Kiwee Toolbar Found on Machine That's Been Off for Weeks

Discussion in 'Malware Help (A Specialist Will Reply)' started by AngelsWilliam, Feb 18, 2010.

Thread Status:
Not open for further replies.
  1. AngelsWilliam

    AngelsWilliam Private First Class

    When I booted my desktop computer after it sitting dormant for at least 2 weeks, probably more, PCTools firewall came up with this message asking if some Kiwee Toolbar had permission to do something or other or something or other had permission to do something on behalf of Kiwee Toolbar. (Sorry, can't remember what it said, but I blocked it because I didn't recognize either and wasn't in the process of installing anything new, nor was my computer doing anything that would cause any such thing to ask permission...and what the hell was this Kiwee Toolbar?) After I'd blocked it, I went to Google and did research and, sure enough, found that it was spyware...of the SmileyCentral kind, no less. Goodie.

    Anyway, so I started following the READ ME AND RUN ME FIRST steps. I went to my Add and Remove Programs, and it wasn't even listed there. NOT a good sign. So, I then went to my process list and found some very unfamiliar items listed, not the least of which was bootstrapper.exe. I remembered that to be a bad, bad thing, but I Googled it just to be sure. Ummmm, yeah. Killing processes on my drive one by one when I've just installed a $90 external hard drive? I.DON'T.THINK.SO. So, I killed that process right quick, and then one by one (as I killed each new strange process), new ones started to pop up. And, they did exactly what Google said they would do. Some of the applications I tried to start closed right back down. More on that later.

    So, anyway, I've gone through all the steps and am attaching the logs. A few important notes:

    1. I know damned well that SuperAntispyware didn't get all the database definitions downloaded because I observed as many as 42 in some categories on a verrrrrry long list when downloading the definitions to another computer of mine; but when I downloaded the definitions database to this computer (even after reinstalling the program and trying to download the definitions in Safe Mode with Networking), this list was much shorter and the most in a category was 14.
    2. Whatever this is on my machine shut down MGTools almost immediately every time I started it. It did create the folder and the logs, but the window disappeared instantly. I eventually decided to reboot my machine and try to catch this...thing...off guard and run MGTools before the malware had the chance to get to the shutting-things-down point of its little game. Well, MGT got to a point where it got stuck and my tower was making a LOT of noise (this is something I've never seen MGT do before), so I opened task manager and ended the bootstrapper.exe process. MGT was still stuck, so I thought, "Well, shit, I'll just have to tell them it wouldn't run," and ended that process, too. Then, the tower stopped making all the noise, and I was, like, "OOPS." So, I rebooted my computer so bootstrapper.exe would be running again, and then restarted MGT. Then, I remembered that the folder and logs would've still been there from the last time (and it did seem to run a lot faster until it got to a certain place where it had been stuck before), so I stopped MGT again and deleted the old folder and logs, restarted my computer, and ran MGT again. This time, it ran much like it had before.
    I hope you won't get too angry with me if I did this all wrong! I'm just really nervous because this Kiwee Toolbar thing sounds really nasty, Combofix took over 1/2 hour to run, and MGT--well, let's just say I gave up and went to bed, but was EXTREMELY nervous to leave my infected computer without resident protection or firewall overnight!

    Thanks for your help! This baby remains shut down until I hear from you! Thank God I lost my job--well, not really, but...you know what I mean!
     

    Attached Files:

  2. AngelsWilliam

    AngelsWilliam Private First Class

    Aaaaand, here attacheth mine MGTools log. Thanks again.

    At least this time I know I'm not going to be pissing you off with "clean logs." :-o
     

    Attached Files:

  3. AngelsWilliam

    AngelsWilliam Private First Class

    One more thing: Combofix deleted the autorun from my external HD. Any way to get that back?

    Thanks!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I could find no traces of the Kiwee toolbar on your system. Was it the Admin. account where you found it?

    You still have some traces of AVG on your system. So let's just do this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    SecCenter::
    {8decf618-9569-4340-b34a-d78d28969b66}
    
    Driver::
    AvFlt
    Avgfwdx
    
    DeQuarantine::
    C:\Qoobox\Quarantine\G\autorun.inf.vir
    
    Quit::
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    So, what issues are you having? If your issues are on your personal account, you need to do the scans in that user account.
     
  5. AngelsWilliam

    AngelsWilliam Private First Class

    Sorry it took me so long to get back to you. I was checking the wrong e-mail address for responses. OOPS.

    Anyway, I followed your directions, and just as a Windows message came up (for the 2nd time, the 1st being before I ran CF) saying my antivirus software might be out of date, a notepad doc that took up the entire screen came up titled DeQuarantine.txt and CF disappeared from the screen.

    This is what I read this bootstrapper.exe does: It kills processes 1 by 1 on a computer. I left it running so the logs would be accurate. Last time I ran the programs, I started them immediately upon bootup before bootstrapper.exe got the chance to dig its claws in (I hoped), and CF and MGT ran all the way through. This time, tho, with all the other stuff I had to do first, I think CF got stalled by the bootstrapper. DAMMIT.

    Also, when I opened FF to tell you all this, my homepage (Google) said that the connection was lost. I tried other pages, same thing. Also of note, I am being prevented from updating Microsoft Windows and Avast setup is being interrupted in the middle of the update process.

    I don't have separate accounts on this computer like I do on my laptop. I tried to set that up on this computer, but I had trouble for some reason, so I decided not to mess with it. I know, bad me. Anyway, so...this is on the whole computer, not just one account. Kick me in the head.

    Oh, gee. Firefox just popped up that I have updates for 3 of my add-ons. Should I be shocked if they don't install all the way?

    Anyway, I've attached that text document, but all it really says is what you put under DeQuarantine:: in your instructions to me. It saved on the C:\ drive, but there was no C:\combofix.txt. I did look.

    *sigh*

    Tell me what to do next. PLEASE.

    Thank you,
     

    Attached Files:

    Last edited: Feb 24, 2010
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me the exact path to that file. In the meantime:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    AG Windows Service 
    
    File::
    C:\Program Files\AGI\common\win32\PythonService.exe
    
    Folder::
    C:\Program Files\AGI
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. AngelsWilliam

    AngelsWilliam Private First Class

    Okay, first and foremost: YOU.ARE.A.GOD.

    Now that we have that out of the way....

    After watching the end of Combofix go by (the result of your "kill all" script), I doubt I have to tell you this anymore, but...the bootstrapper.exe file was in the

    C:\Program Files\AGI\Common directory.

    Also of interest: When I put my mouse cursor over the file, the description balloon that came up said, "Kiwee Toolbar Installer by AG Interactive." So...every time my machine booted, so did this Kiwee Toolbar Installer, and it kept running as long as I didn't end the process. And if I did end the process, more unfamiliar ones would pop up in task manager. That's what made me nervous and why I contacted you.

    On to the YOU.ARE.A.GOD part of things:
    Absolutely no sign of bootstrapper.exe or any other strange processes in task manager, now. There was an issue with PC Tools Firewall being unable to initialize after CF completed and MGTools ran; but I gave restart the old college try, and everything's fine there.

    So, I'm attaching the logs for your perusal.

    Of note: Combofix restarted my computer before creating the logs; and even though I'd shut down Avast! antivirus and PC Tools Firewall before restart, they came up automatically with reboot. I shut them down as soon as I could when they started themselves. I hope that didn't affect the logs at all.

    One more question: If something on this machine does act up in the near future (like, say, the next week or 2), is that considered close enough for me to reply to this same thread, or should I start a new one? Because the instructions always say to let you know how things are going, but I've gotten in trouble in the past for not starting a new thread. Thanks!
     

    Attached Files:

    Last edited: Mar 4, 2010
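    The two posts above name the pieces of this infection (the "AG Windows Service" that the CFScript's Driver:: entry targets, the C:\Program Files\AGI folder, PythonService.exe, and bootstrapper.exe whose tooltip read "Kiwee Toolbar Installer by AG Interactive"). The following PowerShell script is an added, read-only triage check written for this page; it is not part of the thread and not ComboFix's own logic (CFScript directives such as KILLALL:: and Driver:: are ComboFix-specific and are not reproduced). It only reports whether those indicators are present, including which image path a running process actually comes from and whether a Run key points into the AGI folder, so a cleaned machine can be re-checked without re-running a removal tool. The file and service names are taken from the thread; the Run-key check is an assumption about where such an installer would also persist.

```powershell
# Added example (not from the thread): read-only triage of the indicators named above.
# Nothing here stops or deletes anything; it only reports what it finds.
$Indicators = @{
    Folder      = 'C:\Program Files\AGI'                                  # named in posts 6 and 7
    Files       = @('C:\Program Files\AGI\common\win32\PythonService.exe',  # from the CFScript
                    'C:\Program Files\AGI\Common\bootstrapper.exe')       # location given in post 7
    ServiceName = 'AG Windows Service'                                    # the CFScript's Driver:: entry
    Processes   = @('bootstrapper', 'PythonService')                      # image names without .exe
}

function Get-KiweeIndicators {
    param([hashtable]$Ind = $Indicators)
    $findings = @()

    # 1. Folder and files on disk. FileDescription is the text shown in the Explorer
    #    tooltip the poster saw ("Kiwee Toolbar Installer by AG Interactive").
    if (Test-Path -LiteralPath $Ind.Folder) {
        $findings += [pscustomobject]@{ Type='Folder'; Item=$Ind.Folder; Detail='present' }
    }
    foreach ($f in $Ind.Files) {
        if (Test-Path -LiteralPath $f) {
            $desc = (Get-Item -LiteralPath $f).VersionInfo.FileDescription
            $findings += [pscustomobject]@{ Type='File'; Item=$f; Detail=$desc }
        }
    }

    # 2. Installed service: state, start mode and the binary it launches.
    $filter = "Name='$($Ind.ServiceName)' OR DisplayName='$($Ind.ServiceName)'"
    foreach ($s in (Get-CimInstance Win32_Service -Filter $filter -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Item   = $s.Name
            Detail = "$($s.State); start=$($s.StartMode); image=$($s.PathName)"
        }
    }

    # 3. Running processes, reported with their on-disk path so a legitimate program that
    #    happens to share a name is not mistaken for the toolbar installer.
    foreach ($p in (Get-Process -Name $Ind.Processes -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Type='Process'; Item="$($p.ProcessName) (PID $($p.Id))"; Detail=$p.Path }
    }

    # 4. Machine and per-user Run keys whose command points into the AGI folder
    #    (assumed persistence location; the thread itself only shows the service).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath members
            if ("$($props.$name)" -like "*$($Ind.Folder)*") {
                $findings += [pscustomobject]@{ Type='RunKey'; Item="$k\$name"; Detail=$props.$name }
            }
        }
    }
    return $findings
}

$results = @(Get-KiweeIndicators)
if ($results.Count -eq 0) { 'No Kiwee/AGI indicators found.' } else { $results | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt after the cleanup so the HKLM and service queries are not blocked; an empty result is what a clean machine should produce, and a hit in section 3 with a path outside C:\Program Files\AGI deserves a second look before anything is removed.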
  8. AngelsWilliam

    AngelsWilliam Private First Class

    Microsoft and/or Windows updates refused to work until I had a brainstorm to click on the start button on bootup and immediately go to Microsoft update as soon as the start menu popped up. Then, it went through fine. Since then, though, I have had to update Windows Defender manually whenever there is an update. My little yellow shield doesn't come up and tell me. Also, I have set Windows Defender to always show the icon in the tray, and it won't.

    On the bright side, Windows Defender is doing its scans when it's supposed to, and everything is scanning in the background the way it's supposed to.

    So...everything seems to be working except for automatic updates and my Windows Defender prefs.

    Thanks again for your help!
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should address those issues in the software forum. Your logs are clean.

    We have no problem with anyone coming back to a thread if issues arise, but if so, after two weeks, we would expect you to download new versions of all the scanning tools and attach the new logs.

    And, you are most welcome. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  10. AngelsWilliam

    AngelsWilliam Private First Class

    What happens if I did the below steps:

    ...and Windows Defender came up with 4 instances of SafeBoot changes, asking me to permit or deny them? I had absolutely no idea, so I denied them. I am absolutely not going to do the following until you tell me whether or not I did the correct thing. I didn't think this was the kind of thing that warranted a new set of logs, particularly because I haven't had the machine on since the last exchange. Feel free to give me 10 lashes with a wet noodle if I'm wrong.

    Thanks again! :wave
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not sure what your question is. You should just go ahead and do the final clean up steps.
     
  12. AngelsWilliam

    AngelsWilliam Private First Class

    Done! Thanks for all your help. I hope to God this is the last time for a long time I'll have to bother you.
    :innocent
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem.....and good luck. :)
     