
Can't even figure out what's infected me...



Heyas, long time lurker, first time caller... really hope someone can help me...

First symptom was in Firefox: when I typed anything into Google search, it would crash. How odd, right? When I try it on my old Netscape, which I use for reading, it doesn't crash when I type something into Google, but the recommendations it lists underneath as I type, if I select one, the input field instead of filling in the recommendation changes to "undefined". Hmm, how odd. Other than that I didn't see anything happening. I did get a few redirects from Google on Netscape the first time, but if I tried the same link again, it worked fine.

So first I think it's an addon; I turn most off. I wasn't getting any other symptoms, so I couldn't even begin to figure out what my prob was. Then upon rebooting, I noticed that my desktop would load with icons, then the icons would disappear for a moment, a little flicker, then they'd come back. So something seems to be running in the background. I go to run regedit, it won't load, neither would command prompt. I try to restart in Safe Mode, and that just hung, and was real tricky to fix. Luckily I had previously installed Windows Recovery, so I got into there, changed my boot config and was able to get back to normal Windows.

Downloaded and installed Malwarebytes; at first it shut itself down. I ran ComboFix, and then I was able to at least run Malwarebytes. It did catch a few things, but didn't seem to fix the prob. I got Avira, ran that, it also detected a few things. One thing I noticed: it's not running a registry scan, and for some odd reason I can't even see where to turn it on.

Downloading HJT as I type this, will install and get a log up (I hadn't, but decided not to ask where to DL it, I just went and found it on CNET... figured they should be safe... hopefully..). I'll post this in a few after I install and run it so I can post up the log.

Normally I'm pretty good at diagnosing and disinfecting myself, but this one's got my ego in check. Any help greatly appreciated, as it seems like it's a rootkit and I'm pretty darn stuck.

Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44

Database version: 3865

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/14/2010 6:20:52 AM

mbam-log-2010-03-14 (06-20-52).txt

Scan type: Full Scan (C:\|)

Objects scanned: 245819

Time elapsed: 1 hour(s), 34 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\CONFIG\33055138.Evt (Rootkit.Agent.H) -> Quarantined and deleted successfully.

I would post the Avira log, but it's HUGE (I already tried actually and it was so big that I couldn't even just delete parts of it, I had to hit BACK on the browser and start again). So can someone tell me what portion of the Avira log they want, prob at the same time as telling me where they want and what they want from HJT, and I'll be only too happy to oblige.

For fun, here is just the top and bottom... or what I think may help a bit:

Avira AntiVir Personal

Report file date: Sunday, March 14, 2010 17:38

Scanning for 1853771 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : Dad

Computer name : RACERX

Version information:

BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 15:26:33

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 11:35:52

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 21:24:10

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:24:23

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:24:27

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 21:24:33

VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 21:24:33

VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 21:24:34

VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 21:24:34

VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 21:24:34

VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 21:24:34

VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 21:24:34

VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 21:24:34

VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 21:24:34

VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 21:24:35

VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 21:24:36

VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 21:24:37

VBASE016.VDF : 7.10.5.45 2048 Bytes 3/11/2010 21:24:37

VBASE017.VDF : 7.10.5.46 2048 Bytes 3/11/2010 21:24:37

VBASE018.VDF : 7.10.5.47 2048 Bytes 3/11/2010 21:24:37

VBASE019.VDF : 7.10.5.48 2048 Bytes 3/11/2010 21:24:38

VBASE020.VDF : 7.10.5.49 2048 Bytes 3/11/2010 21:24:38

VBASE021.VDF : 7.10.5.50 2048 Bytes 3/11/2010 21:24:38

VBASE022.VDF : 7.10.5.51 2048 Bytes 3/11/2010 21:24:38

VBASE023.VDF : 7.10.5.52 2048 Bytes 3/11/2010 21:24:38

VBASE024.VDF : 7.10.5.53 2048 Bytes 3/11/2010 21:24:38

VBASE025.VDF : 7.10.5.54 2048 Bytes 3/11/2010 21:24:38

VBASE026.VDF : 7.10.5.55 2048 Bytes 3/11/2010 21:24:39

VBASE027.VDF : 7.10.5.56 2048 Bytes 3/11/2010 21:24:39

VBASE028.VDF : 7.10.5.57 2048 Bytes 3/11/2010 21:24:39

VBASE029.VDF : 7.10.5.58 2048 Bytes 3/11/2010 21:24:39

VBASE030.VDF : 7.10.5.59 2048 Bytes 3/11/2010 21:24:39

VBASE031.VDF : 7.10.5.67 139776 Bytes 3/14/2010 21:24:40

Engineversion : 8.2.1.180

AEVDF.DLL : 8.1.1.3 106868 Bytes 3/14/2010 21:24:57

AESCRIPT.DLL : 8.1.3.17 1032570 Bytes 3/14/2010 21:24:56

AESCN.DLL : 8.1.5.0 127347 Bytes 3/14/2010 21:24:54

AESBX.DLL : 8.1.2.0 254323 Bytes 3/14/2010 21:24:58

AERDL.DLL : 8.1.4.2 479602 Bytes 3/14/2010 21:24:53

AEPACK.DLL : 8.2.1.0 426356 Bytes 3/14/2010 21:24:52

AEOFFICE.DLL : 8.1.0.39 196987 Bytes 3/14/2010 21:24:50

AEHEUR.DLL : 8.1.1.7 2326902 Bytes 3/14/2010 21:24:49

AEHELP.DLL : 8.1.10.1 237942 Bytes 3/14/2010 21:24:44

AEGEN.DLL : 8.1.2.0 373107 Bytes 3/14/2010 21:24:43

AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 11:38:26

AECORE.DLL : 8.1.12.2 188790 Bytes 3/14/2010 21:24:41

AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 11:38:20

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 19:14:02

AVREP.DLL : 8.0.0.7 159784 Bytes 3/14/2010 21:24:59

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 19:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 19:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 16:25:47

Configuration settings for the scan:

Jobname.............................: Rootkit search

Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\rootkit.avp

Logging.............................: high

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Process scan........................: off

Scan registry.......................: off

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Expanded search settings............: 0x00300922

Start of the scan: Sunday, March 14, 2010 17:38

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9

[iNFO] The registry entry is invisible.

'447788' objects were checked, '1' hidden objects were found.

Starting the file scan:

Begin scan in 'C:'

C:\

......enormous list....

Beginning disinfection:

C:\327882R2FWJFW\

nircmd.com

[DETECTION] Contains recognition pattern of the APPL/NirCmd.3 application

[NOTE] The file was moved to '4c0f779c.qua'!

C:\MP3's\11806incoming\Buckcherry\

Buckcherry - Dead Again.wma

[DETECTION] Is the TR/Dldr.Age.1171323 Trojan

[NOTE] The file was moved to '4c0077a8.qua'!

C:\MP3's\11806incoming\Buckcherry\

Buckcherry - Dirty Mind(1).wma

[DETECTION] Is the TR/Dldr.Age.1171323 Trojan

[NOTE] The file was moved to '48098c91.qua'!

C:\MP3's\9-10-08 Incoming\

here we go again demi lovato.wma

[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan

[NOTE] The file was moved to '4c0f7798.qua'!

C:\MP3's\9-10-08 Incoming\

i want you to me ksm.wma

[DETECTION] Is the TR/Dldr.WMA.Wimad.X Trojan

[NOTE] The file was moved to '4c147754.qua'!

C:\MP3's\Incomplete\

T-6472385-ksm-i want you to want me.mp3

[DETECTION] Is the TR/Dldr.WMA.Wimad.N Trojan

[NOTE] The file was moved to '4bd37761.qua'!

End of the scan: Sunday, March 14, 2010 19:54

Used time: 1:48:06 Hour(s)

The scan has been done completely.

11306 Scanned directories

253922 Files were scanned

6 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

6 Files were moved to quarantine

0 Files were renamed

30 Files cannot be scanned

253886 Files not concerned

6947 Archives were scanned

31 Warnings

34 Notes

447788 Objects were scanned with rootkit scan

1 Hidden objects were found

HijackThis log... my first time, so if you want something diff or for me to use another function on it, let me know (this seems like a very short log compared to others I've read). I'm tempted to explore it, but will resist the urge..

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:51:25 AM, on 3/15/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\DAD\Application Data\Mozilla\Profiles\default\l4fizvyp.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\DAD\Application Data\Mozilla\Profiles\default\l4fizvyp.slt\prefs.js)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSCONFIG.EXE /auto

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O8 - Extra context menu item: AMV convert tool grab multimedia file - C:\Program Files\MP3 Player Utilities 5.07\AMVConverter\grab.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: *.avsystemcare.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.onerateld.com (HKLM)

O15 - Trusted Zone: *.safetydownload.com (HKLM)

O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

O15 - Trusted Zone: *.trustedantivirus.com (HKLM)

O15 - Trusted Zone: *.virusschlacht.com (HKLM)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1264638197609

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Client - Unknown owner - C:\WINDOWS\system32\netcom.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 5182 bytes


  • Staff

Hi,

First of all, check and fix the next entries in HijackThis:

O15 - Trusted Zone: *.avsystemcare.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.onerateld.com (HKLM)

O15 - Trusted Zone: *.safetydownload.com (HKLM)

O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

O15 - Trusted Zone: *.trustedantivirus.com (HKLM)

O15 - Trusted Zone: *.virusschlacht.com (HKLM)

Btw, it looks like you are dealing with a Daonol variant, because of this: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9

However, the fact that you can run HijackThis and Malwarebytes suggests the malware isn't active anymore.

You said you used ComboFix before; can you post the log from ComboFix please? It's located on your C:\ with the name combofix.txt

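As an added example (not code from this thread, from HijackThis or from Malwarebytes), here is a small Python triage pass over HijackThis entries that applies the two points the staff reply above picks out: wildcard domains in the IE Trusted Zone (O15), and a service entry whose binary is missing (O23). The sample input is a subset of the log posted earlier in the thread; the review rules, the `triage` and `trusted_zone_domains` function names and the O10 "verify the publisher" handling are my own assumptions about a first-pass review, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Network Client - Unknown owner - C:\WINDOWS\system32\netcom.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# HijackThis prefixes each entry with its section code, e.g. "O15 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, full_line) for every entry line; header and blank lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text):
    """First-pass review rules (my own assumptions, not HijackThis logic):
    - O15: any wildcard domain in the IE Trusted Zone. The zone relaxes security settings
      for every host under that domain, and nothing legitimate in this log needs it.
    - O23: a service whose binary is missing and whose owner is unknown, i.e. an orphaned
      entry left behind by a removed or quarantined component.
    - O10: HijackThis could not identify the Winsock LSP. Record it for a publisher check
      rather than acting on it; an LSP removal done wrong breaks networking.
    """
    findings = []
    for section, body, line in parse_entries(log_text):
        if section == "O15" and "*." in body:
            findings.append(Finding(section, "wildcard domain in Trusted Zone", line))
        elif section == "O23" and "(file missing)" in body and "Unknown owner" in body:
            findings.append(Finding(section, "service with unknown owner and missing binary", line))
        elif section == "O10":
            findings.append(Finding(section, "unidentified Winsock LSP; verify publisher", line))
    return findings


def trusted_zone_domains(log_text):
    """Just the domain patterns from the O15 findings, in log order."""
    return [f.line.split("Trusted Zone: ", 1)[1].split(" ", 1)[0]
            for f in triage(log_text) if f.section == "O15"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the seven O15 lines and the orphaned "Network Client" service come out as findings while the Avira, HP and Adobe entries do not; the O10 line is listed only as something to verify, which matches the staff reply asking for the O15 entries to be fixed and leaving the LSP alone.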

Hi miekie, thanks for helping!

I checked and fixed those 7 entries in HijackThis as requested.

Here is a copy of the Combofix.txt file, but there isn't anything there (??). I do know it did something, because like I said MWB started working after I ran it. Maybe you meant a diff TXT file in that folder? There are a few and they all say... something (what, I'm not sure honestly).

Here's what it says:

ComboFix 10-03-13.03 - Dad 03/14/2010 3:52:23.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.734 [GMT -4:00]

Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe

* Created a new restore point

.

That's it (??)

I don't know if it always creates a Qoobox, but it did for mine, and it's got stuff in it. No text files tho, just a variety of stuff.

I downloaded and ran GMER last night. I know I'm supposed to leave it while it runs; I thought I had waited till it was finished and then hit copy, opened Notepad and pasted it in there, I saw that... for about 2 seconds, then the machine rebooted and it's had some issues booting since. Sometimes I get hung up on the first blue Starting Windows screen (even today.. so 3 times now; I wait for about 5 minutes, turn off the machine and then turn it back on, and then it seems to boot). I'm tempted to run GMER again, but I'll wait to hear back from you. I also had trouble turning off AVG guard: I unchecked it in msconfig, but that didn't work until I also changed it to manual in Services. This time it wasn't on at startup. But when it was, I couldn't turn it off, even using Task Manager. And there's no tray icon, like I've read here, where you can right click and select to turn it off.

So I agree whatever virus this is, I did something to it, but it's still there, or at least the damage it did to my system is. I still can't run Regedit or command prompt. Anything I type in Google still crashes Firefox, and I'm getting asked for cookies for sites I've been to plenty of times and haven't been asked in a while. Also Firefox always starts up with the "Sorry, your browser crashed, can it report the problem" message, which was fine when FF did crash, but the last times it didn't crash, I turned it off, yet I still always get that message first as FF opens.

Looking forward to hearing back from ya!


  • Staff

Hi,

Ok, do the following... Open GMER. It will automatically start a quick scan. Don't click any additional scan options there, but once the scan has finished, click the arrows >>> on top to expand the GMER toolbar. Click the Registry tab in there.

Then, under there, navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9

Let me know what it says as value data for that key.


  • Staff

Hi,

Ok, I assume you still can run HijackThis?

If so:

* Open HijackThis, click 'Config' (bottom right)

* Choose the tab 'Misc Tools' on top.

* Choose 'Delete a file on reboot'

* In the field, copy and paste next:

C:\DOCUME~1\DAD\LOCALS~1\Temp\xclrv.tmp

(or browse manually to the C:\DOCUME~1\DAD\LOCALS~1\Temp\xclrv.tmp file from there and select it)

* Click Open.

HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.

Your system should reboot now.

It's important that this file gets deleted on reboot, because if you delete it manually, it will return all the time since it's loaded in memory.

After reboot, test if regedit works again. If so, navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9 key and delete the midi9 key (as this one is not present by default anyway).

Don't delete any other midi keys there.

Let me know how things went.


Way to go Meike~!

Yup, Regedit runs now, FF Google works, no flickering on startup. Everything seems back to relative normality.

OK, last thing I'll bother you with. I mentioned how I got hung up in Safe Mode and I had to use the Recovery Console to change my boot config so I could get back to regular Windows mode. Well, 4 questions: should I leave the Recovery Console installed? Does it automatically uninstall when I uninstall ComboFix? Should I uninstall ComboFix (most threads here end with the advisor saying to, which is why I asked that)? And lastly and most importantly, when I changed my boot config, somehow instead of altering my primary boot, which is the whole "Windows XP SP3 etc... etc.", I just created a boot file called "1", so every time I start up, I get the option to turn on the Recovery Console, boot to "1" which is the default now, or boot to the old "Windows XP.... etc". Should I go back to my orig and somehow delete "1"? So far I don't see any downside to staying this way except the 5 seconds on boot up where it asks, but this is a pretty old computer and I've already mucked Windows/the registry up so much I try to keep the tampering to a minimum. I also don't want to go back to the orig boot and bring the problem back. If you do recommend getting rid of "1", just please let me know the best way as well.

Oh, and let me know what else you want me to uninstall: Combo, GMER, MWB, Avira, HJT.. I can prob leave them if you say so, but as I mentioned this machine is already quite full of manure. Oh, and if you say to leave Avira, should I turn its startup on boot back on (AVGuard)? I've never actually found an antivirus I liked completely, so in general I get rid of them when I don't need them. Yes, maybe a bad idea.....

And thanks again for all your help!

Shawn

PS: you were so helpful I may try to tackle the rootkit that ESET couldn't get rid of on my other puter (it's only an HT computer, and it runs, just a few little probs that ESET couldn't fix)... and maybe for the first time in my life actually PAY FOR AN ANTIVIRUS~! I think MWB has earned it, and mostly (more like entirely) because of your support!


  • Staff

Yes, leave the Recovery Console installed. Uninstalling ComboFix won't uninstall the Recovery Console. If you leave the Recovery Console installed, you'll still see that option during boot for a couple of seconds.

Yes, you should uninstall ComboFix; use ComboFix /Uninstall for that.

For your boot.ini: so, as far as I understand here, the 1 is the working one? What do you get when you boot to the Windows XP one? Does that work? Does it load your current OS? If so, then edit the boot.ini again to set it back to the Windows XP one.

Here's how to do this: http://support.microsoft.com/kb/289022

I would keep Avira and Malwarebytes, because you need an antivirus and antispyware. And yes, you should leave its settings to start with Windows, because otherwise it won't protect as a realtime scanner.

Also, please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :(


My current Facebook "headline":

Shawn Bittner: "another virus defeated. Great big thanks to Meike at Malwarebytes for some extra help with the cleanup. Malwarebytes is def the place to go if you got puter questions/problems" (and no, I don't mind you knowing my real name)

I also posted a link to your blog, hope you don't mind; I think it's worth reading for anyone I know.

Was reading through your blog, it has a lot of great tips and hints, many of which I knew, but still. Also very helpful links.

One thing I was wondering, and you may consider adding this to your blog: I was reading what you said about cleaning up unused files. The only one(s) I'm unsure of are all the files left over from a Windows update, like for me when I (finally) installed SP3. I currently have 60 folders in my Windows directory starting with $UninstallKB (then a variety of numbers), as well as the first 3: $hf_mig$, $MSI31Uninstall_KB89303v2$ and $NTServicePackUninstall$. I also have a folder in C: called accf63372416fb82625d2f130 (long folder name!). Inside this folder is a folder i386 which has 2,923 objects at 398 MBs.

Now I've already backed up all these files on my HT server, just in case. But I've read a lot of conflicting things about deleting or keeping these. Altogether it's over a gig of stuff, and I was wondering 2 things: first, obviously, do you think I should delete, or which ones to delete. Secondly, this is something you may want to mention on your blog, since nearly everyone updates Windows at some point, and I'm sure 99% are like me, tempted but unsure if they should actually get rid of them. I'm sure it would be a help to me, since this ol' thing only has a 75 gig HD, and I've got about 29 free. But even more important, I know this has just got to be an issue for people out there who are even less familiar with how their computer works.

As for the boot issue, I'll consider my options. I agree with something you mentioned in your blog: if it ain't broke, don't try to fix it. I'm almost afraid to try booting to the "other" Windows. The registry wouldn't include the changes you and I have made, so I dunno if the virus will somehow manage to still be there. Who knows, I may try it sometime, or just let it be.

Thanks again for all your help~!

Shawn


  • Staff

It's better you don't delete those Windows update files, because these folders contain backups, and in case something goes wrong, Windows File Protection (or some tools, in case malware infected the ones in system32\dllcache) may also look in those folders to restore files. Same applies here: don't fix it if it ain't broken :(

And I'm glad I could help :)


Sorry to keep buggin' ya, I can't seem to get rid of ComboFix. I tried Run > ComboFix /Uninstall (and a few varieties of caps and such, as well as just copying/pasting what you typed) and all it did was start it. I tried a quick Google search and came across this: http://www.bleepingcomputer.com/forums/topic291074.html where they mention downloading http://oldtimer.geekstogo.com/OTC.exe But before I ran it, I figured I'd... well, bug you again hehe. I hate DLing things I'm not certain of, plus they said it reset a few other things in Windows which sounds, well, not a big deal but still. (I DL'd it, but haven't installed it or anything.)

Also, should I get rid of GooredFix.exe and GMER.exe? And if so, are these just standalones or is there a particular way of uninstalling them? HJT I think I'll leave, but as I recall if I want to uninstall it, there's a button in the prog itself to do just that.

Sorry to keep harassing you, hopefully you're almost done with me!


  • Staff

Hi,

I assume you still have ComboFix on your desktop? If not, then it indeed won't work anymore.

If it is on your desktop, via Start > Run, try the following command (quotes included):

"C:\Documents and Settings\Dad\Desktop\ComboFix.exe" /uninstall

If still no luck, just delete the C:\qoobox folder manually.

No need to download the OTC.exe.

Also, yes, delete GooredFix and GMER. They are standalone programs and have no uninstall command. :(


Yes, Combo is still on the desktop, and I tried your exact instructions. Do I have to turn off AVGuard in order to uninstall ComboFix..? I wouldn't have thought so, but every time I try to uninstall, I get the pop-up saying AVG is running and to turn it off before continuing. Seemed to me Combo was trying to run a scan/turn on, but maybe I was wrong? I then use Task Manager to turn off the Combo and Nircmd progs. But now I'm wondering if maybe AVG needs to be off to uninstall Combo..?

I wouldn't have bothered asking you again, but figured maybe this is something you forgot to mention and therefore will remember to mention in future instructions. So I'm trying to be helpful as well as get help hehe.

Oh yeah, since I'm so chatty (hopefully not annoyingly so), I know you all have some ties to BleepingComputer (I have no idea what ties, wasn't going to say "affiliated" cause I know these are 2 diff sites, but I know there are some sort of ties) and as I've been reading over there a lot through all this, I noticed that they offer a "Malware Removal Training Program" which is a way of working towards helping others there. I was just wondering if MWB offers anything similar, or in conjunction with them. If not, I may end up giving it a shot there, but if I had a choice I'd prob prefer to do it here, since you all are the ones who actually helped me and are the actual home of MWB.

Sorry if I've become a pest~! Feel free to chastise me appropriately hehe.

Shawn

This topic is now closed to further replies.