infected cleaned with your process But won't boot??

no now i can't boot .. only in safe mode: what do i should i do? when i try a regular boot i get to personal settings loading then i get windows desktop image but no icons and hour glass disappears and the hdd light is steady (lit up) but after 12 minutes still no icons??
i had following errors when booted in safe mode..
Bingbar\7.1.360 muex\7.1.360\BingBarSetup-partner
and after sending mail from outlook..[shell Notify icon] failed to perform desired action.

 

i can't find the log for super spy. can u tell me where is and what its called. oh yea they're in notepad.i'll access and upload

 

here are the missing two files. i hope you can help. i may get a new hd as this one is major messed up.
thank you for any help and advice

 

Hello ericbg,

There's not any malware in these logs but you still need to attach C:\MGlogs.zip (from running MGtools.exe)

Also tell me what problems remain. Constant hard drive activity is not necessarily a symptom of malware. Usually it's a sign of hard drive corruption / failure or you simply running too many applications at once.

 

now i'm booting quicker: fastest yet:but my ftm (family tree maker) seems to be a little messed up. will check later today .. have an appointment soon. thanks for your reply.
my hdd is messed up/corrupt. i seem to have two desktops .. one in root then one in docs and settings .. don't know if this is normal?
Eric
will send mgtools scan later today.

 

here's the mgclogs.zip file. i hope that this proves useful.
thanks for any help,
Eric

 

here are the other files .. i downloaded mgtools and ran again but it didn't create the MGlogs.zip.

thanks for all your help. should i set a restore point now?

 

Not sure what you mean but your logs look fine. I don't see any desktop folders in the root of C: - which is good.

You have some very light traces of malware.
Do you know what this is file is for? C:\bst2E.tmp

You can answer after you complete the below set of instructions

__________

http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

__

http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]File::[/COLOR]
C:\Documents and Settings\Eric\Local Settings\temp\BIT4CF.tmp
C:\Documents and Settings\Eric\Local Settings\temp\BIT2.tmp
[COLOR="DarkRed"]FileLook::[/COLOR]
C:\bst2E.tmp
[COLOR="DarkRed"]Folder::[/COLOR]
C:\Documents and Settings\All Users\Application Data\{484395D8-1F9B-4C71-9DA9-A64CBD0E8DE2}
C:\Documents and Settings\All Users\Uniblue
C:\Documents and Settings\Eric\Local Settings\temp\BE5BA47218A64BA9BE144747CC598F62
C:\Documents and Settings\Eric\Local Settings\temp\DFBB64AD3FA746A18571EFA59C541DDC
[COLOR="DarkRed"]Registry::[/COLOR]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1F096B29-E9DA-4D64-8D63-936BE7762CC5}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{c99fdc39-a1ae-4b24-8d71-e5274f8d7c54}]

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

don't know what that temp file u said i have is bst2E.tmp. i see it's pretty big.
here are my scan files.
during one scan most of my Family Tree maker files were deleted .. does that mean whatever i had infected them all or ancestry.com sent me a family tree file of one of my descendant trees was it infected? should i not run FTM?

 

That was my fault. They are fine. Follow these steps to restore those files.

http://img194.imageshack.us/img194/4930/combofix.gif Dequarantine using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{484395D8-1F9B-4C71-9DA9-A64CBD0E8DE2}
Quit::

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\DeQuarantine.txt
Attach this log to your next message. (How to attach)

 

here's the file and thanks. when i just loaded Chrome it wouldn't connect so i de selected settings>predict. and now i have a connection as you can tell.
i'm off to bed now.
Eric

 

Good job.
The rest of your logs are clean.
If you are still having a malware related issue, let me know - otherwise, you may proceed with the below:

__

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

 

thanks for all of your help!
but ... i can't run the code to uninstall Combofix. most likely 'cause i have a couple of Desktops. one where it should be .. another under docs and settings in folder housecalls6.6 and a blank one in docs and settings.
i guess now is the time to format my drive and start with a clean new one.
off hand do you know a program that will spit out my serial numbers of installed software?
Eric thanks so much for all of your help!

 

yes, i know., but u may have overlooked part of one of my posts saying I have Two DESKTOP folders. one where it should be the other in docs and settings which i can't delete 'cause it says its a system file. i don't know how it got there or how to remove it other than formatting disk.
any suggestions?

 

ok, i didn't want to start an argument i was just making a statement that i thought might help .. i guess i didn't look at the code carefully.
so, i tried to uninstall combofix.exe from the desktop but when i click o.k.an error window comes up saying "can't find the file in Docs and settings even though i didn't copy that path into run.??:confused
so what now?

 

thank you.
i didn't put the combo.exe in the above folder ..it just went there. it seems i have a mirrored desktop.
i tried with the command to uninstall combo fix from desktop but it says that it can't find the file in doc and settings even though that's not the path i used!:confused! there is a file combofix in the docs and settings (C:\Documents and Settings\Eric\.housecall6.6\Desktop) desktop folder. i'm stymied as to what to do??

 

Hi,

I attached a .zip file to my post: uninstall.zip

• Inside of it is uninstall.bat
• Copy/extract uninstall.bat into whichever folder ComboFix.exe is in
• Then double-click uninstall.bat to run the batch (.bat) file.
• This should launch ComboFix (acts like it wants to run), but it will uninstall ComboFix instead.

 

alllright! at last i unzipped and ran uninstall ..something flashed by in a fraction of a second but Combofix was still there. restarted xp then right clicked combofix in housecalls6.6 folder saw terminate listed in drop down .clicked it and it uninstalled both combofixes from both desktops.
do you know how i can now uninstall the desktop from the folder housecalls?
thanks for your tenacity and solving this issue.
ericbg

 

Double-check that uninstall.bat and ComboFix.exe are in the SAME folder/directory.

If they are in the same directory, both ComboFix and a dos command prompt will launch.

 

here's the file i was requested to send a few days ago by chaslang.

 

Ran the script again and it gives back a blank txt file. perhaps something more major is going on?
Ericbg

 

i am trying to run it. but nothing happens. with the new file it captured the contents and here's the file. btw i didn't create or the file by copying and pasting. i now hope we can get some where.

 

ok it worked But i didn't see all of your message until after i renamed doc desktop to desktop1 then moved desktop to that folder. omg did i mess things up? i'm in to much of a rush.

 

Not sure if you messed up anything or not without a new set of logs but were you ever able to place both ComboFix.exe and uninstall.bat in the same directory/folder?

 

yup, and it got rid of ComboFix by right clicked icon and selecting terminate.

 

You may like Jalapeno Keyfinder or Magical Jelly Bean Keyfinder
If there are no other issues.. surf safely!

 

Thank you.
now it seems to boot for 13-14 minutes before i can open an application.
Should i start a new thread and scans?:cry

 

I do not see the point in doing that since your latest logs were clean.

It sounds like you have an intermittent hardware problem to me.

We have a couple of forums that would be better suited with your remaining issues: Hardware and/or Software.

Good luck