8 viruses found by BitDefender

Discussion in 'Malware Help (A Specialist Will Reply)' started by hagbag69, Nov 10, 2007.

  1. hagbag69

    hagbag69 Private E-2

    Hi all,

    Firstly, I've been through the READ & RUN ME FIRST instructions.

    I'm running a 3-year-old and fully updated XP SP2 Home installation on a Shuttle AK35GT2/AMD Athlon 1500+/160GB Maxtor HD/GeForce4 440 MX and it's probably time to take it out into the yard and shoot it in the head. The humane thing to do perhaps, but as I only have an OEM recovery CD I would like to clean it up before I resort to recovery/reinstallation.

    Startup takes up to 10 minutes, all programs take twice as long to open as they do on a recent installation, and every time I right click on a file, or Ctrl+C or delete, the "Windows Installer/preparing to install" dialogue comes up. I can cancel that and the correct menu comes up, but it started happening a couple of months ago after I removed some spyware with Trend Micro House Call. At the same time, all my MS Office programs stopped opening, requesting the installation CD with the PRO11.MSI. As I inherited the PC, I haven't got the CD, so I found PRO11.MSI on the net and it required another .MSI file whose name I forget cos I gave up and installed Open Office and rescued my .pst file by various dark arts.

    I'll attach the various scan logs to this and the next post. Results of interest are:
    Spybot continually finds Zlob DNS Changer despite fixing it after every scan.
    CounterSpy found nothing
    BitDefender found 8 viruses as well as a few quarantined remains.
    Panda ActiveScan found nothing

    I can't find the Panda log, so I'll run it again. In the meantime, Counterspy and BitDefender logs are attached to this post. RunKey and Newfiles I'll attach to the next.

    Any help greatly appreciated,
    Stuart
     

    Attached Files:

  2. hagbag69

    hagbag69 Private E-2

    runkeys.txt and newfiles.txt attached to this post. I'll run Panda again and attach the log asap.
    Stuart
     

    Attached Files:

  3. hagbag69

    hagbag69 Private E-2

    The panda scan results are attached to this mail:
    1 virus found & disinfected
    1 spyware found & not disinfected
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start by running ComboFix, also you did not attach a HJT log.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Once you complete the above, attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • ComboFix
     
  5. hagbag69

    hagbag69 Private E-2

    Hi BJ,
    While I was running the first Combofix scan, Counterspy popped up a "you've not activated Counterspy" dialogue and AVG detected a worm threat and automatically healed it. Not life-threatening, but I thought you should know what's happening (it's the first time in three months that AVG has found a virus).

    Before I got much further, Windows Firewall flashed up a warning that certain features of Messenger had been blocked and did I want to unblock/continue.

    Combofix, GetRunKey and Shownew logs attached to this post. HJT and the newer Combofix logs to the next.

    Thanks again for your help,
    Stuart
     

    Attached Files:

  6. hagbag69

    hagbag69 Private E-2

    HJT and second Combofix log attached
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please rename HijackThis to "analyzethis.exe" and attach a fresh log once renamed.

     
  8. hagbag69

    hagbag69 Private E-2

    Renamed hijackthis.exe as requested, HijackThis log attached
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run GetRunKey once more and attach a fresh log, something didn't go right.
     
  10. hagbag69

    hagbag69 Private E-2

    Hi BJ,

    I'm running GetRunKey.bat from Windows Explorer with all other programs closed. This is all the report in C:runkeys.txt gives:

    Binary file C:\rkeysxxx.txt matches

    I can't attach the report cos the "Manage Attachments" window tells me I've already uploaded it in a previous post, despite me moving it and renaming it...

    Continuing thanks
    Stuart
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the attached GRK.zip file and extract the GRK.bat file from it into the C:\GetRunKey folder.

    Then run the GRK.bat file by double clicking on it. Does this give you a valid runkeys.txt log to upload? If yes, then attach it.
     

    Attached Files:

    • GRK.zip (10 KB)
  12. hagbag69

    hagbag69 Private E-2

    Hi Chas,
    No valid runkeys.txt I'm afraid. The command line opens, writes about 25 x*.txt files to C:\, asks me if I want to create runkeys.txt cos it doesn't exist, I say Yes, and notepad opens with a blank runkeys.txt.

    I had a look at runkeysxxx.txt cos it was referenced in my previous post, and it looks like a decent log file. I'll attach it - see what you think.

    Keep up the good work
    Stuart
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this was sort of what I expected would happen. Your PC is having a problem with a certain command inside of the GetRunKey.bat file. I'm not sure why because I can take your rkeysxxx.txt file and process it just fine with the same command.

    Click Start, Run, and enter cmd and click OK. Then enter the below commands into the command prompt window.

    cd C:\GetRunKey
    grep

    What do you see after typing in grep?

    Now type the below at the command prompt:
    cd c:\
    grep

    What do you see after typing in this second grep?



    Note: The modified GRK.bat file left a whole bunch of temp files in your C:\ folder. They will get cleaned up by just running the original GetRunKey.bat file even though it does not create a full log.


    To get you started on a fix you need to empty the quarantine folders mentioned in your BitDefender log. We asked you to do this in step 1 of the READ ME. You need to delete the AVG and Housecall Quarantines, which are all files in the below two folders:

    C:\$VAULT$.AVG
    C:\Documents and Settings\Stewart\.housecall6.6\Quarantine

    Then you need to also manually remove the email messages from Outlook Express that BitDefender mentioned.

    Now please uninstall the CounterSpy trial since we are finished with it.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!

    You really don't have any malware in your logs. The above is just miscellaneous cleanup you need to do.
     
    Last edited: Nov 17, 2007
  14. hagbag69

    hagbag69 Private E-2

    Usage: grep [OPTION]... PATTERN [FILE]...
    Try 'grep --help' for more information.

    "grep" not recognised as an internal or external command, program or executable batch file

    Deleted C:\$VAULT$.AVG\*.*
    Deleted C:\Documents and Settings\Stewart\.housecall6.6\Quarantine\*.*

    Deleted C:\Documents and Settings\Stewart\Configuración local\Datos de programa\Identities\{41D8F490-C258-4DAF-B990-CF46DD0810D6}\Microsoft\Outlook Express\*.*
    I know, I've deleted the whole profile, but I don't use Outlook Express anymore and I've got all the mails elsewhere!

    Counterspy uninstalled
    None of these would uninstall in normal mode, booted into safe mode and uninstalled all except Java(TM) 6 Update 2 (doesn't disappear from the Add/Install Programs)
    Back in Normal Mode and all of them still appear in Add/Remove Programs...

    Done
    Attached

    Thanks again
    Stuart
     

    Attached Files:
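    The "Binary file C:\rkeysxxx.txt matches" output above is what GNU grep prints when its input contains NUL bytes, and Windows' reg export writes UTF-16LE text, which is full of them. Below is an added example (not GetRunKey.bat or anything from this thread) that decodes such an export before filtering and pulls the Run/RunOnce autostart entries out of it; the registry text it parses is constructed inline from the two O4 entries quoted earlier.

```python
"""Parse 'reg export' output for Run/RunOnce autostart entries.

A byte-oriented grep treats the NUL bytes of UTF-16LE text as binary and
reports "Binary file ... matches" instead of the matching lines, so a
grep-based startup-key collector can end up with an empty log. Decoding
the export first avoids that.
"""
import re

RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample in .reg syntax (backslashes and quotes are escaped).
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"SunJavaUpdateSched"="\\"C:\\\\Archivos de programa\\\\Java\\\\jre1.6.0_03\\\\bin\\\\jusched.exe\\""\r\n'
    '"QuickTime Task"="\\"C:\\\\Archivos de programa\\\\QuickTime\\\\qttask.exe\\" -atboottime"\r\n'
    "\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]\r\n"
    '"DisplayName"="Not an autostart value"\r\n'
)
# What 'reg export' actually writes: UTF-16LE with a byte-order mark.
SAMPLE_UTF16 = b"\xff\xfe" + SAMPLE_REG.encode("utf-16-le")


def looks_binary_to_grep(data: bytes) -> bool:
    """GNU grep classifies input containing NUL bytes as binary."""
    return b"\x00" in data


def decode_reg_export(data: bytes) -> str:
    """Decode by BOM: UTF-16 (reg export default) or UTF-8/ANSI fallback."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")  # the codec consumes the BOM
    return data.decode("utf-8-sig", errors="replace")


def run_entries(text: str) -> dict:
    """Map 'KEY\\valuename' -> command for every value under a Run key."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None  # ignore non-Run keys
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            entries[f"{current}\\{m.group('name')}"] = data
    return entries


if __name__ == "__main__":
    print("grep would call this binary:", looks_binary_to_grep(SAMPLE_UTF16))
    for key, cmd in run_entries(decode_reg_export(SAMPLE_UTF16)).items():
        print(key, "=>", cmd)
```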

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using the Uninstall feature built into Ccleaner to remove them. You can find it under Tools. Let me know if that works. If not, I will give you another method.

    You should rerun the first version of GetRunKey.bat that you downloaded just to cleanup all of the temp files that were created.

    Is everything running OK otherwise?
     
  16. hagbag69

    hagbag69 Private E-2

    Hi Chas

    Can't uninstall the Java updates with CCleaner, what other methods are there?

    All the xxx*.txt files have been deleted by GetRunKey.bat

    Still taking 10 minutes for XP to boot and the Windows Installer dialogue is still coming up every time I right click on a file, but that's damage to the installation, wouldn't you say?

    Once we're done here, I'm gonna try a repair install of XP - dunno if you have any experience of reinstalling XP, I'd like to wipe the HD and install afresh but I've only got a recovery CD. Any ideas where I could get help with that?

    Cheers,
    Stuart
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This could be caused by the same issues that are causing Windows Installer to popup. First try doing what I have given you below before we do manual removal.

    This is not due to malware. It is due to what you are loading/running or due to hardware issues with your PC.

    You also may have some broken or incomplete installs or uninstalls. Please run the below to see if it can fix any:

    Windows Installer CleanUp Utility


    This is a topic for the Software Forum. However, if you use a recovery CD, it will put your PC back into the same state as it was when you purchased it. Thus anything installed and all updates for software, hardware, etc. will be gone. Also you could lose any personal data too. These are things you need to consider before using a recovery CD.
     
  18. hagbag69

    hagbag69 Private E-2

    The Windows Installer Cleanup Utility seems to have got rid of the Java updates, but that pesky dialogue window is still appearing when I right click on files.

    I've moved all my data to the external drive, so wiping the internal HD isn't a problem. I'd love to install Fedora and run this XP through VMware or VirtualBox, but the whole XP license thing is putting me off.

    If you've any more ideas about the Windows Installer, I'd love to hear them. Otherwise I guess we can close this thread.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could try downloading and installing the latest version of Windows Installer from the below link. I'm not sure if you will have any problems though due to the license issue.

    http://support.microsoft.com/kb/893803


    Other than that, all I can suggest are two things:
    1. try the Software Forum
    2. buy a valid copy of Win XP and reinstall ;)
     
  20. hagbag69

    hagbag69 Private E-2

    Reinstalling the installer didn't fix the problem. Bugger.

    FYI I found a forum which suggested deleting registry entries in
    HKEY_LOCAL_MACHINE > Software
    and
    HKEY_Current_User > Software
    for Norton/Symantec programs which may not have been uninstalled properly.

    Given that we've found a problem uninstalling those Java updates, I reckon that you were right about the Win Installer being screwed. If so, then all the software I've uninstalled which may appear on a properties menu, could be a candidate for causing the Installer to try and run whenever I right click on a file/icon/etc. Don't you just love finding Microsoft's holes?!

    Before we close the thread, I'm finding that I can't delete/rename/move some files as they are "being used by another process". An old chestnut, but symptomatic of malware, don't you think?

    And finally, thanks for all your help, I've learnt a lot but I can't say I'll be following your last piece of advice about buying another copy of XP! I'm only using it cos of the MP3 player, Nokia phone, and Canon camera, but now I've found Linux apps which will handle them all I think I can safely stick the XP recovery CD in and play about for a few more weeks!
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually these problems with incomplete uninstalls that leave things in the registry are quite common and they are not due to Microsoft. They are due to poor programming practices. Using a good registry cleaner you will find hundreds if not thousands of dead keys.

    What files? There are many files that are normally in use and cannot be removed. This does not mean they are malware.

    You're welcome.
     
