Malware, password changes, regedit changes

Discussion in 'Malware Help (A Specialist Will Reply)' started by Burning_Monkey, Jul 21, 2006.

  1. Burning_Monkey

    Burning_Monkey MajorGeek

    I have been having some problems with a computer here and would like the pros at MajorGeeks to check out some of the issues that are beyond my level of expertise and double check the work I have done so far.

    I discovered that this machine had SpywareQuake on it and went through the FAQ for removal. While I was removing the SpywareQuake, I noticed several other things that were obviously wrong.

    1) The local admin password has been changed. It is not any password that it should be, nor was it blank. No one admits to having changed it either. I need to know if there is a way to reset the local admin password back to what it should be. I do not have local admin access, but I do have domain admin access.

    2) The add/remove programs window has a huge amount of blank space in it. A hundred plus more blank lines with nothing there. If this could be removed or something, I would really appreciate that too.

    3) I think that someone got into the registry and carved some things up with the very dull knife of panic and inexperience.

    I have attached the HijackThis log and the log from the last run of smitRem. If there is anything else that you need, please let me know.

    I thank all the professionals at MajorGeeks and hope to get this resolved quickly.
     

    Attached Files:
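    Two of the three complaints above (a local Administrator password that changed without anyone admitting to it, and a pile of blank rows in Add/Remove Programs) can be triaged from a script before anyone starts editing the registry by hand. The following is an added example written for this thread, not something posted by Burning_Monkey, Shadow_Puter_Dude or MajorGeeks. It assumes Windows PowerShell run from an elevated session (the poster's domain admin account would do), reads the password age of the local Administrator account through the WinNT ADSI provider, pulls the password-set/change events from the Security log (legacy XP/2003 IDs 627 and 628, Vista+ IDs 4723 and 4724), and lists Uninstall subkeys with no DisplayName. The link between nameless Uninstall subkeys and the blank rows is an assumption; the script only surfaces candidates for review, it deletes nothing.

```powershell
# Added triage example (not from the thread). Assumes Windows PowerShell in an
# elevated session. Nothing here modifies the system; it only reports.

function Get-LocalAccountPasswordAge {
    param([string]$Account = 'Administrator')
    # The WinNT ADSI provider exposes PasswordAge in seconds since the last set.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Account,user"
    $ageSeconds = [int]$user.PasswordAge.Value
    [pscustomobject]@{
        Account         = $Account
        PasswordLastSet = (Get-Date).AddSeconds(-$ageSeconds)
        AgeDays         = [math]::Round($ageSeconds / 86400, 1)
    }
}

function Get-PasswordChangeEvents {
    param([int]$Days = 30)
    # 627 = change-password attempt, 628 = password set by an administrator (XP/2003).
    # 4723 / 4724 are the Vista-and-later equivalents. Reading the Security log
    # requires administrative rights; auditing of account management must have
    # been enabled for these events to exist at all.
    $ids = 627, 628, 4723, 4724
    Get-EventLog -LogName Security -After (Get-Date).AddDays(-$Days) |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, UserName, Message
}

function Get-NamelessUninstallEntries {
    # Add/Remove Programs is built from these keys. Assumption: rows that render
    # blank correspond to subkeys whose DisplayName is missing or empty.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            $name = $props.DisplayName
            if (-not $name -or -not $name.Trim()) {
                [pscustomobject]@{
                    SubKey          = $key.PSChildName
                    UninstallString = $props.UninstallString
                    Root            = $root
                }
            }
        }
    }
}

Get-LocalAccountPasswordAge | Format-List
Get-PasswordChangeEvents | Format-Table -AutoSize -Wrap
Get-NamelessUninstallEntries | Format-Table -AutoSize
```

    Compare the PasswordLastSet date with the time the SpywareQuake infection was first noticed: if the reset and the infection line up, treat the password change as part of the compromise rather than a forgotten admin action. Nameless Uninstall subkeys should be exported (`reg export`) before anyone deletes them, so the change can be reversed if a legitimate product turns out to depend on one.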

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download:
    - Pocket Killbox

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis

    For the local Admin password: Offline NT Password & Registry Editor.

    Don't remember right off-hand what the fix is for the blank space in Add/Remove.
     
  3. Burning_Monkey

    Burning_Monkey MajorGeek

    As requested I have uploaded a new HijackThis log. I appreciate all the help.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean.

    How is the computer running?
     
  5. Burning_Monkey

    Burning_Monkey MajorGeek

    It is running ok, other than it being 5-7 years old. :)

    At least I didn't have to reformat and reinstall everything, and that makes this monkey happy.

    If I figure out how to remove all the blank space in the Add/Remove Programs, I will post something on the boards about it.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The answer may already be posted on the board. I vaguely remember seeing something about that around a year ago.
     
  7. matt.chugg

    matt.chugg MajorGeek

  8. Burning_Monkey

    Burning_Monkey MajorGeek

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  10. Burning_Monkey

    Burning_Monkey MajorGeek

    Yeah, now if I can just keep the maintenance guys from going to 'questionable' web sites, my life would be good.
     
