I have followed directions I have logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by mikehopkins@pacbell.net, Aug 20, 2006.

  1. Hi,

    I am helping my sister with her computer. She is down for the rest of the day and I hope I can get some help right away.

    We have some problems and I have followed the read me first thread and completed the scans. They have helped somewhat but there is still something there as you will see.

    Attached is hijack log, bitdefender and Activescan.

    In the house cleaning I found windows search something and couldn't remove it with add/remove so I continued without deleting it. Just trying to follow directions.

    OK here ya go,

    Oh, and Thanks in advance, you guys rock!
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We also need the logs from GetRunKeys and ShowNew.
     
  3. Here they are. GetRunKeys and ShowNew logs.
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    You are using MsConfig to prevent several items from loading at Windows start. MsConfig is a diagnostic tool, and not intended to be used in the manner you are using MsConfig. Enable everything you used MsConfig to disable. If you are receiving error messages related to these items at system start, we can fix this without using MsConfig.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    SpywareQuake & SpyFalcon Removal Procedure
    MalwareWipe Removal Procedure

    Post the logs from the above 2 procedures and a fresh HijackThis log.
     
  5. Hi Shadow,

    Thanks for your help.

    First thing I did was try to change msconfig back. Thing is, when I went there it was set to normal startup.
    I think I did this after I followed the read me first post. Well, it is set to normal now.

    I think I did this correctly, Please let me know if I forgot something.



    "In each of the above lines replace the [Current User Account] text with the actual user account name you are logged into."
    There are 2 accounts on this computer and did this on both. The administrator and user accounts.
    Out of the whole process I deleted 2 files from the administrator account on the last line.

    You asked what the status is with SpywareQuake. I couldn't find any trace of it anywhere.


    Avenger did not boot my computer twice. Did I do something wrong?
    I attached the file.

    Please advise.
     


  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    How is your computer running?
     
  7. Log is clean? Great news.

    As far as how the computer is running, it is running a little slow. It was running faster before I completed the last procedure.

    At least she can use it now. Her classes start next week.
    Thank you again.

    Would it be OK to delete the programs I installed during this process to maybe speed it up a little bit, then clear the restore points and hide the hidden files again?

    Please advise
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, you can uninstall everything that was installed during this entire process, and delete the things that didn't need to be installed, if you have no further use for them.

    Before I pronounce the system clean, remove everything you don't want/need; use the system for a bit and let me know how it is running.
     
  9. Ok I still have a problem.
    In the beginning of this you told me to go and uninstall any programs from add and remove programs that I considered malware. As I mentioned, I found search assistant-my web search. I couldn't uninstall it. When I tried, all I got was a blank window, so I moved on.
    Well, now as I was going through deleting the programs I downloaded I came across it again. Once again I tried to delete it and got a blank window. I tried enter but nothing happened. I closed the window. Under information for the program there was a link. I clicked on it and 17 small windows opened.
    Luckily I have not connected this to the internet yet and all the windows just displayed the error message. I closed the program with task manager.

    I ran a search on my laptop for the program and got some info. The fix recommended was:
    -------------------------------------------------
    "First, uninstall the My Web Search option from Add/Remove Programs

    1) Click on Start, Settings, Control Panel

    2) Double click on Add/Remove Programs

    3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

    My Web Search (Smiley Central or FWP product as applicable)
    My Way Speedbar (Smiley Central or other FWP as applicable)
    My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    Search Assistant - My Way
    4) Reboot your Computer and run HijackThis

    5) With HijackThis, scan for and fix any of the entries shown above that may be remaining.

    6) Next, open My Computer, Drive C, and double-click on the Program Files folder

    7) Right-click and delete the folders for:

    FunWebProducts

    MyWebSearch

    8) MyWebSearch should now be completely uninstalled from your computer.

    9) There will be some minor registry entries left behind by the uninstall, however these can be cleaned up by running SpyBot Search and Destroy or Ad-Aware SE or left alone."
    ------------------------------------------------------------
    Problem is I can't do the first procedure. When I select the program to uninstall all I get is that blank window.

    I still have most of the programs installed. Is Killbox the way to go here?

    Please advise
     
  10. One more thing,

    When I run Spybot there is a problem found but it won't fix it. I tried 3 times.
    It's "Windows active desktop". When I select fix problem it creates a restore point and says it's fixed, but when I run it again it's still there.

    Otherwise the computer seems to be running fine.
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Use Your Uninstaller! 2006 to uninstall it.

    Post the log from Spybot, so I can see what exactly it is finding. Most likely a registry entry.
     
  12. OK,

    That did remove it. I ran Spybot and couldn't find a log so I generated a report and saved it as .txt

    Is this what you need?
     


  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download to your Desktop
    Policies.zip

    Extract the contents of Policies.zip to your Desktop. Open the folder Policies and run policies.bat.

    Notepad will open, just close it.

    Attach policies.txt, which is located in the root folder of Drive C.
     
  14. Got it.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    REBOOT

    Delete FixReg.reg

    Spybot still reporting on that registry entry.
     
  16. OK, I did the FixReg and ran Spybot. It's still there.
    I ran policies again and tried to attach the new log.

    I renamed the file to polices2.txt but couldn't attach it.
    I found the log files for Spybot and sent checks and fixed together on the attachment if that would help.
     


  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Spybot is alerting on legit Registry keys. The patch I had you run changed 2 keys from REG_SZ to DWORD. Tell Spybot to ignore those keys, or you can leave it set the way it is and get those alerts every time you run Spybot.
     
  18. I don't mind seeing the alerts.

    What's next?
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  20. Great,
    Thanks for your help.
    Ya see, my sister doesn't have the money to replace her computer and this is needed to complete her degree. I wish I could buy you a beer!

    Take care...
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
