Did I get it all ?

Hi,
I have my grandsons computer here (he shares it with the other 4 kids in the house). I origianaly started trying to get out all of the P2P network sharing out of it. It had trojens and viruses in it but I think I have cleaned most of it out using the guide at http://forum.grisoft.cz/freeforum/read.php?4,27725,backpage=
How To Clean An Infected Computer. How ever when all was said and done, teatimer was asking permission to change at start up ITtoolbar. I keep on denying it but I want to stop that from happening in the first place.
Searching around I came accross the guide to use combo fix, I had used this before with the help of someone on a forum. So I thought that would maybe help me clean out little bits that got missed in my original clean up, or find something I missed.
On this guide is where I found the link to Major Geeks. I clicked this one because I have been to your site before and found soulutions to problems in the past.

On the combo fix guide it showed me how to make the Windows Recovery Console...... then it told me not to turn off the computer yet.......... and to post that txt file.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Im not sure if you need the above file but im not sure if it is safe to shut the computer off or reboot it yet.

I then came to your site and found the Windows cleaning page that you had and followed that. So attached will be the zip file from your program. Now I have the combo fix file here and not sure if you collected that with your program or if you want me to also post that one?

Since im not sure if I can reboot yet then im not sure if everything is fixed or not.

So this is where I stand.
Thanks in advance for your help.

 

I am so sorry about not getting the java thing done first. I did read it, something must have distracted me and I know how important it is to follow directions especialy when you are trying to help me.
When I went into each user account to run CCleaner one of the accounts got blocked :

windows security alert in Mickeys account:

Ares Ultra p2p for windows
Now is that something else that needs to come out? and yes I am still wanting to get rid of the p2p stuff also and thanks for that help.

I had assumed that you only had to log on as administrator to run any of these fixes on the whole computer meaning all accounts. Is this not true? Becaue I noticed by signing into all accounts to run ccleaner that all of the accounts dont have AVG running updated on them. I installed AVG on my account (the only administrator account) thinking it was going to work on all accounts but you cant rely on the kids to update it.

When I get done here I plan to go install K9 I am hoping that that will stop anymore of the p2p sharing being installed by the ever curious 13 year old. Unless you have a better suggestion?

Any ways it did start up much better. Attached are the logs you asked for.


Thanks for the help!
Grandma

 

The problem is that I dont know the names to all of the p2p programs, I googled lots of the names that I was thought could be one and removed them that way one by one.

Relevant Knowledge seems like it should be somethig educational to me. But I did find it in add and remove programs and went to remove it and got the message that it may have already been uninstalled and would I like to remove it from add and remove so I did.

bitlord is not in add and remove programs but I do see the folder to it still
Do I just remove the folder ?

also Ares Ultra p2p for windows is not in add and remove programs. I also see this folder.

While we are on the add and remove programs topic I see two things there that I wonder about they are "silvitask.zip" and "skullcur.zip" I am not use to seeing zips in there on my computer and wonder if this is ok or not?

There is a folder called imesh, not sure if this is ok or not? I seem to remember reading something not so positive about that. This is also not in add and remove programs.

Someone needs to write a program that searches your computer for p2p programs for those of us who dont know all of the names.

there is something called "Cheat Engine" and "cs_package.zip" they look to me like some kind of network items.
There is also a folder called filesubmit with DealiioKit1-stub-0.exe in it, also in this folder are folders called "silvitask.zip,skullcur.zip, skullsicoxp.exe,vstyle.zip" even though some have the .zip on them they are folders that are not zipped up.
These items are not in add and remove programs. Just folders I see.

This is all thats left that looks odd to me.

Now if I go back and run MGTools on each account will each log over write each other? Should I run all of the things I have run on the admin account (cw shreader, rouge remover,adaware,avg spyware) over again on each account?

Im not including a log since im not sure how to run it on seprate accounts and if it will over write each other so I wait on instructions.

Thanks again for your help it is greatly appreciated. I didnt realize it was going to be so much.

 

Oppps I went back and read your post from earlier and just deleted the folder called bit lord............ sorry about that. I did think I went right down your list and deleted them but I must have missed that one

 

I went to read the page you sent me to and I do see imesh listed there so that question is now taken care of.......... its going
I did have a password on my account on this computer as the page also says, but I was bad at choosing a password that would be easy for me to remember, and that was ok untill the 13 year old came along and figured it out, that is how he said he got most of this stuff on the computer ............. we have now changed the password about a month ago so we should be ok in that department now

 

Here is the latest MGlogs from the account that I have been using all along. I am not sure why the last one didnt work since I waited for it to say to press any key

 

I just found relevant knowlage again and follwed it to
C:\QooBox\Quarantine\C\WINDOWS\system32
its in the program files start up menu but If im not mistaken thats quarenteened by combofix?

 

Hello again and sorry for so many messages. I just went a different account to try to run MGTools on that account and got a lot of access is denied in the DOS window, then a pop up of HijackThis saying "For some reason your system denied write acccess to the hosts file. If any hijacked domains are in this file , HijackThis may NOT be able to fix this." then shows you how to edit the file yourself. Shall I go ahead and do the file fix ?

 

Oh yes I went to all of the computers around here and diabled the guest accounts.

All users did have passwords when I started out I took them out to make it easier for me to jump from one account to the other without having the extra step of putting passwords in

Only one account on the computer has the admin, the rest of the accounts are limited.

Ok, I didnt realize bumping ment the same thing when you have already been being helped vs waiting for help to arrive, I will watch myself from here on out. I am typing this in note pad first so that I dont do that same thing again.


As for the strange (like Malware) items they are listed with ATI Technologies that was the video card not sure if malware can be connected to that or not ......... well I gues it could be.

Ares Ultra has been deleted ... imesh also deleted.

I will ask grandson about the other programs .......... I more or less didnt know if they were more p2p items or not.

My next step is to make all users admin accounts.And I did not reallize that I need to only be logged on to one account at a time and will correct this from here on out. Then run ccleaner on each account and also run GetLogs.bat and attach them.

Attached are the logs from each seprate account on the computer. I ran ccleaner on each account then getlogs.bat right after , also logged on to only one account at a time in admin mode.

P.S. There are 3 more logs from users accounts on this computer and so I dont bump myself I will wait till the next post to attach them.

 

Ok, I have done the above to the three accounts.....that was easy!

Attached are the next and last 3 accounts.

Thanks again for your help

 

Ok I have done all of the above steps and am now working on "How to Protect yourself from malware! " page. I let AVG Anti Spyware run this morning and it found Downloader.Wimad.m and put that in quarantine.

 

Oh im sorry for not being more clear, it wasnt untill after I did a restart after turning system restore back on, and I thought that I was done with your instructions, that I ran AVG

It was actualy found in
C:\Documents and settings\me\My Documents\through the fire and lames.wm