Daughter's XP antivirus

Discussion in 'Malware Help (A Specialist Will Reply)' started by cowbagger, Oct 25, 2008.

  1. cowbagger

    cowbagger Private E-2

My daughter's computer started getting very slow and had the constant balloon "Your computer is infected" etc. which I believe is the XP Antivirus problem. There was a shortcut on the desktop which her brother helpfully deleted (!). So I took over and ran your run & read me thread. Lots of problems as internet access was impaired and couldn't delete unwanted programs. Computer often froze and had to hard boot.

    A bit of background - this is one of 4 computers on our family's wireless network. We all use XP and firefox, not IE. Daughter spends all day every day on youtube etc. She has Avira Antivirus, spybot and adaware but I've seen today that these aren't run or updated too often. I'm out of my comfort zone on all this stuff, so please send any instructions in words of one syllable, assume no knowledge or skill please.

    First I did the basic computer maintenance steps. I couldn't close Firefox (even though it was not visible or usable) so the CCleaner step wasn't complete on internet cache. Also couldn't remove Yahoo toolbar and installer from Add/Remove Programs. I didn't understand the startup cleaner on CCleaner so didn't remove anything (scary). Ran the IObit defrag. Java files seemed OK.
    I downloaded all the programs/tools to a CD using my computer, to use on daughter's PC. These are the results:

    Could not run or update SAS or Spybot from the CD copy.
    Malwarebytes went fine, and at this stage the red cross next to the clock disappeared and the "you are infected" balloon disappeared. Ran Combofix. Had internet connection at this stage. Re-installed firefox (which had disappeared). Downloaded new spybot and ran, also SAS. Then ran MG Tools, which I also downloaded directly to daughter's computer from internet.

    I think I'm sorted, so toggled the system restore (it's now back on). But so stressed out after this process, would be very grateful if you could check I got rid of it all - as I had to run the programs in a different order to your list, and not at all confident in what I've done. 3 attachments enclosed, I'll try and track down the other one for next post.

    Many thanks in advance for your time and help. Brilliant tutorials!
     

    Attached Files:

  2. cowbagger

    cowbagger Private E-2

    Here's the other one - I DID rename the program to mb.exe, despite its name. Looking forward to hearing your advice - and again many thanks for your help. (you saved my sanity some years ago on a similar mission so I have great hopes you can help us again!)
     

    Attached Files:

  3. cowbagger

    cowbagger Private E-2

    I forgot to say - had a few problems using ComboFix - few of the expected screens turned up as per the bleepingcomputer tutorial - it went straight to "RUN/Autoscan" and I didn't find the Windows Recovery Console either. (Though I think I did download it later - I'm getting muddled now, perhaps you can tell from the logs?) - either way I don't know what to do with it. Please advise.

    Many thanks.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of Sun Java as requested in step 1 of the READ ME:
    J2SE Runtime Environment 5.0 Update 3

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Windows Explorer by right clicking Start and selecting Explore. Then navigate to the below file
    C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir
    when you locate the above file, right click on it and select Rename. Change the name back to nvsvc32.exe
    Then copy this file back to the C:\WINDOWS\system32 folder. ComboFix should not be deleting this service for your Nvidia Card.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. cowbagger

    cowbagger Private E-2

    Many thanks chaslang for your attention and detailed advice. Right here's the update:

    - Apologies for the SunJava omission - the "updating Sun Java" subtopic in the Read me excludes update 3 as one to remove that's why I left it, despite the earlier instruction to remove all. Have now uninstalled it. There was an error message towards the end of uninstall: "Error Java" Java.lang.Null pointer Exception. I pressed OK.

    I then made a mistake (sorry, am very weary and muddled). I moved MG Tools to the desktop and ran MGTools.exe, got a couple of error messages, and no menu screen, then realised my mistake. [I only added this in case it's relevant to the logs, so apologies if I'm rambling]

    So then moved MGTools back to C drive and ran C:\MGTools\analyse.exe. Did the Fix on line O3 - Toolbar: (no name)

    I couldn't find combofix anywhere so downloaded it again to desktop, moved over the CFscript.txt, exited all browsers. Had a couple of incidents running Combofix:

    "Combofix has detected the presence of rootkit activity and needs to reboot the machine." So I pressed OK and computer rebooted back into combofix screen.

    Then 2 "A virus was found" messages:
    "C:\combofix\N_\31506 contains Eicar-test-signature virus" I chose delete.
    "C:\Qoobox\Quarantine\C\Windows\System32\av.dat.vir is the TR/CryptXPack.gen Trojan" Again I selected delete.
    I trust this was the right response?

    During the reboot, the computer automatically activated ZoneAlarm, SAS and AntiVir, which I quickly tried to disable - but meanwhile the ComboFix window said "Do not run any programs until combofix has finished" so I hope this activity didn't ruin the logs. I don't know how I could have stopped them running during an automatic reboot. Please advise how to do this if I need to re-run.

    Then I failed twice to reinstall Sun Java from your link. I downloaded it from both FL and TX. I got the message: "Not a valid W32 application". So I don't have a java installation at the moment.

    Then I renamed the nvsvc32.exe, and put it back in system 32.
    Then ran ccleaner.
    Then ran MGTools getlogs.bat.

    Since our last correspondence the computer has been running well, Thank You, with internet/email access fine. However, on trying to reply to this thread, found that I could not access internet at all, even after a couple of re-boots. So I transferred the logs from daughter's pc to mine and here they are.

    I don't know why we can't get internet on daughter's PC - don't know if it's due to absence of Sun Java as I have no idea at all what these files are for. All the computers in our house are on the same wireless network. I am following your instructions in blind faith, total ignorance, and extreme gratitude. You'll see a long time gap between the 2 logs - I fell asleep in the middle, I am on my knees shattered!

    Many thanks for your help and time, and I hope you can work with these logs and advise on what to do next. Best wishes from a freezing UK.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Actually no! The first is part of ComboFix and the second was already deleted by ComboFix and was being put in the ComboFix Quarantine. If your AV program had done its job properly this file would not have been on your PC to begin with.

    Not sure why this is happening. This is a typical message you may see when a Win32.Bagle type infection is present but you show no signs of this. And your logs are clean.

    I do suggest that you delete the below leftover folders from AVG since you are now using Avira:

    There may be a problem with settings for your wireless services.

    Try working through the below procedure to see if it helps you solve this problem.

    Fixing Wireless Zero Config Service


    Also please put copies of the below files into a ZIP file and attach this ZIP to your next message:
    Code:
    "C:\Qoobox\Quarantine\Registry_backups\"
    legacy~1.dat  25 Oct 2008         892  "Legacy_MYWEBSEARCHSERVICE.reg.dat"
    legacy~2.dat  25 Oct 2008        1220  "Legacy_TDSSSERV.reg.dat"
    safebo~1.dat  25 Oct 2008         558  "SafeBoot-TDSSmxfe.sys.reg.dat"
    servic~1.dat  25 Oct 2008        2728  "Service_MyWebSearchService.reg.dat"
    servic~2.dat  25 Oct 2008        2664  "Service_TDSSserv.reg.dat"
    tcpip.reg     27 Oct 2008       10207  "tcpip.reg"
     
    Last edited: Oct 29, 2008
  7. cowbagger

    cowbagger Private E-2

    Hi Chaslang

    Many thanks for the reply. I deleted all the AVG folders you listed. ZoneAlarm kept popping up "firewall has blocked internet access to your computer {NetBios session}" TCP ports 445/2217/2216/1231 and listed the IP addresses for 2 other computers on our home network - I added these to the trusted zones. Probably irrelevant to you but thought I'd mention it.

    ZoneAlarm btw is set to "medium" for both trusted and internet sites - should I adjust this to high for internet? I'm not familiar with this program (I use Bullguard). Bear in mind this computer is used by dizzy teenager on youtube mainly 24/7.

    Internet access on this computer has been fine since my last post, with no adjustments made. It does sometimes happen that one of the computers can't access internet - I put it down to thick house walls and atmospheric conditions! But I went to the subtopic re the internet connection but failed at first stage - "Windows cannot find 'service.msc'". I did a search for it on "My Computer" and still did not find it. Is this an important file and do I need to do something about it? Anyway have not done anything to improve the wireless connection. Is there anything else I should do?

    Apologies for deleting the virus things in ComboFix - I did own up to being a tech illiterate, "delete" seemed a sensible response at the time. Have I messed that up then? And do I need to rerun ComboFix? You mention the AV had not done its job - is Avira not good enough? Or is it because daughter hasn't updated and run it properly?

    I zipped the files in Qoofix individually then put them in a folder and zipped that for attachment. They're all v small files.

    Finally I revisited the Java link - it downloads fine but I can't install it - got the same message "not a valid win32 application". The download is from geeks FL and is called jre-6u10-windows-i586-p.exe. Please advise - I don't even know what Java is for and do I need it?

    Many thanks again for your help and looking forward to next episode!
     

    Attached Files:

  8. cowbagger

    cowbagger Private E-2

    Hi again,

    Just had a quick browse of daughter's outlook. There's 2 emails (to her perfectly correct full email address) from Antivirus 2009 [antivirus@products--daily--news.net] with lots of links to click on.... AAAAAGH! I can see she's opened the emails, hopefully she didn't click the links (She's asleep in bed so can't interrogate her!) I can't see any options in her Outlook or other programs to mark the senders as "blocked" - Any advice please? Obviously her email address is "out there", and there'll be more where this came from. The emails were dated 27 and 29 October.

    Thanks chaslang.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's good. Then you don't need to take those steps in the link I gave.

    That was my typo. It was supposed to be services.msc as also shown later down in that thread too. You can look at this if you want just for an FYI, but you do not need to do these steps if your connection is working.

    The link I gave will not improve a wireless connection. It only attempts to fix one that is totally broken. It will not do anything to improve an intermittent connection. You need to make sure you have your network set up properly and that you are getting a good signal to all wireless devices. You can work issues like this in the Networking Forum.

    Avira is fine. My point was really that that file should have been detected as it was first added to your PC. It is a little strange that it was only detected as ComboFix was quarantining it. Perhaps you need to make sure your daughter keeps Avira updated and runs weekly scans.

    Thanks. I no longer need them since your connection is working.

    Try downloading the file on another PC and then use a USB drive, CD...etc to copy to this PC. Then see if it runs. Do you get this error when trying to download and install anything else?
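    When Windows reports "not a valid Win32 application", it helps to confirm whether the downloaded installer is actually an intact PE executable before suspecting the account or the PC. The following is an added example, not code from this thread or from MajorGeeks: a small Python check of the DOS/PE headers that distinguishes a truncated download, a saved HTML error page, or a non-x86 binary from a structurally valid installer. The sample headers it builds for testing are constructed, not a real Java installer.

```python
"""Check whether a downloaded file is a structurally valid Win32 PE executable.

Added example (not from the forum thread). Reads the DOS header, follows
e_lfanew to the "PE\0\0" signature and inspects the COFF header. It does
not prove the file is safe or signed; it only rules out the common causes
of "not a valid Win32 application" (truncated or wrong-content download).
"""
import struct

# IMAGE_FILE_MACHINE_* values from the PE specification
MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)",
                 0x01C4: "ARM", 0xAA64: "ARM64"}


def inspect_pe(data: bytes) -> dict:
    """Return {'valid', 'reason', 'machine', 'size'} describing the bytes."""
    result = {"valid": False, "reason": "", "machine": None, "size": len(data)}
    if data.lstrip()[:1] == b"<":
        # Browsers sometimes save an HTML error/login page under the .exe name
        result["reason"] = "starts with '<': looks like an HTML page, not an executable"
        return result
    if len(data) < 64:
        result["reason"] = "shorter than a DOS header (truncated download?)"
        return result
    if data[:2] != b"MZ":
        result["reason"] = "missing 'MZ' DOS signature"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):      # 4-byte signature + 20-byte COFF header
        result["reason"] = "e_lfanew points past end of file (truncated download?)"
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        result["reason"] = "no 'PE\\0\\0' signature at e_lfanew"
        return result
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    result["machine"] = MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")
    if machine not in MACHINE_NAMES:
        result["reason"] = "unknown machine type in COFF header"
        return result
    if size_opt == 0:
        result["reason"] = "no optional header: object file, not an executable"
        return result
    result["valid"] = True
    result["reason"] = f"valid PE, {nsect} section(s), {result['machine']}"
    return result


def inspect_file(path: str) -> dict:
    """Convenience wrapper: inspect an installer on disk, e.g. the JRE download."""
    with open(path, "rb") as fh:
        return inspect_pe(fh.read())


def build_sample(machine=0x014C, size_opt=0xE0, truncate_at=None) -> bytes:
    """Construct a minimal PE-shaped header for testing (not a runnable program)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, size_opt, 0x0102)
    data = bytes(dos) + bytes(0x80 - 64) + b"PE\x00\x00" + coff + bytes(size_opt)
    return data if truncate_at is None else data[:truncate_at]
```

Run `inspect_file(r"C:\path\to\jre-6u10-windows-i586-p.exe")` on the downloaded file; a "truncated" or "HTML page" reason means the download itself is bad, while a valid result points the problem back at the installing account or system.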
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just delete these emails. While you could waste your time trying to set up a filter to block these, the content of the messages and where they come from changes many times per day. It would just be a waste of time. You need to teach your daughter not to open messages from unknown sources and also to definitely never click on links in messages unless extremely sure the links are OK. Even links that look like they come from a friend could be dangerous. The friend's PC could be infected and sending out these emails without the friend's knowledge. It happens all the time.
     
    Last edited: Oct 31, 2008
  11. cowbagger

    cowbagger Private E-2

    Wow, well that is all good news, chaslang. Thanks very much! (especially for spelling it all out so clearly - it does improve my confidence). Am working on training the daughter - she does intend to follow instructions I think, but is no more successful on the PC than she is in "real life" - s'pose it's a teenager thing. I will persevere!

    So are we all done?
     
  12. cowbagger

    cowbagger Private E-2

    OK. I downloaded another program off your website and got the same response as I did to the Java one - I was able to download, but when I clicked to install got the "not a valid win32 application" message again. Also tried to update a program and got a message to untick the "work offline" File setting (which I hadn't selected?!) I did that but computer was still offline. I assumed this was one of the intermittent issues we get here with unreliable internet connections on the network. So rebooted, and logged on as Main Administrator. Got full internet connection immediately.

    Then I realised......... the java download was on my daughter's desktop not the Main Administrator desktop! So I downloaded it again onto Main Administrator desktop from Majorgeeks FL and yippee it installed OK! So that is now done.

    So... I investigated User Accounts - daughter IS an administrator but for some reason on her account although we can download we can't install and it is at that point that the internet connection is flicking off. Had no such instability on Main Admin login. Is this one for the software forum or is this a sign of some other nasty virus? Looks like her user account is damaged in some way? (Way out of my comfort zone here) - If I set up a new account for her and delete the current one what is the impact on access to her SIMS programs etc.? I don't know how to do this. Please advise. Also please confirm that whatever Sun Java does will work on all accounts on the computer, not just the Main Admin where it was installed? I am guessing that the damage to her user account is preventing installations AND flicking off the internet after downloads. I don't recall having that problem on the Main Admin account. (Of course, I may well be talking rubbish, and don't mind being told!)

    Many thanks again, and look forward to your instructions.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below after logging into your daughters account.

    Resetting Registry and File Permissions


    Note: Do you really want your daughter to be using an admin account with full permissions?
     
  14. cowbagger

    cowbagger Private E-2

    Hi chaslang....... fell at the first fence, I'm afraid - I backed up the registry, downloaded the SubInACL from your link, then...... could not install because I was logged in on my daughter's sign-on! That is the problem we're trying to solve!? Got the usual messages about can't install when offline so had to untick the "Work offline" setting which had popped up again on the File menu, but then also got another message "The installation package could not be opened. Contact the application vendor to verify that this is a valid Windows installer package". Her computer then went offline altogether, so returned to mine to post this.

    I take your point about her being an administrator - I seem to recall that the reason she is is because a lot of her SIMS games required administrator access to run/install. If I downgrade her account, then can I copy access to the stuff on her current desktop to her new sign-on? If so how do I do this - I don't suppose it's as easy as copying shortcuts from one to the other? Or would I have to reinstall afresh? (she would lose her houses and families I think?) Also can I run your instructions on the SubInACL from the Main administrator account or do I need to be logged in as her?

    Thanks for your advice, again!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give it a try and see what happens after you reboot after making the changes.
     
