I Sure Hope You Can Help With This BIGGIE!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by amandalee76, Aug 18, 2005.

  1. amandalee76

    amandalee76 Private E-2

    First...Hi & Thanks for viewing my question...

I followed all instructions in the "Read Me First" Section..BUT...I am having issues running Ad Aware SE..This is weird because I have had Ad Aware since before I read the "Read Me First" and have never had an issue running it. So I went to the read me and downloaded Ad Aware SE again...It still won't run & as it is scanning, causes my computer to reboot...(I am so scared of the answer to this one...)

    So I went ahead and did the HiJack This Log anyways, hoping the issue may be found in there...You will find my Hijack log below...

    Any help you can offer would be super...

I am running Windows XP. I did have Bearshare on my computer. I have AIM on my computer. My virus stuff ran out last month, I just haven't had enough cash to get another licence yet....

    Thanks a tonne, again...amandalee76

HIJACKTHIS LOG
     


    Last edited by a moderator: Aug 18, 2005
  2. amandalee76

    amandalee76 Private E-2

I also meant to tell you that there is this weird "click me" (it is green) icon on my desktop, I have tried to uninstall, but it isn't going anywhere....
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Amandalee,

    Please do the following:

    1 -- Download the latest version of HijackThis and Extract it from the ZIP to its own folder C:\Program Files\HijackThis

    2 -- Run Panda ActiveScan -- Allow it to fix what it can and save the Log to attach to your next post.

    3 -- Download and Install Ewido Security Suite

    DoubleClick the Ewido Icon on your desktop and allow it to update to the latest malware definitions (Click Update > Start). Then, exit Ewido and boot to Safe Mode.
    When in Safe Mode, open Ewido and click Scanner. Be sure the following boxes are checked (Binder - Crypter – Archives) and then Start Scan.

    Allow Ewido to fix what it finds and click on Save Report. Save the log to where it can be easily found.

    4 -- Rescan with HijackThis. Please be sure to follow the instructions below:
    Note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post back. Please attach the EWIDO Log as well.

    I will try to check back as time permits.

    @Chaslang - Hey Slowpoke! :p If you want to run with this, go ahead! . . . .Never mind . . . :cool:

    Best luck :)
    PP
     
    Last edited by a moderator: Aug 18, 2005
  4. amandalee76

    amandalee76 Private E-2

    Oh PP! Thanks so much for your help,

Here are the logs for Panda ActiveScan & HijackThis, I will reply & post the log from Ewido.....

    (There are some issues now with comp...lol Will post in next thread....
     


  5. amandalee76

    amandalee76 Private E-2

    Here is the Ewido Scan log...

    There are new issues with comp now, my desktop has something called active desktop recovery as the background, I have no idea what that is...

    Thanks again PP, I really appreciate all the help!

    Amanda
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi Amandalee,

    I'll take a look at those logs and post something for you as time permits. If I am not around, hang in there - D3m3nt3d will keep an eye on your thread and help in my absence.

    For the desktop issue, try this:

    RightClick an empty area on your Desktop and select Properties > Desktop Tab > Customize Desktop > Web and make sure nothing is selected in the box labeled "Web Pages." Let us know what boxes, if any, are checked.

    PP :)
     
  7. amandalee76

    amandalee76 Private E-2

    Ok TY so much PP,

I did the desktop thing and it had a web site listed:

    My Home Page

    The box was not checked.

    Thanks again!!
     
  8. PhilliePhan

    PhilliePhan Guest

    Well . . . That’s interesting. Is there no option for you to “Restore Active Desktop”?

    -- Also, it looks like you are running “Selective Startup” via msconfig. What are you keeping from running? Let me know.


    Let’s leave that for now and do the following:

    FIRST:

    Please unzip Pocket KillBox to its own folder. Leave it there for the time being.

    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.

    Now scan with HijackThis and Check the Boxes for the following, if they remain:

    O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
    O4 - HKCU\..\Run: [qbhttah] c:\windows\swjanpf.exe
    O4 - Startup: WindowsUpdate20059[1].exe

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/ea/freekstyle/install.cab

    O21 - SSODL: systemp - {273700EC-B6E8-40C6-A48C-1C3227DB4D17} - systemp.dll (file missing)

    O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW, please open Pocket KillBox.

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” and “End Explorer Shell While Killing File” Options. Enter or Copy&Paste each of the following into the box one by one, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be Rebooted until the last item has been entered:

    ** Note:
For the .dlls, instead of End Explorer Shell While Killing File, check the Unregister .dll Before Deleting box instead. Some of these should already be gone.

    C:\Win32
    C:\WINDOWS\SYSTEM32\ELITEAMI32.EXE
    C:\WIN32\DLL\WIN32K.EXE
    C:\WINDOWS\SYSTEM32\CANADA.EXE
    C:\WINDOWS\SYSTEM32\systemp.dll
    C:\WINDOWS\SYSTEM32\sysp.dll
C:\WINDOWS\SYSTEM32\systemp.exe
    C:\DOCUMENTS AND SETTINGS\OWNER\START MENU\Click Me.lnk
    C:\WINDOWS\SYSTEM32\rtneg.dll
    C:\DOCUMENTS AND SETTINGS\OWNER\FAVORITES\Casino & Carrers
    C:\WINDOWS\etb
    C:\WINDOWS\system32\shell32.exe
    C:\WINDOWS\system32\temp532.exe
    C:\WINDOWS\system32\username.exe
    C:\WINDOWS\system32\wudupdate.exe
    c:\windows\swjanpf.exe
    C:\WINDOWS\System32\mousehs.exe


    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If Killbox fails to Reboot your machine, do it manually.


    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.


    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    ALSO: Please download Find_It_s.zip
Extract it to its own folder, run it and attach that log as well.

Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits (likely Friday evening or Saturday) and we can have a whack at that Desktop issue.

    Best luck :)
    PP
     
  9. amandalee76

    amandalee76 Private E-2

    I am going to go & complete the tasks now,

re: msconfig, that's how I booted into safe mode, other than that I don't use it, so if it is only running partial, I have no idea why....

    I am off, be back soon..

    Thanks again PP, You are such a great person to be doing this!!
     
  10. amandalee76

    amandalee76 Private E-2

    Okay before I reboot normally, i need to know this:

Will any work completed in Simply Accounting be erased if I do this??? I am so scared! lol :p

    Thanks
     
  11. amandalee76

    amandalee76 Private E-2

The Find It log is attached to this message...

I ran CCleaner, it removed 34.5 MB

    I can't seem to run Spybot though, it seems to freeze up on step 3...

    Help is appreciated,

    Amanda
     


  12. amandalee76

    amandalee76 Private E-2

    Oh I am sorry I also meant to tell you I restored active desktop, everything in that respect is okee dokie...BUT

That Green Click me icon is still on my desktop.....
     
  13. amandalee76

    amandalee76 Private E-2

    OKay, SpyBot ran:

    found the following & fixed:

    Wild Tangent - 3 entries
    Elitum.EliteBar - 1 entry
     
  14. amandalee76

    amandalee76 Private E-2

Ok I am rebooted in normal & HijackThis log is attached (click me icon STILL on comp...)

    Upon restarting this box & info pops up:

    SYSTEM CONFIG UTILITY (I am going to refer to this as SCU)

    You have used the SCU to make changes in How Windows Starts

SCU is currently in diagnostic or selective startup mode, causing this message to be displayed & the utility to run every time Windows starts.

    Choose normal startup on the general tab to start windows normally & undo changes made during SCU.

    ---------------------------------------------------------------------
GENERAL TAB (looks like this..sorta)

    Selective Startup is checked
    Process System.ini file is checked
    Process win.ini file is checked
    Load Services is checked
    Load startup item is checked

    Then...
    There are two boot choices:

    use original boot.ini (not checked)
    use modified boot.ini is checked...

Should I do what they say & pick the start Windows normally box?

    Thanks again!!!
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run msconfig and select Normal Startup so we can see all items that would normally load at boot time.

    If you right click this icon on your Desktop and select Properties what kind of info do you see?
     
  16. amandalee76

    amandalee76 Private E-2

I ran msconfig & am now in normal mode, a new HijackThis log is attached..


    re: click me icon...

when I right click the icon, it has a large drop down menu, so I went to properties:

    C:\Windows\System32\Canada.exe

    THANKS! Is there a way to donate $$ to help support the forum?
     


  17. amandalee76

    amandalee76 Private E-2

    Hiya D3,

Thanks for your help, greatly appreciated (I wish I could hug you all! lol)

    I am not the most computer literate in the world, and can't seem to locate any of the files that are listed in the link you gave...Could I be doing something wrong?

    There was no running process called canada.exe either...

    Thanks again,
    Amanda
     
  18. amandalee76

    amandalee76 Private E-2

    Thanks D3,

    I did that no canada.exe...
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Guys,

    You are missing the fact that the below is still in the HJT log.

    O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe (file missing)

The service needs to be stopped and disabled and then deleted.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Mouse Hardware Sync (or look for mousehs) Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Mouse Hardware Sync


    If that does not work, use the short name: mousehs

Now exit HijackThis. It will probably tell you that you need to reboot to complete this fix. So go ahead and reboot. Then get a new HJT log and post it here.

    Just noticed this too:

    O4 - Startup: WindowsUpdate20059[1].exe

    Need to fix this line and delete the file from the Startup folder in safe mode.

    Probably:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WindowsUpdate20059[1].exe
     
  20. amandalee76

    amandalee76 Private E-2

    HI, no that isn't the only prob...

In my Favorites for IE there are folders that I have never put there...and sometimes when I click one of my fav's that I actually entered, it doesn't go to the site it should..It still says the correct addy in the addy bar, but it is an ad, rather than the site...

    I did perform all scans in the read me, but that was before I was booted into normal mode...should I do them again?

    Does My Hijack log look clean now??

Thanks tons,
    amanda
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

No, see my message below, which you must have missed.
     
  22. amandalee76

    amandalee76 Private E-2

    I did miss it, we posted at the same time, lol SORRY

    So I did it, new log attached...

    NO MORE GREEN CLICK ME!!!WOO HOOO
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you still missed the lines about:

    O4 - Startup: WindowsUpdate20059[1].exe
     
  24. amandalee76

    amandalee76 Private E-2

So sorry Chas,

Can you pls give detailed instruction on how to delete that item? I really don't want to mess anything up! Thanks!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT may or may not delete the file when fixing the O4 line, but quite often O4- Startup files are found in a folder like I stated before:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WindowsUpdate20059[1].exe

    Although sometimes it may not be the All Users account.
     
  26. amandalee76

    amandalee76 Private E-2

    OK I must be having some great probs here,

I tried HijackThis to delete & you're right it doesn't...

With your instructions I made it as far as the Startup folder, but every time I try to click on it, it freezes...

    Then it refreshed to the Active Desktop Recovery again.....

    Thanks
    Amanda
     
  27. amandalee76

    amandalee76 Private E-2

Sorry, should I run the Read Me scans again now that I am in normal mode?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a current HJT log from normal boot mode and let's see what we have running.

    You may need to boot into safe mode to fix the below line:

    O4 - Startup: WindowsUpdate20059[1].exe
     
  29. amandalee76

    amandalee76 Private E-2

TYVM,

Current HijackThis log posted...
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it may become necessary to uninstall Ewido to do this but let's try without doing that first.

    Print these steps or save them locally so you can work offline with NO browsers opened and with your Internet connection physically unplugged.

    - Okay. Unplug now and Reboot into safe mode with no network support.

    - Run HijackThis and select the below line and then click Fix:

    O4 - Startup: WindowsUpdate20059[1].exe

    - Exit HJT

    - Let's find and delete the above file (let me know the results). Look in each of the below locations:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WindowsUpdate20059[1].exe
    C:\Documents and Settings\xxxxxx\Start Menu\Programs\Startup\WindowsUpdate20059[1].exe
    where xxxxxx is your user account name
    C:\Documents and Settings\xxxxxx\Start Menu\WindowsUpdate20059[1].exe
    C:\windows\system32\WindowsUpdate20059[1].exe
    C:\Documents and Settings\xxxxxx\Local Settings\Temp\WindowsUpdate20059[1].exe

    If you do not find it, use Windows Search. Do this as indicated below:

Click Search and then select "All files and folders"
Enter the filename in the "All or part of the file name:" box, so enter WindowsUpdate20059[1].exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    When found, right click on it and select delete.

    Now reboot into normal mode and reconnect to the internet. Get a new HJT log to post and let me know what happened.
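The triage the helpers do by eye above, in posts 8, 19 and 30 (spot the HJT entries, notice which ones say "(file missing)", and know which folders an "O4 - Startup" file can live in), can be done by a small script. The following is an added example written for this thread; it is not code from HijackThis, Pocket KillBox or MajorGeeks. It assumes the line shapes are exactly the ones quoted in the thread (other HJT sections come back as "unparsed" rather than being dropped), the candidate folders are the five locations chaslang listed in post 30, the account name "Owner" is the one the poster reports, and the function names are my own.

```python
"""Triage HijackThis (HJT) log lines the way the helpers in this thread did.

Added example for this thread; not HijackThis, Pocket KillBox or MajorGeeks
code. Assumed (not from any tool's documentation): the line shapes below are
the ones quoted in the thread, and the function names are the author's own.
"""
import re
from typing import Dict, List

# Sample input: the HJT entries quoted in posts 8, 19 and 30 of this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local",
    r"O4 - HKCU\..\Run: [qbhttah] c:\windows\swjanpf.exe",
    r"O4 - Startup: WindowsUpdate20059[1].exe",
    r"O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/ea/freekstyle/install.cab",
    r"O21 - SSODL: systemp - {273700EC-B6E8-40C6-A48C-1C3227DB4D17} - systemp.dll (file missing)",
    r"O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe (file missing)",
]

# One regex per line shape seen in the thread. "(file missing)" is optional
# on O21/O23 lines; its presence is what marks an orphaned entry.
_LINE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")
_O4_RUN = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O4_STARTUP = re.compile(r"^Startup: (?P<file>.+)$")
_O16_DPF = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<url>\S+)")
_MISSING = r"(?P<missing> \(file missing\))?$"
_O21_SSODL = re.compile(r"^SSODL: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)" + _MISSING)
_O23_SERVICE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+?)" + _MISSING)


def parse_hjt_line(line: str) -> Dict[str, object]:
    """Return a dict describing one HJT log line: section, kind and its fields."""
    m = _LINE.match(line.strip())
    if not m:
        return {"section": None, "kind": "unparsed", "raw": line}
    section, rest = m.group("section"), m.group("rest")
    entry: Dict[str, object] = {"section": section, "raw": line, "file_missing": False}
    if section == "O4":
        if (r := _O4_RUN.match(rest)):
            entry.update(kind="run", hive=r["hive"], key=r["key"], name=r["name"], cmd=r["cmd"])
            return entry
        if (s := _O4_STARTUP.match(rest)):
            entry.update(kind="startup", file=s["file"])
            return entry
    elif section == "O16" and (d := _O16_DPF.match(rest)):
        entry.update(kind="dpf", clsid=d["clsid"], url=d["url"])
        return entry
    elif section == "O21" and (o := _O21_SSODL.match(rest)):
        entry.update(kind="ssodl", name=o["name"], clsid=o["clsid"], path=o["path"],
                     file_missing=bool(o["missing"]))
        return entry
    elif section == "O23" and (v := _O23_SERVICE.match(rest)):
        entry.update(kind="service", display=v["display"], short=v["short"], owner=v["owner"],
                     path=v["path"], file_missing=bool(v["missing"]))
        return entry
    entry["kind"] = "unparsed"  # known section, unexpected shape: keep the raw line
    return entry


def startup_candidates(filename: str, user: str) -> List[str]:
    """The five places chaslang (post 30) says an 'O4 - Startup' file may live."""
    base = "C:\\Documents and Settings"
    folders = [
        [base, "All Users", "Start Menu", "Programs", "Startup"],
        [base, user, "Start Menu", "Programs", "Startup"],
        [base, user, "Start Menu"],
        ["C:\\windows", "system32"],
        [base, user, "Local Settings", "Temp"],
    ]
    return ["\\".join(parts + [filename]) for parts in folders]


def triage(lines: List[str], user: str = "Owner") -> List[str]:
    """One human-readable action per line that needs attention, in the thread's own terms."""
    findings: List[str] = []
    for line in lines:
        e = parse_hjt_line(line)
        kind = e["kind"]
        if kind == "service" and e["file_missing"]:
            findings.append(f"O23 orphaned service {e['short']!r} ({e['display']}): "
                            "stop it, set Start-up Type to Disabled, then delete the service entry")
        elif kind == "ssodl" and e["file_missing"]:
            findings.append(f"O21 orphaned shell object {e['name']} -> {e['path']}: fix the line in HJT")
        elif kind == "startup":
            findings.append(f"O4 startup-folder item {e['file']}: fix the line, then look for the file in "
                            + "; ".join(startup_candidates(str(e["file"]), user)))
        elif kind == "run":
            findings.append(f"O4 autorun {e['hive']}\\..\\{e['key']} [{e['name']}] -> {e['cmd']}: "
                            "review and fix if unrecognised")
        elif kind == "dpf":
            findings.append(f"O16 ActiveX download {e['url']}: fix if not wanted")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run it as-is to see the six findings for the thread's lines; feed it a whole saved HJT log (one line per list entry) to get the same triage for your own file. The "(file missing)" flag is the key signal: an O23 service whose binary is gone is exactly the case where HJT's fix alone does nothing and the service has to be stopped, disabled and deleted, as chaslang describes in post 19.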
     
  31. amandalee76

    amandalee76 Private E-2

    OKee Chas,

I did everything you said and ended up having to search for it, for some reason when I try to open the Start Menu folder it freezes...

Anyways we were successful...
File was here:

C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Also, my new HijackThis log is attached

    Thanks again!
     


  32. PhilliePhan

    PhilliePhan Guest

    Hi Amandalee,

    Looks like you are making good progress! I am going to cut out and leave you in the able hands of Chaslang and D3m3nt3d.

    Best luck :)
    PP
     
  33. amandalee76

    amandalee76 Private E-2

    Thanks so much Phillie, I really appreciate all you guys are doing!
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your log is now clean! If you are not having any other problems with malware, it is time for you to check out the steps in the below thread:

    How to Protect yourself from malware!
     
