Cleaning Friend's Desktop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Miss M, Nov 11, 2009.

  1. Miss M

    Miss M Private E-2

    Hi! First I want to thank y'all for the help I received recently cleaning up an infected laptop. A friend of mine managed to get her laptop and desktop infected just a few days apart. I took the desktop first and got it booting again, did some cleanup and added some security, then swapped it for the laptop knowing I wasn't finished with the desktop. I now have the desktop back.

    I don't know exactly how this one ended up not booting. It was getting to the black Windows loading screen, and not much past that.

    I used my UBCD4WIN and ran scans of the hard drive with several anti-virus and anti-malware programs. They removed a bunch of MyWebSearch stuff, Hotbar, Zango, and Trojan.Qakbot. I was still unable to boot, and got the message "C:\WINDOWS\system32\command.com The parameter is incorrect." So I ran chkdsk from UBCD4WIN, and it ended with the message, "Windows has made corrections to the file system." I was then able to get the computer to boot.

    I temporarily used msconfig to disable some things, rebooted, and uninstalled (with permission) MySpace IM, MIRC, MySpace Profilewatcher, messenger, and Kodak EasyShare.

    I installed Online Armor and Avast. Then I ran CCleaner and Defraggler, and created a restore point. This is when I swapped for her laptop, which she continued to use some even though it was infected. I knew the desktop still had issues, but I figured it was reasonably safe and stable and she needed a working computer for business.

    Now that I have the desktop back, I removed Limewire (finally got through to her!) and TWC Desktop and drivers and software related to her old ISP. I then ran the Read & Run, and am attaching the logs.

    Can I go ahead and run Microsoft's Windows Installer Cleanup Utility? Photo Gallery keeps trying to install every time the computer starts, and it's a pain to get out of!

    Thank you in advance for your help!!! :)

    I forgot to mention that the computer is running very slowly. Also, as it is starting items you watch appear in the system tray, it will occasionally hang, leaving me able to move the mouse and nothing else. The computer is unresponsive, and I have to do a hard shut down. Twice when it has hung at this point, a black box with grey frame has appeared where the system tray would be. Hard shut down for that too.
     


    Last edited: Nov 11, 2009
  2. Miss M

    Miss M Private E-2

    And the MGTools log.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Only minor annoyances were removed with the cleaning process.

    The PC is slow due to the below memory specs
    You cannot properly run Windows XP SP2 and other software with so little memory, and when you update to SP3, which is necessary for security reasons, it will get even slower. The minimum amount of memory for Win XP should be 1 GB, but preferred is at least 2 GB (which is 4 times what is currently in the PC).

    You could improve on things a little by uninstalling garbage like BigFix and permanently removing startups like the below:
    Since you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run the cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  4. Miss M

    Miss M Private E-2


    Hi, and thank you so much!! That's wonderful that it is clean already! :)

    For some reason, I had not noticed that it was running SP2. I appreciate you pointing that out. I was wondering about it having so little memory, and had already talked to her about upgrading it. I'll work on that, and then get it up to SP3.

    BigFix was on my list of things to find out about and see if it was needed, so you saved me the trouble! :)

    For the startups, do I just go in and delete the registry keys you listed? And do we not want the Java updater to run automatically, to keep it secure (or will the updater run anyway if I delete the key, just not at startup)?

    Thank you again, so very much! I will go ahead and work on BigFix and the Final Steps while I await your reply.

    (And then on to my upstairs neighbor's computer! Woohoo! :-D)

    P.S. I love your signature!!!
     
    Last edited: Nov 13, 2009
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can easily remove them with HijackThis before we get to the final instructions, which will remove HijackThis. And yes, it is good to keep Java updated, but when a PC does not have sufficient memory, like here, you are trying to improve startup time. It's a trade-off between doing manual updates and performance. On my own PCs, I take care of updating myself and don't want anything updating automatically. I don't believe in always having something run every time I boot up unless it is something I'm going to always need. For friends and relatives, I do set some items like Java to auto-update since I know they will not do it themselves. ;) But I don't allow them to have things like Skype, AIM, etc. always load. I tell them to only run them when needed.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

    After clicking Fix, exit HJT.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run the cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
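The same startup cleanup chaslang assigns to HijackThis above, done with built-in tooling so it can be repeated on the next machine. This is an added example, not part of the thread and not HijackThis or MGtools code. It takes the O4 entry names and shortcut names straight from the HijackThis lines quoted above, leaves SunJavaUpdateSched in place (the thread later decides to keep Java auto-updating), backs each key up before touching it, and assumes an elevated PowerShell 2.0 or later session on the cleaned PC.

```powershell
# Added example (not from the thread or from HijackThis/MGtools): remove the
# O4 startup entries quoted above with built-in PowerShell, after backing them up.
# Assumes an elevated PowerShell (2.0+) on the cleaned machine.

# Registry Run values from the HijackThis log above.
# SunJavaUpdateSched is deliberately not listed: the thread decided to keep it.
$runEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'NeroFilterCheck' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'RemoteControl' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'HP Software Update' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'updateMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'SUPERAntiSpyware' }
)

# "Global Startup" shortcuts from the log (the all-users Startup folder).
$startupLinks = @(
    'Adobe Reader Speed Launch.lnk',
    'HP Digital Imaging Monitor.lnk',
    'HP Image Zone Fast Start.lnk',
    'KODAK Software Updater.lnk'
)

# 1. Back up both Run keys and any removed shortcuts to a timestamped Desktop folder,
#    so a wrongly removed entry can be put back with a double-click on the .reg file.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) "startup-backup-$stamp"
New-Item -ItemType Directory -Path $backupDir | Out-Null
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' (Join-Path $backupDir 'Run-HKLM.reg') | Out-Null
& reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' (Join-Path $backupDir 'Run-HKCU.reg') | Out-Null

# 2. Remove the Run values, showing what each one launched before it is deleted.
foreach ($e in $runEntries) {
    $props = Get-ItemProperty -Path $e.Key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $e.Name)) {
        Write-Host ("Removing {0}\{1} -> {2}" -f $e.Key, $e.Name, $props.($e.Name))
        Remove-ItemProperty -Path $e.Key -Name $e.Name
    } else {
        Write-Host ("Already gone: {0}\{1}" -f $e.Key, $e.Name)
    }
}

# 3. Remove the all-users Startup shortcuts. The folder path is read from the
#    registry so the same script works on XP and Vista, whose paths differ.
$shellFolders  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$commonStartup = $shellFolders.'Common Startup'
foreach ($lnk in $startupLinks) {
    $path = Join-Path $commonStartup $lnk
    if (Test-Path -LiteralPath $path) {
        Copy-Item -LiteralPath $path -Destination $backupDir
        Remove-Item -LiteralPath $path
        Write-Host "Removed $path"
    } else {
        Write-Host "Not present: $path"
    }
}

# 4. Print what is still set to run at logon, so nothing unexpected remains.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    Write-Host "`n$k"
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("  {0} = {1}" -f $_.Name, $_.Value) }
}
```

The final listing is the check worth doing after any startup cleanup: anything still present under either Run key, or in the Startup folder, is code that runs at every logon, and an entry whose path points into a temp or user-profile directory deserves a second look before the machine is declared clean. Restoring an entry is a double-click on the matching .reg file in the backup folder.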
  6. Miss M

    Miss M Private E-2

    Thank you very, very much! Removing those entries made a huge difference in startup time! The SAS one was already gone, because I had changed the program settings to disable it loading on startup. And... I did leave the Java one, because I just can't be sure she'd keep on top of it. (I already wrote her a three-page document detailing monthly scans... I think if I added one more thing to it, her head might explode! :-D) Also, she's saving up for a memory upgrade, so I'll be popping 2 Gigs in there in a few weeks! ;)

    I will now go ahead and finish up the rest of the things I haven't completed. By the way, she told me that she knew her son had visited porn sites on this desktop when he was at home, and wanted me to make sure there was nothing left of it. My first pass through, I did remove some porn. Did you see anything in the logs from this second time through that would indicate the presence of any porn on the machine, or would you necessarily be able to tell? I apologize for forgetting to ask this sooner!

    Thank you again for all your help! :)
     
  7. Miss M

    Miss M Private E-2

    Wow... this computer really did not like the autoruns thing. Instead of the welcome screen, I was getting a randomly flashing assortment of varying amounts of mostly blue horizontal lines, black screens, and white screens. I had to do a hard shut down.

    I rebooted into safe mode and rolled back to the restore point created right before I installed the registry patch. That being unsuccessful, I rolled back to the point created before I installed the KB patch from Microsoft.

    Still unable to boot normally, I scheduled a chkdsk from safe mode, and rebooted. Apparently, it did something, because the computer is back now. This is what the log file says:

    Event Type: Information
    Event Source: Winlogon
    Event Category: None
    Event ID: 1001
    Date: 11/17/2009
    Time: 11:35:28 PM
    User: N/A
    Computer: YOUR-D1207667D2
    Description:
    Checking file system on C:
    The type of the file system is NTFS.

    A disk check has been scheduled.
    Windows will now check the disk.
    Cleaning up minor inconsistencies on the drive.
    Cleaning up 814 unused index entries from index $SII of file 0x9.
    Cleaning up 814 unused index entries from index $SDH of file 0x9.
    Cleaning up 814 unused security descriptors.
    CHKDSK is verifying file data (stage 4 of 5)...
    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
    Free space verification is complete.

    76943317 KB total disk space.
    17273964 KB in 62273 files.
    21592 KB in 5836 indexes.
    0 KB in bad sectors.
    160965 KB in use by the system.
    65536 KB occupied by the log file.
    59486796 KB available on disk.

    4096 bytes in each allocation unit.
    19235829 total allocation units on disk.
    14871699 allocation units available on disk.

    At any rate, I'll go ahead and use the Panda USB and AutoRun Vaccine instead if that's alright. :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what happened, since the autorun patch is used all the time and is simply a fix to block infections that make use of autorun to infect tens of thousands of PCs each week.

    However since all is back to normal now and you plan to use a different fix, all is good. ;)
     
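The thread never shows what the MG autorun patch or the Panda vaccine actually change, so this added example (not the code of either tool, and not from the thread) applies and audits the two documented Windows controls that block autorun.inf-based infection: the IniFileMapping entry that makes Windows ignore every autorun.inf, and the NoDriveTypeAutoRun policy value that disables AutoRun for all drive types. It assumes an elevated PowerShell 2.0 or later session; the function names and the -Apply switch are this example's own.

```powershell
# Added example (not the MG autorun patch, not Panda's vaccine, not from the thread).
# Audits and optionally applies the two documented AutoRun/AutoPlay controls.
# Run elevated. Without -Apply it only reports the current state.
# On XP SP2/SP3 the NoDriveTypeAutoRun value is honoured fully only once Microsoft's
# AutoRun update (KB967715) is installed; the IniFileMapping entry works regardless.
# Windows 7 and later already ignore autorun.inf on USB drives by default.
param([switch]$Apply)

$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Report whether each control is in its hardened state.
function Get-AutorunStatus {
    $map = $null
    if (Test-Path $iniMap) { $map = (Get-ItemProperty -Path $iniMap).'(default)' }
    $drv = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    New-Object PSObject -Property @{
        AutorunInfIgnored  = ($map -eq '@SYS:DoesNotExist')   # every autorun.inf is mapped to a non-existent key
        NoDriveTypeAutoRun = $drv                              # bitmask of drive types with AutoRun disabled
        AllDrivesBlocked   = ($drv -eq 0xFF)                   # 0xFF = all drive types
    }
}

# Apply both controls. Explorer reads the policy value at logon, so a logoff or
# reboot is needed before the second one is in force.
function Set-AutorunBlocked {
    if (-not (Test-Path $iniMap)) { New-Item -Path $iniMap -Force | Out-Null }
    Set-ItemProperty -Path $iniMap -Name '(default)' -Value '@SYS:DoesNotExist'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

Write-Host 'Current state:'
Get-AutorunStatus | Format-List

if ($Apply) {
    Set-AutorunBlocked
    Write-Host 'After applying (policy value takes effect at next logon):'
    Get-AutorunStatus | Format-List
}
```

Running it without -Apply first is the useful habit: it tells you whether whatever patch or vaccine was installed earlier actually left the machine in the hardened state, which matters in a thread like this one where the patch had to be rolled back. To undo, delete the IniFileMapping\Autorun.inf key and the NoDriveTypeAutoRun value.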
  9. Miss M

    Miss M Private E-2

    I am sorry it took me so long to get back to you. I had a major allergy attack that lasted for days, so this is the first day in a while I've felt like a human! :-D

    I don't know what happened either; it was very unexpected, as I was aware that the patch was used frequently. And while I'm certainly no tech, I have been tinkering with and programming and cleaning up computers for over 25 years, so I know I can say I applied the patch correctly. All I can figure is that something still wasn't right in the system files somewhere, and the computer balked when I added the patch.

    After chkdsk got it booting all the way again, I installed the Panda vaccine.

    Unfortunately, the chkdsk proved to be only a temporary solution. On restart, the computer works, but turn it off and come back to it the next day, and a white screen appears when the login screen should. At least it doesn't flash anymore. It starts with a blank screen with white at the right side, and the white stretches left (but not in a straight line) until the whole screen is white. Oddly, I'm getting the same thing on a neighbor's Vista machine I've been working on. Like this machine, it was not booting when I got it.

    Anyway, after trying the chkdsk thing a couple more times and finding it wasn't holding, I did a repair install. This also did not fix the problem, though I did note it was unable for some reason to copy 250 files from the i386 folder on the disk to the computer. I did randomly select some and find they are on the computer, but I haven't been through all of them to see and make sure they are all where they belong, and all current. I reinstalled sp3 and other updates, to no avail.

    I have just run sfc, so I will see what it says in the event log. I'll keep you posted. I'm certainly not blaming anything on you -- I know you do this all the time! It isn't you, it isn't me, and it isn't the patch, so I've just got to ferret out what it is. :major (Any suggestions are welcome!! ;))

    Thank you very much for all your help!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps it is time for a total reinstall from scratch. You stated the PC was not booting in your first message here and now you are having problems again. And malware was really not a problem since as I stated earlier, nothing of significance was found or removed. System instabilities like this could mean there are either hardware issues (especially considering the white screen - perhaps drivers for your graphics card) or the OS has become unstable.

    Your other alternative is to post specifics in the Software Forum to try and debug what is going on with it.
     
  11. Miss M

    Miss M Private E-2

    You know, I had downloaded fresh drivers for the graphics card, thinking that might be the problem. I think I'll give that a try. If that doesn't do it, I'll go ahead and post in Software, as I'd really like to avoid a total reinstall if I can.

    I've also been poking through the event logs, and there are some errors in there that I'll be looking up to see what I can find out about them.

    Thank you very much, chaslang!!! I am not knowledgeable enough to be able to declare a machine clean, so it is wonderful to have someone be able to tell me "okay, it's clean now, on to other solutions!" It has been a pleasure working with you, and I hope you had a wonderful Thanksgiving! :)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Let us know how it turns out.
     
  13. Miss M

    Miss M Private E-2

    Thank you for reminding me about the display drivers, chaslang, because that was the problem! Like I said, I had already downloaded them, but I had more or less forgotten about them. So I uninstalled, and then used DriverSweeper to finish the cleanup. It actually deleted the new drivers I had downloaded too, it was so thorough! So I got some new ones, installed, and it's working great!

    I went through the services with the help of BlackViper and theeldergeek, and the computer is breathing a huge sigh of relief. Another defrag, and a few other minor tweaks, and this machine will be going home!

    Thank you again! :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
