Huge Win32/Heur Infection help
#21
You may try post #13 to at least get stable enough to get some of the files you need to back up.
I think if the OS is clear, like after a reinstall, that data files can be cleaned. It is the OS system files that may not be able to be cleaned.

Mike
#22
I've done it but now I have other problems...
I successfully re-formatted hard drives and reinstalled Win XP! I ran Dr. Web on local hard drives and on external hard drives and everything was clean.
A couple of hours ago, AVG found agent_r.ip on nzm2.exe (a system32 process). I ran Combofix and I believe everything is ok. By the way, how do I uninstall Microsoft Windows Recovery Console? I have a new problem now but I believe it belongs in a new thread. On signing in to Windows Live Messenger, my contact list doesn't show up. It shows up on Windows Messenger... Oh, and I was about to end this without thanking you... Thanks a lot for your time spent with me. Although I had to re-format, I believe I learned a lot about virus/spyware troubleshooting and next time (I hope there's none but we never can be sure...) I will be a more advanced user... Thank You!
#23
Why in the world would you want to uninstall something as potentially beneficial as Recovery Console?

It has no impact at all on how the computer runs; the only cost it incurs is the few seconds it gives you to select it and a tiny amount of disk space! I don't use instant messengers, period, so I won't be much help. So start a new thread "Help with Live messenger".

OK, if you did a full format and install and you already have Malware, then think about what you have installed, used a Flash drive, accessed another partition or drive, a website, a video or music file, email etc. This did not come from the Windows install. I wish we could have fixed it. Yours was a case of too many of the really bad ones at the same time. Keep behind them with MBAM, SAS, DRWeb ever so often so you have an infection instead of an infestation. My closing may help you, so consider it!

Based on what these recent Malwares are doing to userinit, explorer, spoolsv, regedit and others I am planning to write a bat/cmd file to do a special backup for recovery from these and others. So below are a few of the things that will be in it. Make a folder CriticalFiles. This should only be done on a Clean System or you may back up bad files. Put it on the boot drive so as to be handy in case of a repair, then a copy on another partition, even better offline like removable media. Then search and copy the following to it.

1. Boot.ini
2. ntldr
3. userinit.exe
4. Explorer.exe
5. Regedit.exe
6. Spoolsv.exe
7. cmd.exe
8. The entire i386 folder from your current XP install CD, hopefully with the latest SP to match what is installed on the HD!

Thread Closing
-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix: Start-Run, type combofix /u, hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com.../OTCleanIt.exe Save to desktop. This will remove all the tools we used to clean your computer. Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?" Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all. If prompted to Reboot, click Yes. OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------

Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom, no Yahoo toolbar). Run twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)

-------------------------------------------------------------------------------------

The issues can be, and are likely, found in System Restore, so do the below. Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot". Then Start-Programs-Accessories-System Tools-Disk Cleanup. Click OK to accept C:. Select all Boxes. Then click More Options. Here click System Restore and OK to "Are you sure" and then OK to Run. As this runs it clears all but the most recent Restore Point, but it does one other thing that can contain infested files and a huge amount of disk space: it clears what is known as Shadow copies, which are used by specialized back up programs. This is if you have the Volume Shadow Copy running, which is the default.

-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time. If they find something they can not clean, then get back to us. Additionally run CCleaner, ATF-Cleaner and KCleaner.

----------------------------------------------------------------------------------------

I have been using ThreatFire for more than a year; it just went from ver 3 to ver 4. It was designed to be used with and to co-exist with other Virus scanners. Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions, ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle. It works like some Firewalls do, to learn what is good/bad. After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes, like in an update. As it queries you about the prompt, to help you determine to approve or not you can google it with one click. http://www.threatfire.com/Download/

-------------------------------------------------------------------------------------

Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function. http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html Download, install, run and allow it to disable DNS Client and select all Host files, then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
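The bat/cmd backup that Mike sketches above, as an added example that is not his script or any TechSpot tool: it copies the listed files into CriticalFiles and, run with "check", compares the live files byte-for-byte against the clean copies with FC so a replaced userinit.exe or explorer.exe stands out. It assumes XP with the usual %SystemRoot% layout and the install CD in drive D: (both assumptions; change XPCD if yours differs).

```batch
@echo off
rem Added example, not Mike's script. Run the backup part only on a known-clean
rem system, as the post says, or you will back up bad files.
setlocal
set DEST=%SystemDrive%\CriticalFiles
set XPCD=D:
rem Assumption: XP install CD is in D:; adjust XPCD if not.

if /I "%~1"=="check" goto :check

if not exist "%DEST%" mkdir "%DEST%"
rem xcopy /H copies hidden/system files such as boot.ini and ntldr,
rem /K keeps attributes, /R overwrites read-only copies from an earlier run.
for %%F in (boot.ini ntldr) do xcopy "%SystemDrive%\%%F" "%DEST%\" /H /K /R /Y >nul
for %%F in (explorer.exe regedit.exe) do xcopy "%SystemRoot%\%%F" "%DEST%\" /H /K /R /Y >nul
for %%F in (userinit.exe spoolsv.exe cmd.exe) do xcopy "%SystemRoot%\system32\%%F" "%DEST%\" /H /K /R /Y >nul
if exist "%XPCD%\i386" xcopy "%XPCD%\i386" "%DEST%\i386\" /E /H /K /R /Y >nul
rem Record sizes and dates of the clean copies as a manifest for later comparison.
dir /A /-C "%DEST%" > "%DEST%\manifest.txt"
echo Backup written to %DEST%. Now copy that folder to another partition or removable media.
goto :eof

:check
rem Compare each live file with its clean backup. A difference means the file was
rem changed by a patch, or replaced by malware, and deserves a closer look.
for %%F in (boot.ini ntldr) do call :cmp "%SystemDrive%\%%F" "%DEST%\%%F"
for %%F in (explorer.exe regedit.exe) do call :cmp "%SystemRoot%\%%F" "%DEST%\%%F"
for %%F in (userinit.exe spoolsv.exe cmd.exe) do call :cmp "%SystemRoot%\system32\%%F" "%DEST%\%%F"
goto :eof

:cmp
rem FC /B returns 0 when identical, 1 when different, 2 when a file is missing.
fc /B %1 %2 >nul 2>&1
if errorlevel 1 (echo DIFFERS or MISSING: %~1) else (echo ok: %~1)
goto :eof
```

Run it once with no argument on the clean system to make the backup, and later as `CriticalFiles.cmd check` to see which of the files have changed since.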
#24
Thanks for the tips!
Just that: thank you!
Andy Luis