Topic: Please help, virus won't allow me to run some exe files


Offline Corrine

Re: Please help, virus won't allow me to run some exe files
« Reply #30 on: November 22, 2008, 12:05:29 AM »
Hi, trooper.

I believe that the best option to take at this point is to reinstall System Restore.  I have checked the instructions presented at a number of sites but found the best are at the first place I went (as did Winchester73).  Bert Kinney is a Microsoft MVP and a respected expert.  His instructions are clear and the most complete.  (Note, in particular, that there are multiple locations provided for the needed i386 folder.)

It appears that the easiest method is to type or paste the command (rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf) into the Start/Run box and press Enter.  Since you have SP3 installed, you should have either the i386 folder or the C:\Windows\ServicePackFiles\i386 folder mentioned in the list Bert provided.

See How to Reinstall System Restore in Windows XP by Bert Kinney and let us know the results.

Notes:
  • You should log on to the Administrator account to perform this.
  • You may need to show hidden folders.
    1.  Click Start > My Computer.
    2.  On the Tools menu, click Folder Options.
    3.  Click the View tab.
    4.  Locate and uncheck Hide file extensions for known file types.
    5.  Locate and uncheck Hide protected operating system files. 
    6.  Under the Hidden files folder, locate and check Show hidden files and folders.
    7.  If you see a warning message, click Yes.
    8.  Click Apply > OK.

Please let us know if you have any questions.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline winchester73

Re: Please help, virus won't allow me to run some exe files
« Reply #31 on: November 22, 2008, 12:19:54 AM »
This is a disturbing trend ... malware disabling System Restore ...  :(
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline R-C

Re: Please help, virus won't allow me to run some exe files
« Reply #32 on: November 22, 2008, 05:04:47 AM »
Hey Corrine and Winchester73, on my case with the System Restore disabled I have a Malwarebytes log.  There were some infections, but they do not look serious.  Instead of putting that in here I will PM it to Corrine; then we can decide if this same step should be next for her also, the reinstalling of System Restore.

Yes, winchester, it is extremely disturbing, especially since they have no idea that it is turned off till they try to use it.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline trooper

Re: Please help, virus won't allow me to run some exe files
« Reply #33 on: November 22, 2008, 10:57:49 AM »
System Restore is now reinstalled and working properly.  When I was reinstalling, after running the command line you gave me, I received this request:
SRFRAME.MMF file needed on Xp Home Edition CD.  I found that file in the Windows\I386 folder.  It then reinstalled with no problems. 

This is what the System Restore Properties had before reinstallation:

Path to Executable:
\SystemRoot\C:\Windows\System32\SvcHost.exe -k netsvcs

Error when trying to Start the service:
Could not Start the System Restore Service service on Local Computer.
Error 123: The filename, directory name, or volume label syntax is incorrect.

After reinstalling System Restore:
Path to Executable:
C:WINDOWS\System32\svchost.exe -k netsvcs

Is there anything else I need to run to see if my machine is now virus free?

thanks,

Offline Corrine

Re: Please help, virus won't allow me to run some exe files
« Reply #34 on: November 22, 2008, 12:12:52 PM »
Quote from: R-C
Hey Corrine and Winchester73, on my case with the System Restore disabled I have a Malwarebytes log.  There were some infections, but they do not look serious.  Instead of putting that in here I will PM it to Corrine; then we can decide if this same step should be next for her also, the reinstalling of System Restore.

Yes, winchester, it is extremely disturbing, especially since they have no idea that it is turned off till they try to use it.

Hi, R-C.  I'll take a look at the thread at GardenWeb rather than confuse trooper's thread here.  Thanks.

~~~~~~~~~~~~~~~

Hi, trooper.

We saw the following from your logs and knew something was up, but didn't know if it was a false entry created by the trojans (i.e., System Restore was still there but this was a fake entry that had been created) or if the trojan made this change to prevent restoring to a previous point as a means of removal.  Thus, we needed you to check first that SR hadn't merely been turned off.

O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

Now that System Restore is working again, please log on to the administrator account and run ComboFix as indicated below.

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
Extra::
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Offline trooper

Re: Please help, virus won't allow me to run some exe files
« Reply #35 on: November 22, 2008, 12:25:30 PM »
Hi Corrine,

As info, I tried using System Restore on the 17th after my machine was infected.  It would open it, but all the restore points were gone from Sept to the Present.  If I am an administrator on the machine, can I run the script from my account?

thanks,

Offline trooper

Re: Please help, virus won't allow me to run some exe files
« Reply #36 on: November 22, 2008, 01:23:25 PM »
Combo Fix Log:

ComboFix 08-11-18.02 - Owner 2008-11-22 10:07:01.3 - NTFSx86

Running from: c:\documents and settings\Owner\Desktop\combofix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.

(((((((((((((((((((((((((   Files Created from 2008-10-22 to 2008-11-22  )))))))))))))))))))))))))))))))
.

2008-11-22 07:43 . 2008-11-22 07:43   439,012   --a------   C:\after-sr.bmp
2008-11-22 07:42 . 2008-11-22 07:42   674,864   --a------   C:\before-sr.bmp
2008-11-21 09:10 . 2008-11-21 09:10   <DIR>   d--------   c:\program files\Sunbelt Software
2008-11-21 09:10 . 2008-10-31 07:09   270,888   -ra------   c:\windows\system32\drivers\SbFw.sys
2008-11-21 09:10 . 2008-06-21 04:54   65,576   --a------   c:\windows\system32\drivers\SbFwIm.sys
2008-11-21 09:06 . 2008-11-21 09:06   <DIR>   d--------   c:\program files\Avira
2008-11-21 09:06 . 2008-11-21 09:06   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2008-11-21 06:48 . 2008-11-21 06:48   6,000,608   --a------   c:\temp\sunbelt-personal-firewall.exe
2008-11-21 06:45 . 2008-11-21 06:46   25,129,080   --a------   c:\temp\antivir_workstation_winu_en_h.exe
2008-11-20 08:58 . 2008-11-20 17:56   <DIR>   d--------   c:\program files\EsetOnlineScanner
2008-11-19 17:56 . 2008-11-19 17:56   <DIR>   d--------   c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-18 13:24 . 2008-11-18 13:24   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-11-18 13:24 . 2008-11-18 13:24   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 13:24 . 2008-10-22 16:27   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 13:24 . 2008-10-22 16:27   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-11-18 12:15 . 2004-01-26 08:10   <DIR>   d--------   c:\documents and settings\Administrator\WINDOWS
2008-11-18 12:15 . 2004-01-27 05:21   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Symantec
2008-11-18 12:15 . 2004-01-26 07:28   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Sonic
2008-11-18 12:15 . 2004-01-26 08:49   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\SampleView
2008-11-18 12:15 . 2004-01-27 05:26   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\interMute
2008-11-18 12:15 . 2008-11-21 09:01   <DIR>   d--------   c:\documents and settings\Administrator
2008-11-18 07:38 . 2008-11-20 08:55   <DIR>   d--------   C:\HiJack
2008-11-18 07:08 . 2008-11-18 07:07   410,976   --a------   c:\windows\system32\deploytk.dll
2008-11-18 07:08 . 2008-11-18 07:07   73,728   --a------   c:\windows\system32\javacpl.cpl
2008-11-17 15:53 . 2008-11-17 15:53   <DIR>   d--------   C:\rsit
2008-11-17 15:53 . 2008-11-17 15:53   <DIR>   d--------   c:\program files\trend micro
2008-11-17 14:45 . 2008-11-17 14:43   9,830   --a------   c:\temp\exefix.reg
2008-11-17 14:11 . 2008-11-17 14:08   2,373,088   --a------   c:\temp\mb.exe
2008-11-17 14:02 . 2008-08-20 12:46   6,467,096   --a------   c:\temp\SUPERAntiSpyware.exe
2008-11-11 14:52 . 2008-11-11 14:58   <DIR>   d--------   c:\temp\Microsoft - Other hardware - HID Non-User Input Data Filter
2008-11-11 12:45 . 2008-11-11 12:56   278,927,592   --a------   c:\temp\WindowsXP-KB835935-SP2-ENU.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 14:01   ---------   d-----w   c:\documents and settings\Owner\Application Data\AVG7
2008-11-21 14:01   ---------   d-----w   c:\documents and settings\All Users\Application Data\Grisoft
2008-11-21 14:01   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg7
2008-11-19 16:10   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-11-18 18:26   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2008-11-18 18:26   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 12:07   ---------   d-----w   c:\program files\Java
2008-10-12 11:38   ---------   d-----w   c:\program files\Big Kahuna Reef
2008-10-04 17:55   ---------   d-----w   c:\documents and settings\Owner\Application Data\iWin
2008-10-04 17:52   ---------   d-----w   c:\program files\Best Buy Games
2008-10-04 17:29   ---------   d-----w   c:\documents and settings\Owner\Application Data\MysteryStudio
2008-10-01 13:41   ---------   d-----w   c:\documents and settings\Owner\Application Data\Ancient Quest of Saqqarah_msn
2002-08-15 16:54   3,198,976   ----a-w   c:\program files\ViewSonicregistration.exe
2005-01-06 13:20   0   --sha-w   c:\windows\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-11-19_17.29.16.87   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-21 14:10:31   18,718   ----a-r   c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\ARPPRODUCTICON.exe
+ 2008-11-21 14:10:31   18,718   ----a-r   c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\NewShortcut1_E659E0EE10E649B7869660F38D0EB174.exe
+ 2008-11-21 14:10:31   57,344   ----a-r   c:\windows\Installer\{82B1150E-9B37-49FC-83EB-D52197D900D0}\NewShortcut4_C665E66BE8EF49DBB30B81BB5E60462C.exe
+ 2008-04-14 09:42:34   380,416   -c--a-w   c:\windows\system32\dllcache\rstrui.exe
+ 2008-04-14 04:06:54   73,472   -c--a-w   c:\windows\system32\dllcache\sr.sys
+ 2008-04-14 09:42:08   67,584   -c--a-w   c:\windows\system32\dllcache\srclient.dll
+ 2008-04-14 09:42:08   239,104   -c--a-w   c:\windows\system32\dllcache\srrstr.dll
+ 2008-04-14 09:42:08   171,008   -c--a-w   c:\windows\system32\dllcache\srsvc.dll
+ 2008-05-09 18:15:51   45,376   ----a-w   c:\windows\system32\drivers\avgntdd.sys
+ 2008-01-21 23:11:28   22,336   ----a-w   c:\windows\system32\drivers\avgntmgr.sys
+ 2008-11-21 14:09:02   75,072   ----a-w   c:\windows\system32\drivers\avipbb.sys
+ 2008-06-21 09:54:54   66,600   ----a-r   c:\windows\system32\drivers\sbhips.sys
+ 2007-03-01 15:34:22   28,352   ----a-w   c:\windows\system32\drivers\ssmdrv.sys
+ 2007-07-27 19:49:02   196,683   ----a-w   c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 19:49:02   225,355   ----a-w   c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 00:25:22   139,264   ----a-w   c:\windows\system32\lnod32umc.dll
+ 2005-12-05 17:37:10   106,496   ----a-w   c:\windows\system32\lnod32upd.dll
+ 2008-02-11 14:39:26   253,952   ----a-w   c:\windows\system32\OnlineScannerDLLA.dll
+ 2008-02-11 14:39:18   237,568   ----a-w   c:\windows\system32\OnlineScannerDLLW.dll
+ 2008-02-08 18:53:46   110,592   ----a-w   c:\windows\system32\OnlineScannerLang.dll
+ 2008-02-05 13:48:04   77,824   ----a-w   c:\windows\system32\OnlineScannerUninstaller.exe
+ 2008-11-22 12:14:16   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_5b8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-15 188416]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-10-16 151552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\fuzz\EuShlExt.dll" [2002-09-30 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk
backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=c:\windows\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a------ 2005-04-10 10:20 159744 c:\progra~1\COMPAQ~2\Presario\XPHNARP4EN\plugin\bin\PCHButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
--a------ 2008-02-22 09:33 72192 c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-02-25 04:33 127037 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 14:49 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 06:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2003-09-05 23:35 40960 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 22:02 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
--a------ 2006-01-09 17:04 36864 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-05-09 15:32 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 04:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ovt Wia]
--a------ 2008-01-28 08:53 36864 c:\windows\OV550EM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2003-09-05 23:16 57393 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-06-16 16:35 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 02:31 118784 c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2003-10-29 10:17 135168 c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-21 06:09 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-06-04 06:48 146432 c:\program files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 11:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2003-04-03 23:35 50176 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 20:52 40960 c:\windows\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 15:50 921600 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"Fax"=3 (0x3)
"PhotoshopElementsDeviceConnect"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a53be00-6082-11dd-b5a5-000ea698e879}]
\Shell\AutoRun\command - h:\wd_windows_tools\Setup.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2b2rd7m2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\WmiApSrv]
"ImagePath"=""
.
Completion time: 2008-11-22 10:14:00
ComboFix-quarantined-files.txt  2008-11-22 15:13:51
ComboFix2.txt  2008-11-22 14:53:49
ComboFix3.txt  2008-11-19 22:29:41

Pre-Run: 87,287,607,296 bytes free
Post-Run: 87,271,198,720 bytes free

234


thanks,

Offline Corrine

Re: Please help, virus won't allow me to run some exe files
« Reply #37 on: November 22, 2008, 01:58:05 PM »
Hi, trooper. 

It does not appear that you were logged on as Administrator when you ran ComboFix. 

Quote
please note that you need administrator rights to perform deep scan

What was to be copied from the "code box" is Extra::.  It appears the last run was only with the two colons. 

I would like to see this file:  ComboFix-quarantined-files.txt  2008-11-22 15:13:51

Thanks.



Offline trooper

Re: Please help, virus won't allow me to run some exe files
« Reply #38 on: November 22, 2008, 02:52:34 PM »
I am running XP Home Edition and my account shows "computer administrator".  I can only log on to the built-in administrator account in Safe Mode.  Do you want me to run ComboFix in Safe Mode?
Here is the file you requested:

2006-01-09 20:38:30 A-------        29,184 C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
2007-03-17 12:21:30 A-------         1,467 C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2008-11-17 10:22:03 A-------           527 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSosvd.dat.vir
2008-11-17 10:22:08 A-------         2,351 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSfxmp.dll.vir
2008-11-17 10:22:08 A-------         7,197 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSStkdv.log.vir
2008-11-19 17:10:19 A-------           286 C:\Qoobox\Quarantine\catchme.log
2008-11-19 17:11:29 A-------         1,123 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSSERV.SYS.reg.dat
2008-11-19 17:21:05 A-------         7,009 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-19 17:21:46 A-------         1,078 C:\Qoobox\Quarantine\Registry_backups\Legacy_ISODRIVE.reg.dat
2008-11-19 17:21:47 A-------           886 C:\Qoobox\Quarantine\Registry_backups\Legacy_IWINGAMESINSTALLER.reg.dat
2008-11-19 17:21:47 A-------         2,930 C:\Qoobox\Quarantine\Registry_backups\Service_iWinGamesInstaller.reg.dat
2008-11-19 17:21:47 A-------         3,338 C:\Qoobox\Quarantine\Registry_backups\Service_ISODrive.reg.dat
2008-11-19 17:29:17 A-------             2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-19 17:29:17 A-------             2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-19 17:29:17 A-------             2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-19 17:29:23 A-------           276 C:\Qoobox\Quarantine\Registry_backups\Notify-AtiExtEvent.reg.dat
2008-11-19 17:29:23 A-------           512 C:\Qoobox\Quarantine\Registry_backups\Notify-vtutstt.reg.dat
2008-11-19 17:29:24 A-------           546 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ITPIPSetup.reg.dat
2008-11-19 17:29:24 A-------           596 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-autoupdatev2.reg.dat
2008-11-19 17:29:24 A-------           600 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ExploreUpdSched.reg.dat
2008-11-19 17:29:24 A-------           602 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-{ED-D7-75-52-ZN}.reg.dat
2008-11-19 17:29:24 A-------           626 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ATI Launchpad.reg.dat
2008-11-19 17:29:24 A-------           630 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SunJavaUpdateSched.reg.dat
2008-11-19 17:29:24 A-------           658 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RoxioAudioCentral.reg.dat
2008-11-19 17:29:24 A-------           660 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RoxioEngineUtility.reg.dat
2008-11-19 17:29:24 A-------           662 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-RoxioDragToDisc.reg.dat

thanks,

Offline Corrine

Re: Please help, virus won't allow me to run some exe files
« Reply #39 on: November 22, 2008, 04:08:44 PM »
Hi, trooper. 

Thank you.  This is fine.

If you haven't, please create a new system restore point. 

Please do the following
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK.  Note the space between the X and the U; it needs to be there.


Having a firewall, anti-virus and anti-malware software is not enough.  You also need to stay current with security updates.  If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now.  For additional information, see my blog post Understanding Microsoft Updates.

To check if your system is missing security updates or has insecure applications installed, visit http://secunia.com/software_inspector/.  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html

Please confirm that your computer is back to "normal" and let me know if you have any questions.



Offline trooper

Re: Please help, virus won't allow me to run some exe files
« Reply #40 on: November 22, 2008, 05:05:19 PM »
Hi Corrine,

I created a restore point and uninstalled combofix.  Question:  Will the antivirus, malware and spyware conflict with each other???

Looks like my machine is back running normal again.  Thank Goodness and thanks for your help and all the others that assisted. It was truly a learning experience for me.  You are the BEST!!!!

thanks,

trooper

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19332
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Please help, virus won't allow me to run some exe files
« Reply #41 on: November 22, 2008, 05:51:57 PM »
Hi, trooper. If this response doesn't answer your questions, please let me know. 

By "spyware", I expect you are referring to SpywareBlaster.  It runs in the background and does not conflict with other software.  You do need to periodically check for updates. 

WinPatrol is also "preventative", notifying you if something is changing your startup, etc.  It also works as a means of correction in that you can control BHOs, startup, ActiveX and more.

Your antivirus, of course, is running all the time.

Updating and scanning with MBAM at least weekly is a good idea.   


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline winchester73

  • Half a bubble off plumb
  • Administrator
  • Hero Member
  • *****
  • Posts: 7197
  • Liverpool FC - YNWA
    • View Profile
Re: Please help, virus won't allow me to run some exe files
« Reply #42 on: November 22, 2008, 07:16:59 PM »
Just to follow up on what Corrine said ...

SpywareBlaster will add tons of "bad" websites into your Restricted zone in Internet Explorer, the net result being fewer popups and increased security to prevent malicious downloads.  I routinely install it on any box I work on.

Same with WinPatrol, a fantastic program that will tell you all sorts of interesting information about your computer, help manage cookies, change the order of startup items, etc.

I'm not a huge AVG fan, but if you like it, keep it ... just be sure to keep it fully updated.

It's always best to try to prevent these pests from infecting your computer, and these products will help protect you ... MBAM is a great tool to remove most infections that should slip through your defenses.  The obvious advice is still the best advice ... be absolutely certain about something before you click "OK", "download", "save", etc.  The sad reality is that the weakest link in the chain is the person sitting in front of the keyboard ... and it's made even worse by some of the new forms of malware that "look" legitimate, but aren't.

If you have any further troubles, please post back.  Or, stop by now and then, and let us know everything is OK.  We have other rooms here in the forum for good, friendly chat, jokes, etc.  Don't be a stranger.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline trooper

  • Full Member
  • ***
  • Posts: 39
    • View Profile
Re: Please help, virus won't allow me to run some exe files
« Reply #43 on: November 23, 2008, 02:07:25 PM »
Thanks for the info.  Wanted to let you know that I did find one other thing this morning that the virus did to my machine.  It disabled "Auto Play" on all usb, CD/DVD players and card readers.  I downloaded "AutoFix" and ran it on each one and that fixed it.

I will definitely check back to this site.  It is a wonderful place for information!!!!!

Many thanks again,

Trooper

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 19332
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Please help, virus won't allow me to run some exe files
« Reply #44 on: November 23, 2008, 03:19:52 PM »
Hi, Trooper. 

Autoplay was disabled during the cleanup process, not as a result of the infection.  Autoplay has increasingly become a source of infection.  See Microsoft MVP Miekiemoes' blog post, published today:  http://miekiemoes.blogspot.com/2008/11/please-disable-autorun-asap.html and Microsoft MVP Don Patterson's blog post (along with the accompanying links), published a few days ago:  http://msmvps.com/blogs/donpatterson/archive/2008/11/20/malicious-code-spreading-through-usb-flash-drive-devices.aspx



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
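Two defender-side checks for the autorun risk Corrine describes above, as an added example that is not code from this thread or from the linked blog posts: decoding the NoDriveTypeAutoRun policy bitmask so you can confirm autorun is off for removable and CD-ROM drives, and parsing an autorun.inf found on a drive to list the directives that would launch a program. Assumptions: the bit-per-drive-type layout of NoDriveTypeAutoRun (bit value 1 << GetDriveType code) and the constructed sample autorun.inf; neither comes from the thread.

```python
# NoDriveTypeAutoRun lives under Software\Microsoft\Windows\CurrentVersion\
# Policies\Explorer (HKLM or HKCU). Setting bit (1 << drive_type) disables
# autorun for that drive type; 0xFF disables it for every type (assumed layout).
DRIVE_TYPES = {"unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
               "remote": 4, "cdrom": 5, "ramdisk": 6}


def autorun_enabled_types(mask):
    """Drive types for which a NoDriveTypeAutoRun mask still leaves autorun
    enabled; an empty list means autorun is fully disabled."""
    return [name for name, bit in DRIVE_TYPES.items() if not mask & (1 << bit)]


def parse_autorun_inf(text):
    """Minimal, junk-tolerant parser for the [autorun] section; INF keys are
    case-insensitive, so they are lower-cased."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def audit_autorun_inf(text):
    """Return the directives that would launch a program or disguise the
    drive in the AutoPlay dialog; anything returned deserves a look."""
    flagged = {}
    for key, value in parse_autorun_inf(text).items():
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute", "action") or is_shell_cmd:
            flagged[key] = value
    return flagged


SAMPLE_INF = """; constructed sample in the shape of a drive-borne autorun.inf
[autorun]
open=example.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=example.exe
label=Removable Disk
"""
```

With the sample, `audit_autorun_inf(SAMPLE_INF)` flags the `open`, `action` and `shell\open\command` lines while ignoring `icon` and `label`; `autorun_enabled_types(0xFF)` returns an empty list.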