winlogon.exe infected. help!


This topic is locked
70 replies to this topic

#61 guestolo

    Site Donator
  • Admin
  • 16,247 posts

Posted 15 March 2009 - 09:58 PM

Let's try a combination of tools and see how you like them. The first 2 are your new Firewall and AntiVirus
Plus, we must update some of your software to secure them also
First:
Go to START>>RUN>>Copy/Paste the following

combofix /u

and press enter
This will uninstall ComboFix and its components

Download and save to desktop
Sunbelt-Personal-Firewall
This Trial version is still Free and functional after 30 days
DO NOT install it yet

Next:
Go here and download your Free version of Avira AntiVir
http://www.download....cdlpid=10322935
Save the installer to desktop
DO NOT install it yet either

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JRE 6 Update 12".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, beside Platform:>>Check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
Do NOT install this yet either

Next: Download and save to your Desktop the Norton Removal Tool
The download link is near the bottom of that page
I use Windows Vista/XP/2000. DOWNLOAD

Now, before we go any further, Disconnect the Internet cable from the computer to the Router
Run the Norton Removal tool, follow all the prompts
Allow the computer to reboot, if it doesn't reboot
Reboot manually
Remain Disconnected from the Internet

Access your Add and Remove Programs and remove all the following
Viewpoint Media Player (Remove Only)
Adobe Reader 6.0
Java 2 Runtime Environment, SE v1.4.2_03

When the last one is removed
Reboot the computer again

Run the installer for the Sunbelt-Personal-Firewall
Follow the prompts, I would install with Simple mode, but it is up to you
At the prompt to Restart the computer
Don't do so, instead, please just Shut down the computer

When the computer has shut down
Reconnect the Internet cable to the computer
Boot back up

After you have totally finished booting to Windows
Install Avira AntiVir from desktop
Ensure that you have it check for Updates
The first time it updates may take awhile, but allow it time

NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it

A scan of your System should then start after updating
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"
I suspect it won't find anything. But run the scan anyways

I suggest that you add SpywareBlaster to your protection software
SpywareBlaster by JavaCool
At the link you can read more about it then continue with
Free Download on the right>>Continue Download at next page
Basically it *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection

Run the installer for the latest version of Sun Java from the desktop you saved earlier

Update Adobe Reader
Go to the following link
http://get.adobe.com/reader/
Download and Install the latest
NOTE: When installing, if you have the option to untick any Toolbars, etc.. they may add to the installer
Choose NOT to install any, they are not needed for the A. Reader to function properly
That really goes with any free software, if a toolbar is not needed or wanted, why install it

Post one last Hijackthis log and let me know how things are still running please

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#62 tonez

    Journeyman
  • Members
  • 41 posts

Posted 16 March 2009 - 12:46 AM

Ok I managed to do all of that, but Avira caught some viruses that were all quarantined. Here's the log for Avira

Avira AntiVir Personal
Report file date: Sunday, March 15, 2009 21:03

Scanning for 1298139 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: TONY

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 17:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:58:43
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 04:58:48
ANTIVIR3.VDF : 7.1.2.172 74752 Bytes 3/15/2009 04:58:50
Engineversion : 8.2.0.114
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/16/2009 04:59:14
AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/16/2009 04:59:11
AESCN.DLL : 8.1.1.8 127346 Bytes 3/16/2009 04:59:08
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 22:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/16/2009 04:59:06
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/16/2009 04:59:03
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/16/2009 04:59:01
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/16/2009 04:58:57
AEGEN.DLL : 8.1.1.28 336244 Bytes 3/16/2009 04:58:55
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 19:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/16/2009 04:58:52
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 19:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 21:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, March 15, 2009 21:03

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SbPFCl.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SbPFSvc.exe' - '1' Module(s) have been scanned
Scan process 'SbPFLnch.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'SpamSub.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'BackWeb-1940576.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe'
Scan process 'Steam.exe' - '1' Module(s) have been scanned
Scan process 'ALCXMNTR.EXE' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'mmtask.exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'ltmsg.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'BackWeb-1940576.exe' has been terminated
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '4a20de81.qua'!

40 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '72' files ).


Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\hp\patches\42WW3USB\src\PCIFINDX.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a06df54.qua'!
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '4a2bdfce.qua'!
C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009887.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '49ede1f6.qua'!
C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009888.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49ede1fb.qua'!
C:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009889.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '49ede1fe.qua'!
Begin scan in 'D:\' <PRESARIO_RP>
D:\hp\patches\42WW3USB\src\PCIFINDX.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a06e6b8.qua'!
D:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP25\A0009891.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49ede6a9.qua'!


End of the scan: Sunday, March 15, 2009 21:41
Used time: 37:45 Minute(s)

The scan has been done completely.

6481 Scanning directories
290279 Files were scanned
9 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
8 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
290268 Files not concerned
13275 Archives were scanned
6 Warnings
8 Notes



Afterwards, I scanned my system with Drwebcureit and it didn't pick up anything, so I did an HJT and here's a log for it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:52 PM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 7070 bytes


I also downloaded SpywareBlaster, but I'm wondering if it's working in the background because it's not on the startup icon menu by the clock?

Is it also okay to connect my external harddrive right about now?

#63 guestolo

    Site Donator
  • Admin
  • 16,247 posts

Posted 16 March 2009 - 07:53 AM

I also downloaded SpywareBlaster, but I'm wondering if it's working in the background because it's not on the startup icon menu by the clock?


As mentioned in the link I supplied to you

No-Nonsense Security
SpywareBlaster can help keep your system secure, without interfering with the "good side" of the web. And unlike other programs, SpywareBlaster does not have to remain running in the background. It works alongside the programs you have to help secure your system.


Since you ran ComboFix on this drive, the External harddrive should not autostart
Plug it in, but don't access it yet
Go through MyComputer and right click on the Drive letter(s) of the external harddrive and scan it with Avira
Let me know if it finds anything

I'm a bit concerned, Avira did find a couple infected files in the D: drive
Not sure if you can totally trust that Recovery partition anymore,
I'm almost thinking you should make an image of the C: drive, the Recovery CD's would be the best
But you don't have those, and I'm unsure if you create them now, if they would be any good anyways
I use Acronis for backup, but I'm looking at a free program for you
Let me test it out later and get back to you, I'm off to work
How much room do you have on your External Hard drive?


#64 tonez

    Journeyman
  • Members
  • 41 posts

Posted 16 March 2009 - 12:55 PM

I have a western digital external hdd. I have 4.59 gigs left in my ext drive.
I double checked my D: Recovery Partition for those infected files and they were not there anymore. But for future problems, I could just contact Compaq now and order a copy of the disc, or if there's a way to create one on the external hdd, then I'm all for that. I could also try and burn a CD of it if it's possible.


I ran Avira and DrWeb and they found virut.56 in there and got rid of it. I manually deleted the ones that couldn't be deleted.
Here's the log for Avira:

Avira AntiVir Personal
Report file date: Monday, March 16, 2009 10:33

Scanning for 1298139 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: Owner
Computer name: TONY

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 17:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 16:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 21:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 04:58:43
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 04:58:48
ANTIVIR3.VDF : 7.1.2.172 74752 Bytes 3/15/2009 04:58:50
Engineversion : 8.2.0.114
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/16/2009 04:59:14
AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/16/2009 04:59:11
AESCN.DLL : 8.1.1.8 127346 Bytes 3/16/2009 04:59:08
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 22:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/16/2009 04:59:06
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/16/2009 04:59:03
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/16/2009 04:59:01
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/16/2009 04:58:57
AEGEN.DLL : 8.1.1.28 336244 Bytes 3/16/2009 04:58:55
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 19:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/16/2009 04:58:52
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 19:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 17:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 18:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 21:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 20:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 21:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 21:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 22:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 22:34:37

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\Owner\LOCALS~1\Temp\c306eab8.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: E:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, March 16, 2009 10:33

Starting the file scan:

Begin scan in 'E:\' <My Book>
E:\wd_windows_tools\Setup.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '4a328ede.qua'!
E:\wd_windows_tools\Google\GoogleInstaller.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '4a2d8eed.qua'!
E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29\A0010024.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '49ee8ec2.qua'!
E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29\A0010025.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '49ee8ec9.qua'!


End of the scan: Monday, March 16, 2009 10:43
Used time: 10:11 Minute(s)

The scan has been done completely.

2825 Scanning directories
93828 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
93817 Files not concerned
869 Archives were scanned
0 Warnings
4 Notes


There is both a System Volume Information and a wd_windows_tools folder on the external hdd, do I actually need both? I could delete them if they're not necessary.

This is the DrWeb log
A0010026.exe;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
A0010027.EXE;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
A0010028.EXE;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;
A0010029.EXE;E:\System Volume Information\_restore{D1BD6C0F-8411-4455-8163-CEF0F28EC0B2}\RP29;Win32.Virut.56;Cured.;


I think the external hdd is clean now. I'm now scanning my C: drive with avira in case a virus sneaked in. I'll edit this post in a bit if I find anything or not.

edit>> My C: drive is clean.
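The two report formats quoted in this post (Avira's path / [DETECTION] / [NOTE] line triples and Dr.Web's semicolon-separated lines) are easy to parse, and doing so makes two things visible that the summary counters hide: which hits sit inside System Restore folders, and whether the "found" and "quarantined" totals agree with the listed detections (the first Avira log above reports 9 found but only 8 quarantined, the extra one being the "Module is infected" line for the running process). This parser is an added example, not code from the thread or from either vendor; the sample report text is constructed with placeholder paths, GUIDs and quarantine ids.

```python
"""Parse Avira AntiVir and Dr.Web CureIt report lines and cross-check them (added example)."""
import re

# Constructed sample, modelled on the Avira report format; values are placeholders.
AVIRA_SAMPLE = r"""
Scan process 'updater.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\Program Files\Vendor\updater.exe'
Process 'updater.exe' has been terminated
C:\Program Files\Vendor\updater.exe
[DETECTION] Is the TR/Agent.16384.CX Trojan
[NOTE] The file was moved to '00000001.qua'!

Begin scan in 'C:\' <SAMPLE>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\tools\setup.exe
[DETECTION] Contains code of the W32/Virut.Gen Windows virus
[NOTE] The file was moved to '00000002.qua'!
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP25\A0000001.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '00000003.qua'!

4 viruses and/or unwanted programs were found
3 files were moved to quarantine
"""

# Constructed sample in the Dr.Web CureIt format: file;folder;threat;action;
DRWEB_SAMPLE = r"""
A0000002.exe;E:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP29;Win32.Virut.56;Cured.;
setup.exe;E:\tools;Win32.Virut.56;Cured.;
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
MODULE_RE = re.compile(r"^Module is infected -> '(?P<path>[^']+)'")
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(?:Is the|Contains code of the)\s+(?P<name>\S+)")
NOTE_RE = re.compile(r"^\[NOTE\] The file was moved to '(?P<qua>[^']+)'!")
WARNING_RE = re.compile(r"^\[WARNING\]\s+(?P<msg>.+)$")
FOUND_RE = re.compile(r"^(?P<n>\d+) viruses and/or unwanted programs were found")
QUARANTINED_RE = re.compile(r"^(?P<n>\d+) files were moved to quarantine")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)


def parse_avira(text):
    """Return file detections, in-memory module hits, per-file warnings and the summary counters."""
    report = {"detections": [], "module_hits": [], "warnings": [], "summary": {}}
    current_path = None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current_path = line  # a bare path line precedes its [DETECTION] / [WARNING] line
            continue
        if m := MODULE_RE.match(line):
            report["module_hits"].append(m["path"])
        elif m := DETECTION_RE.match(line):
            report["detections"].append({"path": current_path, "name": m["name"], "quarantine": None})
        elif m := NOTE_RE.match(line):
            last = report["detections"][-1] if report["detections"] else None
            if last is not None and last["quarantine"] is None:
                last["quarantine"] = m["qua"]  # quarantine id belongs to the preceding detection
        elif m := WARNING_RE.match(line):
            report["warnings"].append((current_path, m["msg"]))
        elif m := FOUND_RE.match(line):
            report["summary"]["found"] = int(m["n"])
        elif m := QUARANTINED_RE.match(line):
            report["summary"]["quarantined"] = int(m["n"])
    return report


def parse_drweb(text):
    """Dr.Web CureIt log lines are 'file;folder;threat;action;'."""
    hits = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) >= 4 and fields[0]:
            hits.append({"path": fields[1] + "\\" + fields[0], "name": fields[2], "action": fields[3]})
    return hits


def reconcile(report):
    """Check the summary counters against the body: 'found' also counts in-memory module hits."""
    detections = report["detections"]
    quarantined = sum(1 for d in detections if d["quarantine"])
    return {
        "detections": len(detections),
        "module_hits": len(report["module_hits"]),
        "quarantined_listed": quarantined,
        "found_matches_summary": len(detections) + len(report["module_hits"]) == report["summary"].get("found"),
        "quarantine_matches_summary": quarantined == report["summary"].get("quarantined"),
    }


def restore_point_hits(hits):
    """Hits inside System Restore folders survive a restore unless System Restore is cleared."""
    return [h for h in hits if h["path"] and RESTORE_RE.search(h["path"])]


def threat_families(hits):
    """Count detection names, e.g. to see how many files a file infector such as Virut touched."""
    counts = {}
    for h in hits:
        counts[h["name"]] = counts.get(h["name"], 0) + 1
    return counts


if __name__ == "__main__":
    avira = parse_avira(AVIRA_SAMPLE)
    print(reconcile(avira))
    for hit in restore_point_hits(avira["detections"] + parse_drweb(DRWEB_SAMPLE)):
        print("restore point hit:", hit["path"], hit["name"])
```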

#65 guestolo

    Site Donator
  • Admin
  • 16,247 posts

Posted 17 March 2009 - 07:14 PM

It looks as if Avira killed some more files related
It also appears that your system is clean,

Don't keep scanning with Dr. Web, the version you have; if you want to, delete your copy and redownload a fresh copy to ensure it is properly updated
But first:

I'm just testing out a backup program, it's a lot like Acronis, but I haven't had a chance to try a restore with it yet
For now, can you do the following
Have your External Harddrive on,

Turn off, and then back on System Restore
Let's ensure the System Volume information folders are cleared
Here's directions
http://support.microsoft.com/kb/310405

After that
Access your Add and remove programs and remove "Compaq Connections"
Reboot afterwards
Additionally, Your system comes preinstalled with software you may never use
Look thru this uninstall list you supplied

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
Catalyst Control Center - Branding
CC_ccStart
ccCommon
Compaq Connections
Compaq Instant Support
Compaq Organize
Counter-Strike: Source
Easy Internet Sign-up
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update
IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.7)
MSRedist
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
RealOne Player
RecordNow!
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Steam
SymNet
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player (Remove Only)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft FREE Trial
Yahoo! Companion
Zone Deluxe Games
Zune Desktop Theme


Don't remove anything yet, we already updated or removed some
But let me know out of that bunch, which you don't think you need, or unsure about

Defragment your Harddrive

Download and save to your desktop the installer for Macrium Reflect FREE Edition
http://www.macrium.com/reflectfree.asp
Don't install yet, I'm just checking it out, so I'll let you know what I think about it.
Let me know when you have the above done

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#66 tonez

tonez

    Journeyman

  • Members
  • 41 posts

Posted 17 March 2009 - 09:28 PM

I have already uninstalled the following in bold font,
and I'm curious whether the following underlined programs can be safely taken out.

I had a problem uninstalling Compaq Connections. There was a BackWeb error of some sort, so I'll probably leave it. It's not really taking up a lot of space.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album Starter Edition
Adobe Reader 6.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)

Catalyst Control Center - Branding
CC_ccStart
ccCommon
Compaq Connections
Compaq Instant Support
Compaq Organize

Counter-Strike: Source
Easy Internet Sign-up
Excavation from Compaq (remove only)
Five Card Frenzy from Compaq (remove only)

HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5

HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.0
HP Software Update

IntelliMover Data Transfer Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)

Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack

Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition

Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.0.7)
MSRedist
MSXML 4.0 SP2 (KB954430)
Multimedia Card Reader
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI

NVIDIA Ethernet Driver
NVIDIA GART Driver
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)

PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
RealOne Player
RecordNow!

Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Slyder from Compaq (remove only)
Sonic Update Manager
SpamSubtract
Steam
SymNet
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player (Remove Only)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
World of Warcraft FREE Trial
Yahoo! Companion
Zone Deluxe Games

Zune Desktop Theme


I am now defragging the C: drive.

#67 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 17 March 2009 - 11:04 PM

After you defrag, why not install Macrium Reflect FREE Edition.
After installation,
in your External drive, create a new folder; call it something like Backup.

It may take a few GB to create this backup, but you can later burn it to disk,
or create a new one to disks. This is so you get used to the software; you can read its documentation online or in the Help file.

Then start Macrium from the shortcut on the desktop.
Once it loads, select "Create backup image of entire disk/partition....."
under Backup tasks.
In Partition selection, select the C: drive.
In Backup selection, under Local disk, browse to the folder Backup.
Click Next >> Finish.
Under Backup Save Options >> Ensure the Backup folder on External is still the destination.
Then click OK.
The backing up should then start.

When it's done,
create a Rescue disk:
Put a blank CD in your burner >> in Macrium,
click OTHER TASKS >> Create Rescue CD.
Try using the LINUX option (default), then click NEXT.
This rescue disk will help if the computer becomes unbootable because of Malware, driver problems, etc...

Let me know when that's done; we can test your backup later.

Do you have a DVD burner or just a CD burner?
You may have noticed one of the backup options was to DVD/CD.

Get to that point, then we can deal with the installed programs later.
I'm off to bed, so I'll talk to you later.



#68 tonez

tonez

    Journeyman

  • Members
  • 41 posts

Posted 18 March 2009 - 02:18 PM

How many gigs exactly do I need for this backup? I keep getting an I/O device error. And I've freed about 30 gigs on the external. This is the error.


Image ID - 7290B9606552AE61

Imaging Summary

Backup Definition File: C:\Documents and Settings\Owner\My Documents\Reflect\My Backup.xml
Backup Type: Full
Destination: E:\Backup-Dont Del\7290B9606552AE61-00-00.mrimg
Auto Verify: N
Maximum File Size: Automatic
Compression: Medium
Password: N
Intelligent Copy: Y
Total Selected: 54.047 GB

Operation 1 of 1
Hard Disk: 1
Drive Letter: C
File System: NTFS
Label: PRESARIO
Size: 182.090 GB
Free: 128.044 GB
Used: 54.047 GB

Starting Image - Wednesday, March 18, 2009 12:31:07
Initializing
Analysing file system on volume C:

Saving Partition - PRESARIO (C:)
Creating Volume Snapshot
Reading File System Bitmap
Saving Partition

Backup aborted! - Write operation failed - The request could not be performed because of an I/O device error.


Am I supposed to back up the C: drive or the D: recovery partition? You mentioned that it should be the C: drive.

I also have an internal DVD/CD-RW burner. I haven't used it in a while; hopefully it still works.

#69 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 18 March 2009 - 08:40 PM

Am I supposed to back up the C: drive or the D: recovery partition? You mentioned that it should be the C: drive.

As I said, the C: drive.

How many gigs exactly do I need for this backup? I keep getting an I/O device error. And I've freed about 30 gigs on the external. This is the error.


I see the following:

Drive Letter: C
File System: NTFS
Label: PRESARIO
Size: 182.090 GB
Free: 128.044 GB


I see you have already used almost 54 GB on your clean Recovery; how can that be?
Did you back up to your C: drive, then try to back up back to your External,
which now doesn't have enough room?
That will never work. On a clean install it should be around 3 GB after compression,
but not if you add more to your C: drive.



#70 tonez

tonez

    Journeyman

  • Members
  • 41 posts

Posted 19 March 2009 - 12:10 AM

I transferred my documents back to my C drive from my external, so my external has 27 gigs free.

I've also installed a couple of games and programs on the C drive.

It was creating a backup earlier, but there was about 15% left when it gave me the error.

Was I supposed to back up before doing anything else?

#71 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 19 March 2009 - 08:20 PM

Was I supposed to back up before doing anything else?

Yes, you were. What do you think the point behind imaging your Operating System was?
I asked you earlier to slow down.

Did you read the documentation included with the software?

It seems like you have everything under control. I'll lock this topic now, as it doesn't appear you need my help anymore. Take care, tonez.
