Avira Malwarebytes and SuperAntiSpy helped, am I clear?

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
c:\program files\LimeWire
c:\program files\2Wire\bak
c:\program files\321Studios\Platinum\bak
c:\program files\Common Files\Sonic\Update Manager\bak
c:\program files\Common Files\Symantec Shared\bak
c:\program files\Dell\Media Experience\bak
c:\program files\Dell Support\bak
c:\program files\HP\HP Software Update\bak
c:\program files\HP\hpcoretech\bak
c:\program files\Messenger\bak
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak
c:\program files\QuickTime\bak
c:\program files\Yahoo!\browser\bak
c:\program files\Yahoo!\Messenger\bak
c:\program files\Yahoo!\YOP\bak
c:\windows\SYSTEM32\bak
c:\windows\SYSTEM32\dla\bak

Registry::

Driver::

AWF::
c:\program files\iTunes\bak\iTunesHelper.exe

MIA::
c:\windows\system32\wscntfy.exe
c:\windows\system32\xmlprov.dll

KILLALL::

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Post a fresh HijackThis log as well.
 
Can't open Windows now

The computer had been running well, although it had the continuing problem recognized by Kaspersky... It had a version of Fulltilt on the computer that required an update... It worked fine and all was well. I deleted and then downloaded ComboFix as recommended. It ran fine and I posted the log output file. Shut off the computer and that was it for the day... I tried to log in today, and it came up to the blue screen with text saying that I may have a virus or, if I recently installed a new hard drive, to check the connections... I tried to log in in safe mode and it gave me the same screen and text... I even tried to log in with last known good configuration and it gave me the same screen and text... what can I do?
 
Can't download if I can't boot up

Without being able to boot up the computer... I can't download any new programs. I am responding from a separate laptop. The computer in question, I can't boot up in safe mode or regular mode... HELP!! I don't know if my son has a Windows boot disc around?? I can get a command prompt from one of the options when hitting Ctrl+8 and choosing one of the options other than Safe Mode/Networking or ?? What else can I do to get back into the computer?? There are many files that need to be retrieved still that are on this computer.
 
So you didn't get a chance to run the CFScript?

Can you enter the recovery console at boot?

If so,

type the following at the Recovery console command prompt,

cd erdnt\subs

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The erunt backups will begin copying.

At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
 
Mercifies, we have already established that being unable to boot into Windows makes it hard to download inferior cleaning tools such as Spyware Doctor.
 
Windows Advanced Options Menu

I am in the Windows Advanced Options Menu... can't do Safe Mode or Safe Mode with Networking... when I go to Safe Mode with Command Prompt I have a choice of Windows Recovery Console or Microsoft Windows XP Home Edition. When I go to Recovery Console... there is a prompt but I can't type anything from the keyboard. When I go to MW XP Home Edition I get the blue screen where it states "A problem has been detected and Windows has been shut down to prevent damage to your computer... If this is the first time you've seen this Stop error screen, restart your computer... check for viruses on your computer..." and so on...
Technical information: STOP 0x0000007B (0xF7B7C640, 0xC0000034, 0x00000000)
 
This looks to be a problem with the keyboard being recognised, quite annoying.

It wouldn't happen to be a multimedia USB keyboard?
 
Not a multimedia keyboard

It's not a multimedia keyboard...

When I try to get into the Recovery Console, I don't get the screen I remember from the past... it's just a flashing "-" at the top of the screen. When I try and type a bunch of characters, nothing comes up and I get a beep from the box...
 
I don't think I have a Windows boot disc for this box?? Can I create one from another computer?? I need to retrieve more of my son's files from this box for him...

As a last resort, can I remove the hard drive and make it a slave in another desktop and carefully remove the files needed?? Will this hard disc drive be able to be recognized by another computer and possibly a different operating system??
 
In theory it should be able to be recognised as a slave. Another option would be to go in with a linux live disc and retrieve the files.
 
The Linux Live CD would be the least-risk route. Although you've gone through a cleaning,
this would remove uncertainties in regards to boot-sector code and autoruns.

I am at a different point for my computer's trojan/worm, so I am considering a Rescue CD with AV scanners.

Here is a link describing a lot of work to make a bootable Recovery Console on CD. However, their purist approach causes me to doubt that this will work, since my brand of OEM XP seems to omit files from the i386 folder. This could be a blessing in disguise -- I used a full-version XP installation CD to load the Recovery Console on the computer with OEM XP.
 
Turned primary hard drive into slave

I removed the hard drive that I could no longer boot up... put it into an office computer, and it came up as a slave without problem. I backed up the files I needed, and would now like to know... how can I edit the boot files so that I can put the hard drive back into its original Dell box, and run the computer as before? I am concerned that I cannot run ComboFix and specify the slave F drive without potentially infecting the office host computer.

Are the music files that my son has potentially the carrier, so I should not back those up to the office host computer?
 
What about drivers

As this is my son's computer, I don't know where, or if, he has all of the necessary drivers... I have several Windows XP unopened discs that came with Dell computers that I have purchased for my family over the years... how would I re-initialize the hard disc (what sequence of events) and what about drivers for monitor, keyboard, mouse, other cards for, say, graphics or whatever (printer)...

You don't think there is any way to search the files and remove the virus manually while it is a slave and then put it back in the original computer it came from? Just trying to save a lot of headache with trying to get it back up and functioning properly without all of the original discs and pre-installed software...

Thanks!!
 
Will it put the other computer at risk?

I don't have the office computer online yet as I was concerned that the slave drive and being online was a bad combination... just as a gut check here... I am not putting the host computer at risk by logging online with the slave intact, am I?
 
Kaspersky Log file

Below is from the HTML file that I could not attach (sorry, forgot to save it as a text or log file). Again, the drive from my son's computer is now the slave in an office computer. We don't know where all the discs are to reformat with all of the drivers and other programs currently on the drive. We would like to be able to save its original formatting if possible...

KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, December 3, 2009
Operating system: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, December 03, 2009 10:54:33
Records in database: 3326104


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area Folder
F:\

Scan statistics
Objects scanned 85055
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 05:51:15

File name                          Threat                        Threats count
F:\WINDOWS\SYSTEM32\ruvaluno.exe   Infected: Packed.Win32.Krap.ai   1

Selected area has been scanned.
 
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    F:\WINDOWS\SYSTEM32\ruvaluno.exe
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Can you put the drive back into the main computer now?
 
OTM cannot run

I downloaded OTM to the desktop, however when I attempted to run it, an error message came up Warning: system restore interface not present and then nothing happened.

Please advise....This office computer is running Windows 2000. Hope that is not a problem.
 
It may well be. I have not tested OTM on a Windows 2000 machine so I do not know if it works properly.

I would just replace the drive in the original computer and get a combofix log from it when it is in place.
 