Infected or damaged files??

Discussion in 'Malware Help (A Specialist Will Reply)' started by bneilson, Dec 29, 2006.

  1. bneilson

    bneilson Private E-2

I'm not sure what's going on with my OS. It's my son's system, Dell Inspiron 6000, and he brought it home from college in early Nov. all jammed up. I finally got Win XP to boot with a rescue disc from Bart's. All the icons on desktop were changed to Microsoft Word symbols, but all the extensions for the programs were changed to .lnk, and Windows didn't recognize how to open anything. I finally connected to the internet and ran several different programs for viruses. We were using Norton, now McAfee. I restored most of the extensions with fixes from Doug Knox's website. I am sorry, I don't remember specifics. I've had to deal with 2 major holidays and a large family since then. He took it back to school and finished up the semester. However, just before Win XP opens when started, a random window opens. Usually from c:\windows\system32\, but while doing the Read and Run Me stuff, there were just little squares in the place of a file name on the window. I have to click on the window in order for XP to finish opening. I followed the instructions before posting. I was unable to run the scans in safe mode for some reason. Various pests were found. Bitdefender was the only one that removed anything. Vundofix did not find anything. My logs are attached. Thank you for any help you can give me.
     

    Attached Files:

  2. bneilson

    bneilson Private E-2

    Here are the rest of the logs.

    Bonnie Neilson
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Normally something like this is the sign of a corrupted or null entry in one of the Startup locations.

If your son has taken the PC back to school, how do you plan to fix anything we find?

You need to rerun CounterSpy and allow it to fix what it found! You had it ignore everything. You definitely need to get that PC MightyMax fixed. Do this before continuing on to the below where I will say to uninstall CounterSpy.

You need to get a couple antispyware applications removed. I'm surprised this PC runs at all with all of the junk McAfee is running and then add to it AVG Antispyware, CounterSpy, Spy Sweeper, and Windows Defender.
    • Is AVG Antispyware the free version from the READ ME? If yes, uninstall it.
    • If CounterSpy is the free trial from the READ ME, uninstall it now.
    • Is Spy Sweeper a paid version or free trial? If paid keep it and uninstall Windows Defender.
    • If Spy Sweeper is the free trial version, uninstall it and keep Windows Defender.
    You saved a load of stuff to the C:\Documents and Settings\Andrew Neilson\Desktop folder. You should either delete most of these files or move them to a more permanent location that does not clutter up the Desktop.

What is this folder: C:\Program Files\SpywareRemover?

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Are you using some kind of program to control startups? I see a load of things being indicated as control in msconfig registry entries but MSconfig itself is not being used. Thus something else must be controlling them.


    Make sure viewing of hidden files is enabled (per the tutorial).
Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {812ADD54-7C7E-4257-AC67-742FE57D7D63} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.
    Then reboot into safe mode and delete the below if found:

    C:\Program Files\PC MightyMax <--- the whole folder
    C:\Program Files\VSAdd-in <--- the whole folder

    Now run Ccleaner .

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Jan 3, 2007
  4. bneilson

    bneilson Private E-2

Thank you for taking so much time out of your life to help me. Things seem to be running much faster. For the life of me, I could not get CounterSpy to do anything except Ignore. I had the box checked to quarantine and for 2 days and last night I tried all I could think of. I ran 8 scans and the results always came up in a separate window with nothing to click on. I removed the PC MightyMax with Trend Micro's HouseCall after I read one of your responses to someone saying they must get CounterSpy to fix the threats. After getting your response last night, and having no luck with CounterSpy, I ran AVG in its place. We subscribe to McAfee and Ad-Aware and I have SpywareBlaster (free) on there. Everything else was just extra. The task scheduler has only one page, processes. I just noticed that. I'm not very familiar with this computer. The extra window is still coming up. C:\windows\system32\mui\0414\xpob2res.dll occasionally, but most often gibberish squares. Last night when I was running the newfiles scan, it just kept scanning. I left it at 2am and this morning, it still said it was scanning! I reran it and stopped it again after 30 min. when the log seemed complete. Thank you again for all this time. I have taken my larger computer to a small repair shop twice when it has gotten viruses and they have just erased everything and started new, so all the pictures and docs I hadn't yet backed up to CDs were lost; they aren't big on saving stuff. :))
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    I don't understand what you mean! What extra window? And when are you getting this? xpob2res.dll is a valid Windows file.

    ShowNew should run in less than a minute. Did you have any problems the first time you ran this and attach logs in your second message?

    Please complete my previous instructions and attach the requested logs. If you cannot get ShowNew to run, then just attach the other logs.
     
  6. bneilson

    bneilson Private E-2

OMG!! What an idiot I am. I thought I had attached these logs!! Sorry to waste your time. :(
     

    Attached Files:

  7. bneilson

    bneilson Private E-2

    The window opens right after the XP logo and just before the logon box with Andy's name and password. That seems to be all that's wrong. I figured out how to restore the task manager to normal. Thanks.

    BN
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to address this issue in the Software Forum as it is not related to malware.

    Your logs are clean, but I have some more for you to do. Also I have a question that I'll ask first.

Why aren't you using Ad-Aware's Ad-Watch feature? It is probably better to use that than to have Windows Defender running.

    You need to delete the below left overs from CounterSpy:
    C:\Documents and Settings\Andrew Neilson\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now use HJT to fix the below remnants of McAfee's Popup Blocker and Spy Sweeper.
    O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
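Editor's added example (not code from this thread, from MajorGeeks, or from HijackThis itself): the manual triage chaslang performs in posts 3 and 8 comes down to a few repeatable checks on HijackThis log lines: R0 entries whose value is blank, R3/O2/O20 entries that still reference a CLSID or DLL whose file is gone ("(no file)", "(file missing)"), and O4 Run-key entries that should be looked at by the path they launch. The script below applies those checks to a constructed sample log modelled on the entry types quoted in the thread. The rules, the `PRESENT_FILES` set (a stand-in for a real file-existence check), the example CLSID of all zeros and the `updater.exe` entry are the editor's assumptions for illustration, not anything HijackThis or the posts define.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample in HijackThis log format. The R0/R3/O2/O4/O20 lines mirror
# the entry types quoted in the thread; the zero CLSID and the Temp-folder Run
# entry are invented to exercise the remaining rules.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {812ADD54-7C7E-4257-AC67-742FE57D7D63} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [updater] C:\WINDOWS\Temp\updater.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Files assumed to exist on the (hypothetical) machine, so the example runs
# offline. On a real system pass os.path.exists to triage_hjt instead.
PRESENT_FILES = {
    r"C:\Program Files\QuickTime\qttask.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
    r"C:\WINDOWS\Temp\updater.exe",
    r"C:\Program Files\Example\helper.dll",
}

# Markers HijackThis prints when a registered component's file is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Folders a legitimate Run-key entry essentially never launches from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\")

_SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
_O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    line: str      # the original log line
    verdict: str   # orphan | empty-setting | autorun | autorun-suspicious | autorun-missing | ok
    detail: str


def _exe_path(cmd: str) -> str:
    """Extract the launched file from a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(log: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Classify each HijackThis line with the heuristics described in the lead-in."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue  # blank line or something that is not an HJT entry
        section, body = m.group("section"), m.group("body")
        if any(marker in line.lower() for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, line, "orphan",
                                    "registry entry points at a file that no longer exists"))
        elif section in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(Finding(section, line, "empty-setting",
                                    "IE setting with a blank value; harmless, fix to tidy up"))
        elif section == "O4":
            o4 = _O4_RE.match(body)
            path = _exe_path(o4.group("cmd")) if o4 else ""
            if not path or not exists(path):
                verdict, detail = "autorun-missing", f"Run entry for a file that is not present: {path or body}"
            elif any(d in path.lower() for d in SUSPICIOUS_DIRS):
                verdict, detail = "autorun-suspicious", f"Run entry launches from a temporary folder: {path}"
            else:
                verdict, detail = "autorun", f"Run entry launches {path}"
            findings.append(Finding(section, line, verdict, detail))
        else:
            findings.append(Finding(section, line, "ok", "no rule matched"))
    return findings


def fix_candidates(findings: List[Finding]) -> List[str]:
    """Lines that are safe to select in HJT: they reference nothing that still exists."""
    return [f.line for f in findings if f.verdict in ("orphan", "empty-setting", "autorun-missing")]


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG, exists=lambda p: p in PRESENT_FILES)
    for f in results:
        print(f"{f.verdict:<18} {f.section:<4} {f.detail}")
    print("\nSelect in HijackThis and click Fix:")
    for line in fix_candidates(results):
        print("  " + line)
```

Entries the script marks `autorun-suspicious` are the ones worth researching before touching; the "(no file)" and blank-value lines are the same kind chaslang lists for HJT to fix, since removing a pointer to a file that is already gone changes nothing on the machine.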
