Topic: Win XP Repair virus

ejane
Re: Win XP Repair virus
« Reply #30 on: July 30, 2011, 01:09:51 AM »
Here's the log.

I have no problem changing AV. Should I remove AVG? Another question, what happened to the 'stuff' ESET found? I never told it to remove.

7/29/2011 9:51:19 PM
mbam-log-2011-07-29 (21-51-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 269027
Time elapsed: 56 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Corrine (Administrator)
Re: Win XP Repair virus
« Reply #31 on: July 30, 2011, 01:35:05 AM »
Hi, Jane. 

It is your choice as to whether you wish to keep AVG and update it to the latest version or switch to an alternate antivirus solution.

As to the findings by ESET, we'll take care of that with another tool after you've taken care of the antivirus.  :)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

ejane
Re: Win XP Repair virus
« Reply #32 on: July 30, 2011, 01:55:29 AM »
Okay, I guess I'll update AVG. I have AVAST on my other computers (the sick one is my dh's). If I switch AVs it will complicate things now.

Off to update.
Jane

ejane
Re: Win XP Repair virus
« Reply #33 on: July 30, 2011, 02:10:27 AM »
Updated to AVG version 10.0.1390

Should I scan with this now?

ejane
Re: Win XP Repair virus
« Reply #34 on: July 30, 2011, 03:12:05 AM »
AVG is still scanning. I see one virus listed. I am going to bed now, I'll let it finish overnight and check back with you in the morning.

Thanks,
Jane

ejane
Re: Win XP Repair virus
« Reply #35 on: July 30, 2011, 01:09:10 PM »
Good morning! AVG ran and picked up one virus and fixed it.
Windows updates automatically went in and the computer restarted. This morning, when I turned it on, there was a Flash update, which I installed. Program files show but are empty.

A bright note is no warnings about hard drive failure.

Jane

Corrine (Administrator)
Re: Win XP Repair virus
« Reply #36 on: July 30, 2011, 01:12:07 PM »
Hi, Jane.  I'll be away most of the rest of the day and busy much of tomorrow but will do my best to check your log ASAP.  Please do the following:

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.




ejane
Re: Win XP Repair virus
« Reply #37 on: July 30, 2011, 01:48:28 PM »
ComboFix Scan

ComboFix 11-07-29.03 - jane 07/30/2011  10:33:34.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1257 [GMT -4:00]
Running from: c:\documents and settings\jane\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\felix\GoToAssistDownloadHelper.exe
c:\documents and settings\jane\GoToAssistDownloadHelper.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-28 to 2011-07-30  )))))))))))))))))))))))))))))))
.
.
2011-07-30 13:54 . 2011-07-30 13:54   --------   d-----w-   c:\windows\LastGood
2011-07-30 03:06 . 2011-07-30 03:06   --------   d-----w-   c:\documents and settings\jane\Application Data\AVG10
2011-07-30 03:05 . 2011-07-30 03:05   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-07-30 03:04 . 2011-07-30 03:07   --------   d-----w-   c:\windows\system32\drivers\AVG
2011-07-30 03:04 . 2011-07-30 03:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-07-30 03:03 . 2011-07-30 03:03   --------   d-----w-   C:\$AVG
2011-07-30 02:58 . 2011-07-30 03:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-07-29 21:15 . 2011-07-29 21:15   --------   d-----w-   c:\program files\ESET
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 13:53 . 2011-06-24 03:13   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2009-10-28 05:42   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 14:02 . 2004-08-11 23:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-06-06 04:26   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2008-03-27 03:52   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-11 23:12   692736   ----a-w-   c:\windows\system32\inetcomm.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NVHotkey"="nvHotkey.dll" [2008-01-29 86016]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-04-11 56080]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="nwiz.exe" [2008-01-29 1626112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41   294912   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-11-01 05:01   10536   ----a-w-   c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42   72208   ----a-w-   c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(3).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(3).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(3).lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Microsoft Picture-.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Microsoft Picture-.lnk
backup=c:\windows\pss\Microsoft Picture-.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Picture-It Library.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Picture-It Library.lnk
backup=c:\windows\pss\Picture-It Library.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04   39792   ----a-w-   c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43   118784   ------w-   c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57   16384   -c--a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R2880]
2007-11-16 11:00   185856   ----a-w-   c:\windows\system32\spool\drivers\w32x86\3\E_FATICXA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 18:06   290088   -c--a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-01-29 21:14   81920   ----a-w-   c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoshopElements8SyncAgent]
2009-09-06 10:07   1893728   ----a-w-   c:\program files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07   2260480   ------w-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-01-01 02:14   274608   ----a-w-   c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 6:06 AM 169312]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 7:00 PM 14336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSEH
*NewlyCreated* - AVGLDX86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 167.206.251.130 167.206.251.129
FF - ProfilePath - c:\documents and settings\jane\Application Data\Mozilla\Firefox\Profiles\xvd4mjom.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-30 10:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-30  10:42:18
ComboFix-quarantined-files.txt  2011-07-30 14:42
.
Pre-Run: 102,824,648,704 bytes free
Post-Run: 102,995,574,784 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 790816EB38EF8B8D7ADC314A28582651
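
One way a helper could triage the "Reg Loading Points" section of a log like the one above, as an added example that is not code from the thread, from ComboFix or from Security Garden. The sample log lines are constructed in ComboFix's format (they are not the poster's machine), and the two flagging rules (bare file name, image outside Program Files or Windows) are this example's own assumptions, not ComboFix's logic.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log.

ComboFix lists autostarts REGEDIT4-style: a key header in [brackets],
then "name"="command" [date size] lines, with lone dots between sections.
This example parses those lines and pairs the entries worth a second look
with the reason, so the helper reads the flagged ones first.
"""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's format: several ordinary vendor entries
# plus one made-up "Updater" entry running from a user's Temp directory.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NVHotkey"="nvHotkey.dll" [2008-01-29 86016]
"nwiz"="nwiz.exe" [2008-01-29 1626112]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"Updater"="c:\documents and settings\jane\Local Settings\Temp\svchost.exe" [2011-07-28 61440]
.
"""


@dataclass(frozen=True)
class AutostartEntry:
    key: str      # registry key the entry was listed under
    name: str     # value name
    command: str  # image path or bare file name, as ComboFix recorded it
    date: str     # file date ComboFix reported
    size: int     # file size in bytes


# Assumption of this example: autostarts under these roots are "expected";
# everything else gets flagged for the helper to look at.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"(?P<command>[^"]*)"\s*'
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]"
)


def parse_loading_points(text):
    """Return the quoted "name"="command" [date size] entries, in log order.

    Only the quoted form is parsed; ComboFix's startupfolder blocks use
    path=/backup= lines and are deliberately skipped here.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # blank lines and the lone-dot separators
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = _ENTRY_RE.match(line)
        if entry_match and current_key is not None:
            entries.append(AutostartEntry(
                key=current_key,
                name=entry_match.group("name"),
                command=entry_match.group("command"),
                date=entry_match.group("date"),
                size=int(entry_match.group("size")),
            ))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for entries that deserve a closer look."""
    findings = []
    for entry in entries:
        cmd = entry.command.lower()
        if "\\" not in cmd:
            # A bare file name is resolved by path search at logon, so the
            # log line alone does not tell you which file actually runs.
            findings.append((entry, "bare file name, location not fixed"))
        elif not cmd.startswith(TRUSTED_PREFIXES):
            findings.append((entry, "runs from outside Program Files / Windows"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{entry.name:<24} {entry.command}\n    -> {reason}")
```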

Corrine (Administrator)
Re: Win XP Repair virus
« Reply #38 on: July 30, 2011, 02:18:50 PM »
Hi, Jane.

I'm slipping in between events!  Please let us know in your next reply if your files are accessible now.

You have an outdated, vulnerable version of Adobe Reader installed.   Install the latest version of Adobe Reader from http://www.adobe.com/products/reader/

Next we'll take care of what ESET found in the scan:

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
Firefox::
FF - ProfilePath - c:\documents and settings\jane\Application Data\Mozilla\Firefox\Profiles\xvd4mjom.default\
FF - C:\Documents and Settings\felix\Local Settings\Application Data\Mozilla\Firefox\Profiles\e5kfsihl.default\Cache\7EAF09E1d01   

File::
C:\Documents and Settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




ejane
Re: Win XP Repair virus
« Reply #39 on: July 30, 2011, 03:24:05 PM »
Running the scan, but I want to comment that ZA keeps popping up asking for permission to let various things reach the internet. It keeps stopping the scan. I have 'allowed' but don't know if it is safe to. I copied down one item: pev.cfxxe

I'll post the log when finished.

Jane

ejane
Re: Win XP Repair virus
« Reply #40 on: July 30, 2011, 03:42:23 PM »
Here's the scan. It took so long because of ZA (see above), and then AVG started up again and kept sending warnings of various viruses. I told it to ignore them.

ComboFix 11-07-29.03 - jane 07/30/2011  11:33:50.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -4:00]
Running from: c:\documents and settings\jane\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jane\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-28 to 2011-07-30  )))))))))))))))))))))))))))))))
.
.
2011-07-30 13:54 . 2011-07-30 13:54   --------   d-----w-   c:\windows\LastGood
2011-07-30 03:06 . 2011-07-30 03:06   --------   d-----w-   c:\documents and settings\jane\Application Data\AVG10
2011-07-30 03:05 . 2011-07-30 03:05   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
2011-07-30 03:04 . 2011-07-30 03:07   --------   d-----w-   c:\windows\system32\drivers\AVG
2011-07-30 03:04 . 2011-07-30 03:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
2011-07-30 03:03 . 2011-07-30 03:03   --------   d-----w-   C:\$AVG
2011-07-30 02:58 . 2011-07-30 03:06   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
2011-07-29 21:15 . 2011-07-29 21:15   --------   d-----w-   c:\program files\ESET
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-30 13:53 . 2011-06-24 03:13   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2009-10-28 05:42   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 14:02 . 2004-08-11 23:00   1858944   ----a-w-   c:\windows\system32\win32k.sys
2011-05-04 08:52 . 2010-06-06 04:26   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2008-03-27 03:52   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2004-08-11 23:12   692736   ----a-w-   c:\windows\system32\inetcomm.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-07-30_14.38.50   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-30 15:25 . 2011-07-30 15:25   2295808              c:\windows\Installer\5438d6.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NVHotkey"="nvHotkey.dll" [2008-01-29 86016]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-04-11 56080]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"nwiz"="nwiz.exe" [2008-01-29 1626112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41   294912   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-11-01 05:01   10536   ----a-w-   c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42   72208   ----a-w-   c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check(3).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(3).lnk
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check(3).lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Microsoft Picture-.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Microsoft Picture-.lnk
backup=c:\windows\pss\Microsoft Picture-.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^felix^Start Menu^Programs^Startup^Picture-It Library.lnk]
path=c:\documents and settings\felix\Start Menu\Programs\Startup\Picture-It Library.lnk
backup=c:\windows\pss\Picture-It Library.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43   118784   ------w-   c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57   16384   -c--a-w-   c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R2880]
2007-11-16 11:00   185856   ----a-w-   c:\windows\system32\spool\drivers\w32x86\3\E_FATICXA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 18:06   290088   -c--a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-01-29 21:14   81920   ----a-w-   c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoshopElements8SyncAgent]
2009-09-06 10:07   1893728   ----a-w-   c:\program files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07   2260480   ------w-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-01-01 02:14   274608   ----a-w-   c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 8:13 AM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 4:03 PM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 9:28 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 7:53 AM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 7:53 AM 27216]
S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 6:06 AM 169312]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/11/2004 7:00 PM 14336]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [12/18/2009 12:13 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [12/18/2009 12:12 PM 174720]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGIDSEH
*NewlyCreated* - AVGLDX86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
nosGetPlusHelper   REG_MULTI_SZ      nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-07-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-06-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3968902737-363820220-2249651152-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 167.206.251.130 167.206.251.129
FF - ProfilePath - c:\documents and settings\jane\Application Data\Mozilla\Firefox\Profiles\xvd4mjom.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-30 12:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-07-30  12:38:14
ComboFix-quarantined-files.txt  2011-07-30 16:38
ComboFix2.txt  2011-07-30 14:42
.
Pre-Run: 102,709,239,808 bytes free
Post-Run: 102,677,151,744 bytes free
.
- - End Of File - - C4FE8BB3C97BFB185D552D7BE79CEA27

Jane

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14546
  • "Stronger than the past, united in our goal."
Re: Win XP Repair virus
« Reply #41 on: July 30, 2011, 10:32:55 PM »
Hi, Jane.  Sorry I wasn't here to reassure you and suggest that you disable Zone Alarm while scanning with ComboFix.  The file ZA was warning you about is a legitimate file that is part of the intricate workings of ComboFix.

If you aren't seeing the contents of Program Files, delete the copy of Unhide.exe you previously obtained and download a fresh copy in case the infection interfered. 

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. 

This program will remove the +H, or hidden, attribute from all the files on your hard drives.  It is important to note that if there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

How is your computer now? 

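The post above explains that Unhide.exe strips the +H (hidden) attribute that this rogue sets on the user's files. The PowerShell script below is an added example of the same recovery step, not the forum's Unhide.exe or anything from the thread: it clears only the Hidden bit, skips files Windows itself marks System+Hidden (desktop.ini, ntuser.dat and the like), supports a dry run, and writes an undo list so anything the owner hid on purpose can be re-hidden afterwards. The -Root default, the undo-list path and the -DryRun switch are assumptions for illustration.

```powershell
# Added example: clear the Hidden attribute set by an "XP Repair" style rogue.
# Assumed parameters: -Root (start folder), -UndoList (log path), -DryRun (report only).
param(
    [string]$Root = "$env:SystemDrive\Documents and Settings",   # assumption: XP profile root
    [string]$UndoList = "$env:USERPROFILE\Desktop\unhide-undo.txt",
    [switch]$DryRun
)

$hidden = [int][IO.FileAttributes]::Hidden
$system = [int][IO.FileAttributes]::System
$changed = New-Object System.Collections.Generic.List[string]

# -Force is required, otherwise Get-ChildItem never returns hidden items at all.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $attrs = [int]$_.Attributes

        # Only hidden items are of interest.
        if (($attrs -band $hidden) -eq 0) { return }

        # The rogue sets +H only; entries that are also +S are normally Windows' own
        # (desktop.ini, ntuser.dat, ...) and are left exactly as they are.
        if (($attrs -band $system) -ne 0) { return }

        if ($DryRun) {
            Write-Host "Would unhide: $($_.FullName)"
        } else {
            # Clear just the Hidden bit; ReadOnly, Archive, Directory etc. are kept.
            $_.Attributes = [IO.FileAttributes]($attrs -band (-bnot $hidden))
            $changed.Add($_.FullName)
        }
    }

if (-not $DryRun) {
    # One full path per line. To re-hide a file the owner hid deliberately:
    #   attrib +h "<path from this list>"
    $changed | Set-Content -LiteralPath $UndoList
    Write-Host ("Unhid {0} items; undo list written to {1}" -f $changed.Count, $UndoList)
}
```

Run it first with -DryRun to see what would change; note that the rogue also tends to disable real-time protection, so the log written here is the only record of what was touched.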

Offline ejane

  • Full Member
  • ***
  • Posts: 41
Re: Win XP Repair virus
« Reply #42 on: July 31, 2011, 12:08:38 AM »
Please don't apologize, you should be enjoying your weekend!

A few things I need to explain. This computer (my husband's) has 2 log-ons - mine and his. Everything I have done to this point was through my log-on. I couldn't do anything through his name because I kept getting popups stating 'hard-drive failure, critical failure, etc.' It kept running a scan and I couldn't do a thing to stop it. When I logged on under my name I didn't have that happening. The folders were empty but I could open IE and follow your directions. As of now, some folders say 'empty' but others, like My Pics and Docs, have folders and files. Program Files still shows as empty but I can get to them through My Computer and opening them there. So something has worked.

I just got home and tried to log on under his name and the screen is blank except for the Start button - no icons. When I open Start, IE is there but says 'Internet Explorer without add-ons.' I clicked on it and got Cannot Display Page. I noticed the address bar had a Firefox address in it, not IE. Very weird. I am connected to the internet and can get on through my log-on but not his.

AVG started scanning and I will let it finish. I will then log off his name and log on myself and follow your directions.

I'm starting to feel hopeless about this infection.

Jane

Offline ejane

  • Full Member
  • ***
  • Posts: 41
Re: Win XP Repair virus
« Reply #43 on: July 31, 2011, 12:46:45 AM »
Sorry to post again, just wanted to update. I am able to connect to a website by typing the address in the address bar. When I open IE I get 'cannot display page' but a FF address is in the address bar. I delete it and can type in this address and get here. I don't know why FF shows in the IE address bar, but it does, and it doesn't go anywhere.

AVG finished and said it didn't find anything. I think I'll try typing Mozilla in the address bar and downloading it. I'll wait until I hear back.

Jane

Offline ejane

  • Full Member
  • ***
  • Posts: 41
Re: Win XP Repair virus
« Reply #44 on: July 31, 2011, 01:56:07 PM »
Can't seem to get Unhide to work under my husband's log-on. The screen just sits blinking. His folders are all empty. I can only shut off AVG for 15 mins at a time. Please advise.

Thanks,
Jane