Hidden virus deactivating my Windows Firewall?

Hi.
So I made some careless mistakes in handling some viruses and now I'm not sure whether I'm still infected or not because my comp is acting suspicious.

It started yesterday, my friend sent me a virus link via Facebook without knowing. It automatically "liked" websites I didn't. I googled it and found out it was a virus. So, I ran my free Avast and it showed nothing, so I didn't think too much about it, but changed all my passwords just in case.
Fast-forward to today; going to my normal sites, suddenly uTorrent pops open and tells me I want to download torrent file "like.php" and I was all ?!? cause I always deactivate uTorrent when I'm not using it. Of course, I refused the download and shut uTorrent back off and ran Avast right away. It now came up with 5 viruses but they could not be put into my virus chest, so I deleted them. I ran another virus scan and nothing came up. I decided to look in my virus chest again and behold, a new trojan that I had never added (Windows/32 something or other), and the date was all weird so… I deleted it (totally realize now that that was probably a big mistake) ;). Ran a few more scans, nothing pops up.
About an hour later, my Windows Firewall turns itself off, so I decided to dl and run Malwarebytes. It finds 5 things and fixes them, or so I assume. It restarts my computer and, thinking I'm cured, I uninstalled it and deleted the info it gave me. :cry: Now, my Windows Firewall deactivates every 40-50 minutes and idk why. Since then, I looked everywhere, ran Avast multiple times, re-dl'd Malwarebytes and ran more scans and nada, Registry Mechanic etc. Don't have any 3rd party firewalls.

Other than what I have mentioned in the above, I have not changed any settings or dl-ed anything new.
My system is Microsoft Windows XP Media Center Edition 2002 Service Pack 3. My PC is a Hewlett-Packard Company HP Pavilion, Intel(R) Pentium(R) D CPU 3.00GHz, 2.00GB of RAM. Idk if that helps, but just in case…
I'm not really tech savvy, so if this is a stupid problem, or if I caused this problem myself, I am sorry :-[ Sorry for it being so long, and thank you for reading this, I hope someone can help me. Thanks again.

Run a boot time scan with avast.
Run MBAM again (update the definitions first) and post your logs here.
asyn

Okay,
this is the log from just now

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4284

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/07/2010 4:21:00 PM
mbam-log-2010-07-06 (16-21-00).txt

Scan type: Full scan (C:|D:|E:|F:|G:|H:|I:|J:|K:|)
Objects scanned: 319734
Time elapsed: 1 hour(s), 27 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And this was the log I thought I had previously deleted, if it matters.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4281

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/07/2010 8:15:07 PM
mbam-log-2010-07-05 (20-15-07).txt

Scan type: Full scan (C:|D:|E:|F:|G:|H:|I:|J:|K:|)
Objects scanned: 317796
Time elapsed: 1 hour(s), 53 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\0.26331626412650555.gif (Extension.Mismatch) → Quarantined and deleted successfully.


The Avast boot-time scan picked up one thing:

*RAW:C:\hp\bin\KillIt.exe PUP:Win32:KillApp-W[PUP] the severity was low


And I found the logs for the viruses I deleted:

321306156.exe Win32:Malware-gen
321306406.exe Win32:Malware-gen
321306562.exe Win32:Malware-gen
321307000.exe Win32:Malware-gen
loader.exe Win32:Cycler-I [Trj]
smss.exe Win32:Cycler-I [Trj]

Plus 4 more Win32:Malware-gen, but they appear to just be Java updates.

I also timed the firewall shutdowns, and it turns off every 70 minutes or so.

Thank you
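An added example, not part of this thread: a small Python parser for the Malwarebytes log format pasted above. It pulls out the summary counts and the individual detections, picks out the Disabled.SecurityCenter entries (the registry values that silence Security Center's warning when the firewall or antivirus is off, which is why a firewall switching itself off can go unnoticed), and gives a zero/non-zero total so a follow-up scan can be checked for being clean.

```python
import re

# Abridged copy of the earlier (July 5) Malwarebytes log posted in this
# thread, the scan that found the Security Center tampering; sample input.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\0.26331626412650555.gif (Extension.Mismatch) -> Quarantined and deleted successfully.
"""

# Summary lines such as "Registry Keys Infected: 2"; the bare section headers
# ("Registry Keys Infected:") carry no number and are not matched.
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$", re.M)
# One detection line: "<path> (<family>) -> <action>". The placeholder
# "(No malicious items detected)" contains no " (" and so never matches.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$", re.M)

def parse_summary(log):
    """Map each summary category to its count, e.g. {'Files Infected': 1}."""
    return {cat: int(n) for cat, n in SUMMARY_RE.findall(log)}

def parse_detections(log):
    """Return each detection as a dict with keys path, family and action."""
    return [m.groupdict() for m in DETECTION_RE.finditer(log)]

def security_center_tampering(log):
    """Paths of Disabled.SecurityCenter hits: values set to 1 here suppress
    the 'firewall/antivirus is off' warnings, so the user sees no alert."""
    return [d["path"] for d in parse_detections(log)
            if d["family"] == "Disabled.SecurityCenter"]

def total_infected(log):
    """Sum of all summary counts; 0 means the scan reported nothing."""
    return sum(parse_summary(log).values())
```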

There may be a sign of a bootkit.

Please download Bootkit Remover from eSage Lab to your Desktop.

This is a rar file. If you don’t have an extraction program to open it, use 7-Zip or Peazip.

  • Extract Remover to your desktop
  • Right click Remover and select Run as Administrator
  • It will show a Black screen with some data on it
  • Right click on the screen and click Select All
  • Press Ctrl+C (on keyboard) to copy the data
  • Open a notepad and press Ctrl+V to paste the data

Please copy/paste the log in the next post.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: → \\.\PhysicalDrive0
MD5: 24e6e969c5e03633165af062d524329f
\\.\D: → \\.\PhysicalDrive0
\\.\K: → \\.\PhysicalDrive5
MD5: 24e6e969c5e03633165af062d524329f

 Size  Device Name          MBR Status

298 GB \\.\PhysicalDrive0 Unknown boot code
298 GB \\.\PhysicalDrive5 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Press any key to quit…

Open Notepad and copy/paste this text without including the word code.

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive5
EXIT

Save it as fix.bat onto your desktop.

Exit Notepad and double-click on fix.bat. When it’s finished, your computer will restart automatically.

When successfully finished and restarted, run remover.exe and post a new log.

It flickered open and closed immediately. ???

Did you post the log?

Maybe I did it wrong?

I pasted this exactly, saved it to desktop as .bat

@ECHO OFF
remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive5
EXIT

but when I run it nothing really happens, it opens and closes in a split second and nothing happens…

Forgot to add START, sorry. Please open fix.bat on Notepad and put START in the second line, click save, then run the batch file again.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: → \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: → \\.\PhysicalDrive0
\\.\K: → \\.\PhysicalDrive5
MD5: 24e6e969c5e03633165af062d524329f

 Size  Device Name          MBR Status

298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
298 GB \\.\PhysicalDrive5 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Press any key to quit…

Do you have another hard drive or any other removable drives like a USB stick?

Delete the batch file off the desktop you just made and make a new one.

Open Notepad and copy/paste this code onto Notepad without copying the word “code”.

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive5
EXIT

Save it as fixme.bat onto your desktop.

Exit Notepad and double-click on fixme.bat. Once it's finished it will restart automatically again.

When it’s finished and restarted, please run remover.exe again and post a new log.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: → \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: → \\.\PhysicalDrive0
\\.\K: → \\.\PhysicalDrive5
MD5: 6def5ffcbcdbdb4082f1015625e597bd

 Size  Device Name          MBR Status

298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
298 GB \\.\PhysicalDrive5 OK (DOS/Win32 Boot code found)

Press any key to quit…

Looks good. Are you having any more problems?

The firewall is still turning off. Should I just get a different one? Or will the same thing happen?

You can get a third-party firewall like PC Tools or Comodo.

Plus you will need to keep your computer up-to-date with Secunia PSI.

Remove older versions of Java with JavaRa.

Keep your PC clean and defragged with CCleaner and Defraggler.

Okay, I'll do all of the above and report back.

Thank you for all your help, you're a lifesaver :wink:

Looks like everything is clear!

Thank You so much for everything! ;D