Read me and Run me First Logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by swajen, Oct 19, 2008.

  1. swajen

    swajen Private E-2

    Hello
    I am using Windows XP Home, SP2.
    2 weeks ago I logged on to find that when I clicked "My Documents" it advised me to check that the path was correct. It had been located in an Extra Storage drive. I finally found all the documents that had been in "My Documents" in a new folder called "Jenny's Documents".
    I got onto Majorgeeks and found a thread showing same problem. This weekend I have followed your "Read me and run me first" and I am attaching the logs I obtained.
    During the running of MGtools an error report came up that later led me to download Microsoft .Net Framework software from the link shown. I would actually like to remove this but can't find out how.
    I have not removed any of the downloads required for this cleanup.
    When I logged on this morning I was distressed to find that the computer didn't want to work very well.
    As well as my normal "doesn't like connecting to the Internet without trying to connect several times", it appeared to lock up whilst going to My Computer; it wouldn't let me shut down so I had to turn it off.
    Since turning it back on I have been able to do most things albeit very slowly.
    I hope the logs show what might be amiss, and should I remove things like ComboFix, the Windows XP boot disks, MGtools etc.?
    FYI my security tools are PCtools Security, SpyBot Search and Destroy, Spyware Blaster and a-squared Free and they seem to keep me secure, thanks to Majorgeeks for recommending last time I required your services.
    Looking forward to hearing from you.
    Regards
    Jenny

  2. swajen

    swajen Private E-2

    Hello again
    Don't know if I have done this right but attached is SuperAntiSpyware log.
    Thank you
    Jenny

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Pre-Instructions:
    Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Oct 19, 2008
  4. swajen

    swajen Private E-2

    Hello bjgarrick
    Many thanks for your quick response. I have followed all instructions carefully.
    Before sending this I turned my security back on, logged off then back on (obviously) to check how things were working. I think it was slower than usual but I noticed it did that on Saturday after doing all the other stuff, improved second time around. Also everything that was in My Documents is still in Jenny's Documents and My Documents isn't where it should be so I can't use any links. Is this something I have to do manually?
    I think the next assistance needed will be when I give my friend here a larger memory.
    The required files are attached. I didn't have any problem following your instructions.
    Hope you come back with a clean bill of health, and will you let me know when I can remove all the extras?
    Thank you very much
    Regards
    Jenny
    PS. Re the files that open at startup is there an easy answer to which ones I don't need, there are so many of them.
    Regards again
    Jenny

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I don't think this is malware related, I would recommend posting this issue in the Software Forum once we're done.

    Yes, see the list below of unnecessary entries you can remove to improve your startup speed. To remove these entries simply run C:\MGtools\analyse.exe and fix the entries below.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Once you complete the above instructions, reboot and let me know how things are running and if you have any further malware problems.
  6. swajen

    swajen Private E-2

    Hello again bjgarrick
    I am not sure if I did the right thing with my last message; I had attached logs and also asked when I could remove programmes. In your response you gave me instructions that I had already followed from your previous message.
    If I haven't done the right thing could you please let me know.
    Many thanks
    Jenny
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, everything is fine!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link: