Win XP Repair virus

Started by ejane, July 29, 2011, 02:29:05 AM


ejane

Ignore previous post, got it to work. Desktop appeared.

ejane

Ran Malwarebytes and it shows 2 infections:
PUM.Hijack.Display Properties
PUM.Hijack.Task Manager

I assume I should let it remove?

Jane

ejane

Ran ESET Scan again and it found:
C:\Qoobox\Quarantine\C\Documents and Settings\felix\Local Settings\Temp\plugtmp-5\plugin-xteobtkqytfzct.pdf.vir   JS/Exploit.Pdfka.OYH trojan   cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP706\A0153849.exe   Win32/RegistryBooster application   deleted - quarantined

Computer seems to be running well.

Jane

Corrine

Hi, Jane.

Based on what ESET found, it doesn't appear that you have removed ComboFix yet.  I'll repeat the instructions here so you won't have to search for them.

Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

ejane

Did not see where that was explained. Sorry if I missed that. It is now uninstalled.

Jane

ejane

Do I need to do anything else?

Jane

winchester73

Jane, how are things now?  Everything back to normal?
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

ejane

Seems to be running fine. Should I run some other scans? How about System Restore - clean out restore points?  I'm afraid to trust that the computer is clean.

winchester73

Good news.

My preference in general is to leave the restore points alone.  It's doubtful that you'll ever need them, but once they are gone they are gone.  The restore points will drop out automatically as new ones are created.

However, some people prefer to eliminate them.  Here's some Microsoft info on how to do that:  http://support.microsoft.com/kb/555367

In your case, that's why Corrine double-checked you had uninstalled ComboFix.  As part of its magic, it takes care of infected restore points.

As for what to do now ...

I'd keep the free version of MBAM installed; it's a good on-demand scanner.  The paid version has some additional features if you choose to go that route.  Update and run a scan periodically to see if you have picked anything up.

To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector on your computer or, alternatively, visit http://secunia.com/software_inspector/ and run an online version.  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications
The PSI is more thorough, but can also be a bit confusing to use.  The OSI is a good tool for most folks.

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

Corrine and I both recommend WinPatrol, a security program which includes the features described at http://www.winpatrol.com/features.html

There is also a support subforum for WinPatrol here at LandzDown should you have any questions about WP.

Both SpywareBlaster and WinPatrol are free, although there is a pay option for auto-updating SB and for the PLUS version of WP.  Neither of these will interfere with what you currently have installed.  Layered protection is particularly good with older Windows operating systems like XP.


ejane

I already installed all you mentioned. Should I run scans now to make sure nothing shows?

Jane

winchester73

Sure, why not ...  :D

I'd do a complete shutdown first, before you run any scans.  Not just a restart ... I'd have Windows boot from the off position.  That way if anything is lurking in the background, it will pop its ugly head up.

Let us know how things go.

Corrine

Quote from: ejane on August 01, 2011, 06:33:40 PM
How about System Restore - clean out restore points?

Prior to running, ComboFix creates a fresh restore point.  Then, System Restore points are reset as part of the process of uninstalling ComboFix.  Thus, the infected restore points are flushed from the system, leaving a clean point.

One thing to understand about System Restore is that it is not an endless repository.  As Winchester73 indicated, the restore points will drop out automatically as new ones are created.  Even if System Restore wasn't flushed, the only danger would be restoring to an infected point and having to re-do the cleaning process.

As a "learning" for the future, I recommend creating a fresh restore point prior to making any changes to the computer.  However, if you wish to "clean up", I recommend the Disk Cleanup tool which helps you free up space on your hard disk by searching your disk for files that you can safely delete. You can choose to delete some or all of the files.  It can also be used to clear all but the most recent System Restore point.

First, create a fresh restore point:

1.  Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2.  Click Create a Restore Point, and then click Next.
3.  Name your restore point. (i.e., clean)
4.  Click the Create button.
5.  When the new restore point has been created, click Close.

Now select the files to be removed as well as all but the new restore points:

  • Click Start --> Run and type cleanmgr into the Run box and then click "OK".
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the System Restore section at the bottom.
  • Answer Yes to the question "Are you sure you want to delete all but the most recent restore point?".
  • Click OK and answer Yes again.

The Disk Cleanup utility will remove the selected items.  When it completes, restart the computer to properly record the changes made to the hard disk.

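For readers who want to verify the restore-point steps above rather than trust the wizard, here is an added PowerShell example (not code from the thread or from any of the tools it mentions). It lists the existing System Restore points through the WMI SystemRestore class and creates the fresh "clean" point the same way the System Restore wizard does; it assumes Windows XP with PowerShell installed and an administrator account.

```powershell
# Added example, not from the thread: list System Restore points and create the
# fresh "clean" point through the WMI SystemRestore class (root\default), which is
# what the System Restore wizard and Disk Cleanup's "Clean up..." button act on.
# Assumes Windows XP with PowerShell installed, run from an administrator account.

function Get-RestorePoints {
    # On XP each point is stored as \System Volume Information\_restore{GUID}\RP<SequenceNumber>,
    # the same RPnnn folders in which ESET reported a finding earlier in this thread.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object @{n='Sequence';    e={ $_.SequenceNumber }},
                      @{n='Folder';      e={ "RP" + $_.SequenceNumber }},
                      @{n='Created';     e={ [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }},
                      @{n='Description'; e={ $_.Description }}
}

function New-CleanRestorePoint {
    param([string]$Description = "clean")
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $result = $sr.CreateRestorePoint($Description, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with code $($result.ReturnValue)"
    }
}

# 1. Record what exists now. Any point whose Created date is earlier than the
#    cleanup is one you would not want to restore to.
"Restore points before cleanup:"
Get-RestorePoints | Format-Table -AutoSize

# 2. Create the fresh point (steps 1-5 above), then run Disk Cleanup's
#    "Clean up..." button under More Options as described.
New-CleanRestorePoint -Description "clean"

# 3. After Disk Cleanup finishes, run Get-RestorePoints again: only the newest
#    ("clean") point should remain.
```

Run the third step again after the reboot as well, since the list should still show a single point.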

ejane

Ran ESET again and it was clean but shows two entries in quarantine. What do you recommend?

Jane

winchester73

Jane ...

Can you tell us the file path that ESET reports for the quarantine?  I wonder if it is your AVG?  If so, you'll have to flush them within the anti-virus, unless the ESET scanner gives you the option to do it.

The items in quarantine won't spring back to life, but yes they should be deleted from the computer just to close the loop.

Over the course of the next few days, reboot the computer a few times, and check both of your user log-ons to make sure everything is working normally again.  As the ad says, we'll leave the light on for you.