combofix messed up computer

I inherited a P4, 80g hard drive, 1g memory, running Xp SP2 Home, Norton AV, XP's firewall and I use Firefox.

Yesterday folks on the Software Forum helped with a fix for XP's firewall, which mysteriously was being controlled by a group policy, which was causing the on/off buttons to be disabled and preventing me from turning it off to install a better firewall.

The site with a fix for the issue also stated that many viruses can disable Window's firewall settings and recommended a thorough scan.

Norton AV updates and runs nightly and has found nothing. I ran Spybot a few days ago and though it found nothing new I noted that it was set to ignore four issues and I didn't know what action, if any, to take:

%JavaDir%\QTJava.zip ---missing shared DLL
install.exe ---wrong app path
MsoHtmEd.exe ---wrong app path
winnt32.exe ---wrong app path

I began running Read and Run Me First, but combofix created all sorts of problems - - couldn't get online, couldn't find my LAN connection, couldn't access help or system restore, appearance was strange, everything but Dell support was gone from systray, etc. I stumbled across the qoobox folder and was able to restore the registry with erdnt.exe.

I didn't know if I should attach the combofix log.

Recent strange behavior: few days ago thought I'd downloaded two Firefox extensions but could only find one of them the next day. That night I switched windows while running Spybot and a Firefox window was open and the extension I hadn't been able to find was visible and running. A second or two later the window closed. When I opened Firefox the extension again wasn't there.

Also, after combofix ran I got a message stating I'm running counterfeit Windows. It isn't counterfeit but was wondering if I should wait until current issues are resolved before revalidating with Microsoft?


Thanks for your help!

 

Okee dokee - - thanks for reply.

Starting the other steps. Will post those logs when done.

Yes, combofix had finished running. Here's that log, though wasn't sure if you still wanted it at this point.

Thanks again!!

 

Wow! I assure you, the computer was a mess and lots of things had changed when combofix was done, and erdnt.exe changed it back.

I've run AVG and it found rootkit.small AND acted strange.

I'd followed the instructions from Windows XP Cleaning Procedures yet AVG didn't want to quarantine and it didn't create a report.

I was able to override its desire to delete everything it found, so it just deleted the cookies and quarantined the other items.

There's no report, even though under 'settings' 'create a report after every scan' is selected and the checkbox is unchecked (and besides, it found bad guys).

Should I just proceed with MGtools?

Aside from cookies, this is what AVG found:

rootkit.small
Not-A-Virus.Sniffer.Win32.WpePro.a
Adware.Balloon

 

They've been moved to quarantine and AVG didn't create a log. How do I get the full path and filename info?

I haven't closed AVG, was afraid of losing info that might be there that I don't know how to get.

 

Sorry, found the info!

C:\Documents and Settings\Sam\Desktop\WpeSpy.dll
Infected with: Not-A-Virus.Sniffer.Win32.WpePro.a



C:\Documents and Settings\Sam\Desktop\WPE PRO.exe
Infected with: Not-A-Virus.Sniffer.Win32.WpePro.a

C:\WINDOWS\SYSTEM32\ascbalon.dll
Infected with: Adware.Balloon

C:\WINDOWS\SYSTEM32\ascbalo3N.dll
Infected with: Adware.Balloon

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP555\A0107668.sys
Infected with: Rootkit.Small

 

Yep. Finished just now. Unsure if I ran it correctly. Got error message type 1 and kept getting it after installing the fix and re-running each batch file - - eventually each file ran despite playing 'wack-a-mole' with the error message.

 

Yes, installed into c:\Windows\system32. Will try running again ...

 

Here's the new log from MGtools. First time around I think I hadn't installed the fix, just downloaded it ... doh!