Help please - I'm trying to clean my laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by owlbug, May 16, 2006.

  1. owlbug

    owlbug Private First Class

    I went through the steps given on the "READ & RUN ME FIRST Before Asking for Support" sticky. Running all these different programs has kinda got my brain jumbled, but I'll try my best to explain how it went.

    0 - I'm running AVGFree. I went into the virus vault and emptied it. I'm also running SpywareBlaster and SpywareGuard, but I don't think those programs have vaults. I emptied the recycle bin.

    1 - I did NOT disable system restore yet.

    2 - I've enabled viewing of hidden files, system files and file extensions.

    3 - I'm only running AVG.

    4 -
    Instead of using CCleaner I used a program from the makers of SpywareBlaster called MRU-Blaster. Hope this is ok... (I'm prepared to get my ears boxed.)

    I loaded and updated Ad-Aware.

    Spybot was already loaded, but I updated it.

    Loaded and updated MS Windows Defender.

    Loaded MS Windows Malicious Software Removal Tool :eek: (Long name).

    Installed Hijack This to C:\Program Files\Hijack This.

    Loaded CWShredder and Kill2Me.

    5 -
    Unplugged Cat5 cable, rebooted in safe mode.

    Ran MRU-Blaster. Deleted a number of MRUs, cookies, and temporary internet stuff.

    Ran MS Windows Malicious Software Removal Tool. It found:
    nothing

    Ran Ad-Aware. It found:
    Lycos Sidesearch
    midADdle
    Browseraid
    ClickSpring
    MemoryWatcher
    StatBlaster
    I don't think Ad-Aware was able to fix everything.

    Ran Spybot. It found:
    SearchAndClick
    Wishbone
    WildMedia
    Everything was immunized already.
    Either Spybot or Ad-Aware complimented my use of SpywareBlaster and opened that program for extended protection.
    Spybot could not fix any problems.

    Ran MS Windows Defender. It found:
    nothing

    6 - I rebooted, plugged in my Cat5 again, and ran BitDefender, then Panda Active Agent.
    (oops, I didn't run in Safe Mode + Network, I ran in Normal Mode - is that a problem?)

    I then ran Kill2Me and CWShredder, which was fruitless.

    What should I do now?

    I am enclosing the logs from BitDefender, Panda Active Agent, and Hijack This!
     


  2. owlbug

    owlbug Private First Class

    Computer is running Windows XP Home - SP 2
    Dell Inspiron 1100
    Intel Pentium 4 CPU 2.40GHz
    2.39 GHz, 256 MB RAM
    C:\ = 27.8 GB, 15.9 GB Used, 11.9 GB Free
    We have some sort of high speed connection through Bell South. Exactly what, I'm uncertain. :confused:

    I'm looking to get more RAM once I get this pooter cleaned up. I defragged a week or so ago, but have done a lot of moving around of stuff since then.
     
  3. owlbug

    owlbug Private First Class

    Oh, and I was surprised that there were viruses on this computer, though I probably shouldn't be. I was running AVG and all the spyware stuff and it never found the viruses. I'm in deeper doo doo than I thought. :rolleyes:
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Win32 USB2 Driver or Microsoft Config (Whichever you find) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Win32 USB2 Driver or Microsoft Config (Whichever you found from above)

    Now Scan with HijackThis and fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  5. owlbug

    owlbug Private First Class

    Sorry for the long delay, I wasn't able to get on the internet through the laptop anymore. I had to hook up the desktop PC. I'll post results when I finish your recommended steps.
     
  6. owlbug

    owlbug Private First Class

    When I try to "Delete an NT Service" HijackThis is telling me:
    Service "Win32 USB2 Driver" was not found in the Registry.
    Make sure you entered the short name of the service., vbExclamation

    Also, Win32 USB2 Driver was already stopped.
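The error above comes from HijackThis wanting the service's short registry name, while services.msc shows the friendly display name. As an added example that is not part of the thread or of any MajorGeeks tool, this PowerShell script resolves a display name to its short name and shows which binary the service points at. Assumptions: Windows PowerShell 5.1 or later on a current Windows (PowerShell did not ship with XP), run as Administrator; the two display names are the ones named in the post, and the script reads only, it stops, disables or deletes nothing.

```powershell
# Added example, not from the thread. Resolve a service's display name (what
# services.msc shows) to the short registry name that sc.exe and HijackThis'
# "Delete an NT service" expect, and report the binary the service runs.
# Read-only: nothing is stopped, disabled or deleted. The two display names
# below are the ones named in the thread; pass others with -DisplayNames.
# Assumes Windows PowerShell 5.1 or later, run as Administrator.
param(
    [string[]]$DisplayNames = @('Win32 USB2 Driver', 'Microsoft Config')
)

function Resolve-ImagePath([string]$ImagePath) {
    # Turn an ImagePath registry value into a plain file path, e.g.
    #   "C:\dir with spaces\svc.exe" -k arg  -> C:\dir with spaces\svc.exe
    #   %SystemRoot%\system32\svc.exe -k arg -> C:\WINDOWS\system32\svc.exe
    #   \??\C:\drivers\x.sys                 -> C:\drivers\x.sys
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath) -replace '^\\\?\?\\', ''
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    return ($p -split '\s+[-/]')[0].Trim()
}

function Get-ServiceShortName([string[]]$Names) {
    foreach ($name in $Names) {
        # -DisplayName matches the friendly name; wildcards are allowed.
        $found = @(Get-Service -DisplayName $name -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            [pscustomobject]@{ DisplayName = $name; ShortName = $null; Status = 'not registered'
                               StartType = $null; ImagePath = $null; Signature = $null }
            continue
        }
        foreach ($svc in $found) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
            $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $exe = Resolve-ImagePath $reg.ImagePath
            $sig = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                       (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
                   } else { 'file missing' }
            [pscustomobject]@{
                DisplayName = $svc.DisplayName
                ShortName   = $svc.Name        # the name HijackThis / sc.exe want
                Status      = $svc.Status
                StartType   = $svc.StartType
                ImagePath   = $exe
                Signature   = $sig             # 'Valid', 'NotSigned', ... or 'file missing'
            }
        }
    }
}

Get-ServiceShortName $DisplayNames | Format-List
```

Once the ShortName is known, the steps in the post map onto `Stop-Service`, `Set-Service -StartupType Disabled` and `sc.exe delete <ShortName>` in an elevated prompt. A display name that comes back "not registered" together with a service that is already stopped, as owlbug reports, usually means an earlier cleanup tool already removed the service entry; a missing ImagePath file with a service entry still present is the opposite case and is worth removing.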
     
  7. owlbug

    owlbug Private First Class

    I went through all the steps you mentioned although I couldn't execute every step (see previous post). I am including the Hijack This log. What's next? Should I rerun all the scans?
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    Download and run WinSock XP Fix on the laptop. That should fix the problem with connecting to the Internet.
     
  9. owlbug

    owlbug Private First Class

    Wow, that was quick. The way my laptop was acting I thought it would be much more trouble. Thanks.

    I didn't need to run WinSock XP fix, the laptop was able to connect to the internet again after rebooting.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  11. owlbug

    owlbug Private First Class

    Okay, I went through the process of disabling system restore, restarted the computer and ran Ad-Aware and Spybot. They are showing the same problems as before. I ran Ad-Aware two times in a row without restarting or closing the program and it caught the same problems both times - these problems are the same I've been seeing from Ad-Aware for a while. Spybot cannot get rid of the problems it keeps detecting either, even if it runs automatically at startup. I'm going to list the problems, which may not be the root problem (if there is even a problem)...

    Spybot (6 problems)
    Wild Media
    1 HKEY_CLASSES_ROOT\SearchHelp
    SearchAndClick
    2 HKEY_CLASSES_ROOT\_ATL_GENERATED.SearchToolbarName.1
    3 HKEY_CLASSES_ROOT\_ATL_GENERATED.SearchToolbarName
    4 HKEY_CLASSES_ROOT\_ATL_GENERATED.SearchToolbarBHO.1
    5 HKEY_CLASSES_ROOT\_ATL_GENERATED.SearchToolbarBHO
    Wishbone
    6 HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon

    Ad-Aware (10 problems)
    BrowserAid (Regkey/DataMiner)
    01 HKEY_CLASSES_ROOT:_atl_generated_searchtoolbarbho\
    02 HKEY_CLASSES_ROOT:_atl_generated_searchtoolbarbho.1\
    03 HKEY_CLASSES_ROOT:_atl_generated_searchtoolbarname\
    04 HKEY_CLASSES_ROOT:_atl_generated_searchtoolbarname.1\
    Lycos Sidesearch (Regkey/Misc)
    05 HKEY_CLASSES_ROOT:sep.band\
    06 HKEY_CLASSES_ROOT:sep.band.1\
    07 HKEY_CLASSES_ROOT:sep.search\
    08 HKEY_CLASSES_ROOT:sep.search.1\
    midADdle (Regkey/Malware)
    09 HKEY_CLASSES_ROOT:searchhelp\
    10 HKEY_LOCAL_MACHINE:software\classes\searchhelp\
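The entries Spybot and Ad-Aware list above are COM ProgID keys, and before deleting one it helps to know what it still points at. As an added example that is not part of the thread, this PowerShell script (assumed: Windows PowerShell 5.1 or later; read-only) walks each ProgID to its CLSID, the DLL registered for that CLSID, and whether the CLSID is registered as a Browser Helper Object. It also reports which hive the key really lives in, since HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, which is why Ad-Aware shows searchhelp under both.

```powershell
# Added example, not from the thread. Audit the ProgID keys that Spybot and
# Ad-Aware listed and report what each one still points at. The chain is:
#   HKCR\<ProgID>\CLSID (default)                     -> {GUID}
#   HKCR\CLSID\{GUID}\InprocServer32 (default)        -> DLL path
#   HKLM\...\Explorer\Browser Helper Objects\{GUID}   -> loaded by IE as a BHO
# HKCR merges HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so the Hive
# column shows where the key really lives. Read-only; Windows PowerShell 5.1+.
$progIds = @(
    'SearchHelp',
    '_ATL_GENERATED.SearchToolbarName', '_ATL_GENERATED.SearchToolbarName.1',
    '_ATL_GENERATED.SearchToolbarBHO',  '_ATL_GENERATED.SearchToolbarBHO.1',
    'AtlBrCon.AtlBrCon',
    'sep.band', 'sep.band.1', 'sep.search', 'sep.search.1'
)
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-RegDefault([string]$Path) {
    # The unnamed default value of a key is exposed as the '(default)' property.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

function Get-ClassHive([string]$ProgId) {
    # Which real hive(s) back the HKCR view of this ProgID.
    $hives = @()
    if (Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\$ProgId") { $hives += 'HKLM' }
    if (Test-Path -LiteralPath "HKCU:\SOFTWARE\Classes\$ProgId") { $hives += 'HKCU' }
    return ($hives -join '+')
}

function Get-ProgIdReport([string[]]$Ids) {
    foreach ($progId in $Ids) {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId"
        $row = [ordered]@{ ProgId = $progId; Present = $false; Hive = ''; Clsid = $null
                           Dll = $null; DllExists = $null; IsBho = $null }
        if (Test-Path -LiteralPath $key) {
            $row.Present = $true
            $row.Hive    = Get-ClassHive $progId
            $row.Clsid   = Get-RegDefault "$key\CLSID"
            if ($row.Clsid) {
                $dll = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\CLSID\$($row.Clsid)\InprocServer32"
                if ($dll) {
                    $row.Dll       = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                    $row.DllExists = Test-Path -LiteralPath $row.Dll -PathType Leaf
                }
                $row.IsBho = Test-Path -LiteralPath "$bhoRoot\$($row.Clsid)"
            }
        }
        [pscustomobject]$row
    }
}

Get-ProgIdReport $progIds | Format-Table -AutoSize
```

A row with Present = True but DllExists = False is the orphaned registration both scanners keep reporting after the file itself is gone; a row with IsBho = True and an existing DLL means the component is still being loaded into Internet Explorer and the file, not just the key, needs to go.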
     
  12. owlbug

    owlbug Private First Class

    The new Hijack This log. Hope it is still clean.
     


  13. owlbug

    owlbug Private First Class

    Can I just delete the problems in the registry?
    For example, is HKEY_CLASSES_ROOT\SearchHelp needed?
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    Yes you can delete those keys in your registry.
     
  15. owlbug

    owlbug Private First Class

    I tried to manually delete them and the computer wouldn't let me. I think what it said amounted to, they are running so you can't delete them. Suggestions?

    I may have to go through the entire process again. I went through the process of making my computer safe from malware and one of the bookmarks I have in Firefox is a Yahoo link preceded by red.clientapps.yahoo.com. Is that bad? Also, Zone Alarm has blocked attempts to send information from my computer to the internet twice already.

    I'm going to buy a mouse and defrag while I'm gone after I clean up the pooter a bit. When I get back I'll see how the system seems to be running, and if I need to I'll do it all over again tomorrow. I want to get the laptop running in top form and keep it there.

    Thanks for all the help, you guys are great. Hopefully I can talk my wife into investing in all the freeware programs that are saving our asses - if she gives me the ok I'll try to send a donation to MajorGeeks as well. Don't know the time frame, but I do intend on getting that done. Thanks again.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run the scans in Safe Mode.
     
  17. owlbug

    owlbug Private First Class

    Hey, I'm going to have a go at it and I'll check back tomorrow with details. It seems there is a never ending supply of problems for you to figure out. Kinda sounds like fun.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's what I signed on for; I'll be here when you're ready.
     
  19. owlbug

    owlbug Private First Class

    I've got another virus. I was able to run the first internet virus scan in safe mode, but I had to reboot afterwards because my internet connection was cut off. I tried to run Panda, but I couldn't run it from safe mode because of the internet cutoff issue and because in safe mode the screen gets much smaller and I don't have full access to the window that Panda runs the scan in (and there are no scroll bars or resizing options).

    I guess I'm going to run Panda from normal mode and try to download that winsock fix before I start the Panda scan.

    Sad that neither Panda nor the other online scanner requires IE, i.e. no Firefox.

    Also, would you recommend any particular registry cleaner. I downloaded RegCleaner from you guys - it got good reviews.
     
  20. owlbug

    owlbug Private First Class

    Ok, here are all the newly updated logs. I'll probably try some stuff on my own until I hear back from you guys.

    I've included the Ad-Aware log also.
     


  21. owlbug

    owlbug Private First Class

    I'm also including transcribed data from Spybot and Panda. I didn't get all the information off of Panda; before I could write down the last 3 file locations I hit the back button on my new, newfangled mouse. Damn technology! :mad:
     


  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad, Save As FixReg.reg to your Desktop
    Close Notepad. Double-click on FixReg.reg and answer 'Yes' when asked if you want to merge with the registry.

    Click on Start then Run, type regedit, click 'OK'. Registry Editor will open, navigate to the following registry key:
    Open Windows Explorer, navigate to and delete the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    REBOOT

    Do a full scan with AdAware and Spybot.

    Post both logs.
     
  23. owlbug

    owlbug Private First Class

    1. I completed the steps regarding FixReg.reg.

    2. HKEY_CURRENT_USER\software\microsoft\internet explorer\main
    There was no "Search Page" in the right window pane. I am using Mozilla Firefox now, does that make a difference?

    3. I already deleted the entire directory c:\!KillBox. I hope that wasn't a mistake.

    4. After I rebooted, I got a notice that moffice.exe failed at startup, and I sent a report to Microsoft about it.

    5. I downloaded FreeRAMXP from Major Geeks. It is supposed to make my computer use memory more efficiently. Should I keep it? Also, right now I only have 254MB RAM and UpgradeMemory.com tells me I could upgrade to 1024MB. I'm guessing 1024MB would make everything run smoother, even the internet. Am I right?

    6. WkUFind.exe tries to access the internet soon after I boot up. I deny it, thanks to ZoneAlarm. I don't think I have MSWorks, I can't find it on the computer. Is it malware? I searched my computer and found WKUFIND.EXE-30F3EA8A.pf in C:\Windows\Prefetch and WkUFind.exe in c:\Program Files\Common Files\Microsoft Shared\Works Shared. I'm guessing maybe we had Works loaded on this computer at one time. My wife had this computer hooked up to a small network with her roommates, could we have this works stuff on our computer from one of the other computers?

    7. When I log on to MySpace and Major Geeks my computer tries to talk to the internet (thanks again ZoneAlarm). I'm assuming it is trying to talk to the advertisement banner. Any idea about that?
     


  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Works was installed at one time on the computer.

    Scan with HijackThis and fix this line:
    This will stop the MS Works Update program from launching at system start.

    You don't need FreeRAM. XP does a much better job of handling system memory. 526Mb would be the minimum I'd recommend. Of course, 1 gig is better.

    ZoneAlarm is too 'Chatty' for my tastes. It's probably seeing the ads and asking for permission.

    Those keys are still there. Follow the directions for Using GetRunKey.

    Post runkey.txt when finished.
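The WkUFind.exe question above is answered by looking at the autostart (Run) keys, which is what GetRunKey and the HijackThis O4 lines report. As an added example that is not part of the thread or of either tool, this PowerShell script (assumed: Windows PowerShell 5.1 or later; read-only) lists those entries, resolves the file each one launches, and flags entries whose file is missing or is not validly signed, which is the quickest way to separate a leftover like the Works updater from something that deserves a closer look.

```powershell
# Added example, not from the thread. List the Run/RunOnce autostart entries
# (the keys behind HijackThis "O4" lines and the GetRunKey report), resolve the
# file each one launches, and flag entries whose file is missing or not validly
# signed. -Filter narrows by value name or command text, e.g. -Filter '*WkUFind*'.
# Read-only. Assumes Windows PowerShell 5.1+.
param([string]$Filter = '*')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-LaunchedFile([string]$Command) {
    # First token of the command line: a quoted path, or text up to the first
    # executable extension. Wrappers such as rundll32.exe resolve to the
    # wrapper itself; the DLL they load still needs a manual look.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    $m = [regex]::Match($c, '^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|vbs|js|dll))(?:\s|$)', 'IgnoreCase')
    if (-not $m.Success)      { return $c }
    if ($m.Groups[1].Success) { return $m.Groups[1].Value }
    return $m.Groups[2].Value
}

function Get-AutorunReport([string]$NameFilter) {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $command = [string]$p.Value
            if (-not ($p.Name -like $NameFilter -or $command -like $NameFilter)) { continue }
            $file = Get-LaunchedFile $command
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
                # Bare names (no directory) are found through PATH, as the shell would.
                $cmd = Get-Command $file -ErrorAction SilentlyContinue
                if ($cmd -and $cmd.Source) { $file = $cmd.Source }
            }
            $exists = Test-Path -LiteralPath $file -PathType Leaf
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }
            $status = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $command
                File      = $file
                Exists    = $exists
                Signature = $status     # 'Valid', 'NotSigned', 'HashMismatch', ... or 'n/a'
                Signer    = $signer
            }
        }
    }
}

$report = @(Get-AutorunReport $Filter)
$report | Format-Table Name, File, Exists, Signature -AutoSize
# Entries worth checking by hand: file missing, or present but not validly signed.
$report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-List Key, Name, Command, File, Signature, Signer
```

Run with `-Filter '*WkUFind*'` to see just that entry. An entry whose file exists under Common Files\Microsoft Shared\Works Shared and carries a valid Microsoft signature is a leftover updater rather than malware, which matches the reply above; removing the Run value (what the HijackThis O4 fix does) stops it launching without touching the file.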
     
  25. owlbug

    owlbug Private First Class

    Hi, this evening I figured out how to get rid of the spyware keys in the registry. The reason I couldn't delete them earlier is because they were "locked." So I right clicked on each, clicked on permissions, and selected allow full control. I was then able to delete them. Spybot and Ad-Aware scans show clean. I wish I kept the same hours as you do so I could have a more efficient dialogue, but I guess life is full of choices. I'll take everything you've said into consideration - I'll be able to look at it tomorrow I think. Will you check the Hijack This log and let me know what you think of it.
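What owlbug ran into here is a key whose ACL blocks deletion, which the Registry Editor reports as an access error. As an added example that is not part of the thread, this PowerShell script (assumed: Windows PowerShell 5.1 or later, run as Administrator; the default key is one named in the thread and any other can be passed with -Key) shows the key's owner and access rules, reports whether an explicit Deny is present or Administrators lack Full Control, and only with -Fix applies the same permission change owlbug made by hand.

```powershell
# Added example, not from the thread. Show why deleting a registry key fails
# with an access error: the key's owner and its access rules (an explicit Deny,
# or no FullControl for Administrators, is the usual "locked" key). With -Fix,
# remove explicit Deny rules and grant Administrators FullControl so an
# elevated session can then remove the key; without -Fix it is read-only.
# Assumes Windows PowerShell 5.1+ run as Administrator. The default key is one
# the thread names; pass any other with -Key.
param(
    [string]$Key = 'Registry::HKEY_CLASSES_ROOT\SearchHelp',
    [switch]$Fix
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-AdminFullControl([System.Security.AccessControl.RegistrySecurity]$Acl) {
    # True when an Allow rule for BUILTIN\Administrators covers every right in FullControl.
    foreach ($rule in $Acl.Access) {
        if ($rule.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $rule.AccessControlType -eq 'Allow' -and
            (($rule.RegistryRights -band $fullControl) -eq $fullControl)) { return $true }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $Key)) { Write-Output "$Key is not present."; return }

try { $acl = Get-Acl -Path $Key }
catch {
    Write-Output "Cannot read the ACL of $Key ($($_.Exception.Message)); ownership must be taken first."
    return
}

Write-Output "Owner: $($acl.Owner)"
$acl.Access | Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited | Format-Table -AutoSize

$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
Write-Output ("Explicit Deny rules: {0}; Administrators have FullControl: {1}" -f $denies.Count, (Test-AdminFullControl $acl))

if ($Fix) {
    # Deny rules win over Allow rules, so drop the explicit ones before adding the Allow.
    foreach ($d in ($denies | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($d) }
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($allow)
    Set-Acl -Path $Key -AclObject $acl      # needs WRITE_DAC on the key, or ownership of it
    Write-Output "ACL updated; the key can now be removed with: Remove-Item -LiteralPath '$Key' -Recurse"
}
```

If even reading the ACL fails, or `Set-Acl` is refused, the current account is not the key's owner and lacks WRITE_DAC; the Registry Editor's Permissions dialog (Advanced, Owner tab) can take ownership first, after which the script's -Fix step goes through. Check what the key points at before removing it, as deleting a ProgID or CLSID that a legitimate component still uses breaks that component.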
     


  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Everything looks fine with HijackThis. Glad to hear you got those registry keys deleted.

    I meant 512 MB not 526 of system RAM. Thinking one thing typing another.
     
  27. owlbug

    owlbug Private First Class

    I went ahead and disabled/enabled system restore. I'll uninstall FreeRAM XP and if you have any other suggestions for firewalls I'd like to hear them. Do you have any other general suggestions for improving my computer's performance? I'm planning on trying to clean things up as much as possible (I messed around with that a bit today), though I'm hesitant to tinker around too much for fear of whacking something I shouldn't. I wish I could have installed things on my own at the start and kept note of just what everything is. Is that realistic, something I should insist on the next time I get a new pooter?

    I guess I should run those online scans again just to reassure myself that everything's cool. Thanks and have a good night/weekend.
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Personally I use Sygate Personal Firewall Free for my firewall. It is discontinued and there will be no further development or support by Symantec. Still it is up to the task, compact and not nearly as resource hungry as ZoneAlarm. I'll add that if you are happy with ZoneAlarm then there is no need to change firewalls. ZoneAlarm is one of the best software firewalls available.

    For antivirus I use AVAST Home Edition.

    Always exercise care when cleaning and removing stuff from your computer. Inadvertently removing the wrong thing can have disastrous results.
     
  29. owlbug

    owlbug Private First Class

    I've been trying to cut out some of the excess files running on my system today, in addition to rerunning the online virus scans. I've got 6 instances of svchost.exe running at this moment, which seems like too much to me. Maybe I'm just ignorant, does svchost.exe give programs internet access or something? I guess I could see 6 programs using the internet... I'm trying to stop all the auto-update programs from running so that I can have less programs running and just manually update when I feel like it. That shouldn't cause a problem, right?

    Anyways, the real meat of the problem is I ran the two virus scans. The first came up clean, but Panda showed three problems. The problem is, it doesn't tell me where all the problems are. Frustrating... I'm including the log. Any ideas? I deleted cookies.txt, though it didn't have [.as-us.falkag.net/] after it, it just showed up as cookies.txt.
     


  30. owlbug

    owlbug Private First Class

    Oh, and here's my Hijack This log, if that helps.
     


  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    "Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time.

    Having anywhere from 5-7 svchost processes running is not unusual. Most do not need Internet access. You can deny access to Generic Host Process when asked by the firewall. You can always go back and allow the process if it causes problems.

    You should leave Windows Automatic Update enabled, all the other auto updates you can turn off.

    Panda finds 2 things in the registry, wintools and sidesearch; but does not say where it was found.

    Save the contents of the below quote box to Notepad, and Save As RegFix.reg to your Desktop.
    Close Notepad.

    REBOOT to Safe Mode.

    Double-click RegFix.reg and answer 'Yes' when asked if you want to merge with the registry.

    REBOOT to Normal Mode.

    Post a fresh Panda ActiveScan log.
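The reply above explains that svchost.exe builds its service list from the registry, so the useful check is not how many instances run but what each one hosts. As an added example that is not part of the thread, this PowerShell script (assumed: Windows PowerShell 5.1 or later on a current Windows, run as Administrator so process paths of SYSTEM processes are readable; read-only) maps every svchost.exe instance to its services, the ServiceDll each service loads, and whether that DLL is validly signed, which is the same picture `tasklist /svc` gives plus the file and signature details.

```powershell
# Added example, not from the thread. Map every running svchost.exe to the
# services it hosts, the ServiceDll each one loads, and whether that DLL is
# signed. Several svchost instances are normal; the useful questions are
# whether each one is the real %SystemRoot%\System32\svchost.exe and whether
# every hosted DLL is a known, signed file. Read-only. Assumes Windows
# PowerShell 5.1+ run as Administrator.
$expectedHost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-ServiceDll([string]$ServiceName) {
    # svchost-hosted services name their DLL in the Parameters subkey.
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters" -ErrorAction SilentlyContinue
    if ($params.ServiceDll) { return [Environment]::ExpandEnvironmentVariables($params.ServiceDll) }
    return $null
}

function Get-SvchostReport {
    # Win32_Service carries the PID of the process each running service lives in.
    $hosted = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' }

    foreach ($group in ($hosted | Group-Object -Property ProcessId)) {
        $processId = [int]$group.Name
        $proc      = Get-Process -Id $processId -ErrorAction SilentlyContinue
        $hostPath  = if ($proc) { $proc.Path } else { $null }
        foreach ($svc in $group.Group) {
            $dll = Get-ServiceDll $svc.Name
            $sigStatus = if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                             (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                         } elseif ($dll) { 'DllMissing' } else { 'NoServiceDll' }
            [pscustomobject]@{
                Pid           = $processId
                HostPath      = $hostPath
                HostIsGenuine = [bool]($hostPath -and ($hostPath -ieq $expectedHost))
                Service       = $svc.Name
                StartMode     = $svc.StartMode
                ServiceDll    = $dll
                DllSignature  = $sigStatus   # 'Valid' (often via a catalog), 'NotSigned', ...
            }
        }
    }
}

$report = @(Get-SvchostReport)
$report | Sort-Object Pid, Service | Format-Table -AutoSize

# Worth a second look: host binary not the System32 one, or a DLL not validly signed.
$report | Where-Object { -not $_.HostIsGenuine -or $_.DllSignature -ne 'Valid' } |
    Format-Table Pid, HostPath, Service, ServiceDll, DllSignature -AutoSize
```

An svchost.exe running from anywhere other than System32, or a hosted ServiceDll that is missing or unsigned, is what distinguishes a problem from the five to seven normal instances the reply describes; a second table that comes back empty is the expected result on a clean machine.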
     
  32. owlbug

    owlbug Private First Class

    I'm not sure why, but I've been having regular trouble connecting to the internet now. When I run WinSock XP fix I can get back on, but I've been unable to connect on more than one occasion. I'm going to run Panda now.
     
  33. owlbug

    owlbug Private First Class

    I'm thinking ZoneAlarm may have been blocking my internet access. It happened again this morning, so I changed an option in ZoneAlarm, Internet Zone security from high to medium, and I was able to access the internet again right away. Hopefully that was the only problem, but also hopefully that doesn't diminish the protection ZoneAlarm gives me. Nothing changed with Panda, the cookie returned, this time with a different spyware. My bookmarks to MySpace and different Yahoo pages looked to have some sort of excess address connected to them, I think it may have been malware related (So I edited them manually).
     


  34. owlbug

    owlbug Private First Class

    Sorry I keep forgetting to post the HijackThis logs... here is the new one.
     


  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Panda found these again:
    adware/wintools
    adware/sidesearch


    Doesn't say where in the Registry they were found.

    Zone Alarm could be the problem. You could try a different Firewall, to see if you are having the same problem. Are you using a router?
     
  36. owlbug

    owlbug Private First Class

    Not using a router yet. Are you saying ZoneAlarm is causing Panda to see the malware, or ZoneAlarm is keeping Panda from seeing the exact location of the spyware in the registry?
     
  37. owlbug

    owlbug Private First Class

    Can I search the registry and delete all directories referring to AOL? I don't like AOL.
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No, I mean ZoneAlarm could be blocking something intermittently; that is causing you to lose your internet connection.
     
  39. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'd be careful what you delete in the registry. Uninstall AOL using Add or Remove Programs first. Then use a registry cleaner to clean any of the orphaned registry entries.
     
  40. owlbug

    owlbug Private First Class

    Hi, I did a search for "Lycos" in the registry and found something, so that may have taken care of Sidesearch. I still can't find the residual WinTools references that Panda is finding.
     
  41. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I wouldn't be too overly concerned. You could run a registry cleaner. It may just be an orphaned entry.
     
  42. owlbug

    owlbug Private First Class

    I have run a registry cleaner. I'm not too concerned but I'll probably look around the net until I figure it out.

    Today I installed some extensions for Firefox - Adblock and an Adblock add-on called Filterset.G, which will supposedly block even more sites known to be affiliated with malware. I've got a gig of memory on the way, so I feel set.

    I guess that wraps up our session. If I need help in the future I will start another thread. Thanks for your help.
     
  43. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're Welcome.

    Adblock for Firefox is a pretty good extension.
     
  44. owlbug

    owlbug Private First Class

    Hey, after lots of independent work I think WinTools is all gone. I just ran Panda and its scan was clean. How sweet. Thank you so much. Don't ask me what I did though - the only specifics is that I looked all over the net and trimmed carefully away at suspicious files and registry keys. This should be my last post in this thread. =) Everyone who might randomly read this, MajorGeeks is for real! A+!! One of the best tools against malware.
     
  45. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome. Thanks for the endorsement of the site. Nice work figuring out where WinTools was hiding in the registry.

    If you could, please post the keys you found for future reference, so that anyone else looking at this thread will also know what to look for.

    Let's flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore
    How to Protect yourself from malware!

    Safe surfing.
     
