Lots of Malware

I'm removing malware from a friend's computer. It was very unstable, sometimes not booting and sometimes blue screening.

I completed the Read & Run Me First guide. I ran everything sucsessfully until running Activescan, which would not run in safe mode or normal mode. It returns an "Error on Page" message, and I was told to just do the other steps and report them.

I ran BitDefender and Counterspy under administrator in safe mode before having the problem with Activescan and I stopped there for the day. I decided to rerun all steps the next day, but logged under the user's account while in safe mode, and found a good deal more. I attach both sets of logs: the first are bdscan.txt and counterspy.txt, the second set are bdscan2.txt and counterspy2.txt. The remaining steps were only run once, on the second time through.
Thanks!

 

part 2

 

part 3

 

ShowNew and GetRunKey are not properly installed. Unzip both to a folder such as MGTOOLS in the root directory of the boot drive, i.e. C:\MGTOOLS.

Post new logs from both.

 

I've tried to attach the new files and it tells me I've already attached runkeys.txt in this thread. I tried adding a 2 to the name and it still tells me the same thing. I tried starting a new thread and it tells me I uploaded it in this thread.

Suggestions?

If you want to delete this thread, I will start over, or I can Email the new file to you.

Ken

 

Just add a blank line to the end of the file and then attach it.

 

Thanks. Runkeys is attached to this message as runkeys2.txt and newfiles to my last post as newfiles2.txt

 

Sorry about the confusion. I was running from the extracted files, but had the problem with the system files which generated the message:

C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications

I hadn't noticed the fix you had for this problem and I thought it had generated the files ok. I hope I'm squared away now after applying the fix, and the new files are attached.

Thanks for all the help. Ken

 

Download
- Pocket Killbox

Using Add or Remove Programs in the Control Panel; uninstall the following:

Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

Windows Messeger is running in the background on this computer, and represents a security risk. Remove Windows Messenger by running Uninstall Messenger.

You are using MsConfig to prevent several items from loading at Windows start. MsConfig is a diagnostic tool, and not intended to be used in the manner you are using MsConfig. Enable everthing you used MsConfig to disable. If you are recieving error messages, related to these items, at system start; we can fix this without using MsConfig.

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

REBOOT to Normal Mode.

Post fresh logs for the following: (Ran in the order listed)
ShowNew
GetRunKeys
HijackThis