windows firewall disabled and appearance of wfwall1.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by ohmissjones, Dec 24, 2005.

  1. ohmissjones

    ohmissjones Private E-2

    My father's Dell Inspiron 1150 laptop, which runs Windows XP, seems to have every virus/trojan under the sun. I have run many virus scanners to no avail and have also followed the majorgeeks.com steps, including BitDefender, Panda ActiveScan and HijackThis, creating text files and logs as requested. I have attached these. Can anyone help? It's driving me up the wall!
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. The files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.


    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run, type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running Ewido Security Suite.

    Post the Ewido log and a fresh HijackThis log.
     
    Last edited by a moderator: Dec 24, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SPD,

    I edited your previous message; you will see the stuff in this color.

    I think first you should determine whether the c:\i386 folder is actually a valid Windows backup folder and also if the lsass.exe file in question is valid before deleting. Deleting the run time load with HJT is okay as we all know that is not normal. But verify the folder contents and that file first before deleting.

    Merry Christmas
    Chas
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Chaslang, I checked: LSASS.EXE is not valid in C:\i386; however, LSASS.EX_ is valid. C:\i386 should contain an exact copy of the i386 directory of the installation CD.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not always! I have multiple WinXP installations all having c:\i386 and it is lsass.exe in the folder. So I was just suggesting taking a safer route.
     
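    As an added illustration of the "verify before deleting" point made above (this is not code from the thread or from MajorGeeks), the following Python sketch flags plain executables in an i386 listing for manual checking. The directory listing is constructed, and the helper names are assumptions of mine.

```python
"""Triage helper for the C:\\i386 / lsass.exe question raised in the thread.

Setup files in an i386 folder are normally stored cab-compressed, with the
last character of the extension replaced by an underscore (LSASS.EX_ rather
than LSASS.EXE). An uncompressed LSASS.EXE in C:\\i386 therefore deserves a
manual check, but as chaslang notes it is not proof of infection, so the
finding is reported as "verify", never as "malicious".
"""
import ntpath

# Constructed listing standing in for a real C:\i386 directory (sample data).
SAMPLE_I386_LISTING = [
    "LSASS.EX_", "LSASS.EXE", "NTOSKRNL.EX_", "KERNEL32.DL_", "LAYOUT.INF",
]


def compressed_name(filename):
    """Return the cab-compressed form of a setup file name (LSASS.EXE -> LSASS.EX_)."""
    stem, ext = ntpath.splitext(filename)
    if len(ext) < 2:            # no extension to rewrite
        return filename.upper()
    return (stem + ext[:-1] + "_").upper()


def find_uncompressed_copies(listing):
    """Report executables present in plain (uncompressed) form in an i386 folder.

    Returns a list of (filename, verdict, reason). The verdict is always
    'verify': a plain .exe/.dll/.sys sits beside, or instead of, its compressed
    twin and should be compared with a known-good copy before anything is deleted.
    """
    names = {n.upper() for n in listing}
    findings = []
    for name in sorted(names):
        if not name.endswith((".EXE", ".DLL", ".SYS")):
            continue
        twin = compressed_name(name)
        if twin in names:
            reason = "compressed twin %s also present" % twin
        else:
            reason = "no compressed twin %s found" % twin
        findings.append((name, "verify", reason))
    return findings


if __name__ == "__main__":
    for finding in find_uncompressed_copies(SAMPLE_I386_LISTING):
        print(finding)
```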
  7. ohmissjones

    ohmissjones Private E-2

    Many thanks for the advice. Followed your instructions and have attached the new HijackThis log as well as the Ewido log.
     

    Attached Files:

  8. ohmissjones

    ohmissjones Private E-2

    Also, although I now notice that wfwall1.exe has disappeared from my Task Manager processes, I still cannot access Windows Firewall!
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    wfwall1.exe is not the Windows Firewall, it is a virus. The Windows Firewall is not a true firewall; it only protects your system one way (incoming). A true software firewall is bidirectional, in other words it protects your system on both outbound and inbound traffic.

    You are running your system unprotected. You have no antivirus program or software firewall. You should read this thread: How to Protect yourself from malware!

    I would like to take a deeper look at your system.

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C (C:\). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    After you have run WinPFind, post the log as an attachment.
     
  10. ohmissjones

    ohmissjones Private E-2

    I do have virus software; I just had it disabled while I was running the other software, as I did not want it to conflict. I am slightly wary of doing anything else at this stage, as I have just noticed that after the last set of instructions my CD-ROM drive is not appearing any more!
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Malware can do that. You may have to reinstall drivers.
     
  12. ohmissjones

    ohmissjones Private E-2

    Am trying to do that; unfortunately I have NO idea what driver I need. The laptop used to belong to my dad's old business, so we have none of the manuals etc. Is there any way of finding out the make of the CD-ROM drive, or would I have to get someone to open up the laptop to find this out?
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  14. ohmissjones

    ohmissjones Private E-2

    Shut down the laptop and then restarted it, and for some reason the CD-ROM drive reappeared; very strange, but I am not complaining. Have attached the WinPFind text file as requested.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  16. ohmissjones

    ohmissjones Private E-2

    Have attached the new Ewido log and new HijackThis log as requested. I also noticed today that when I first log onto the laptop I get an error message saying that VCMain.exe will not load properly. I'm guessing this might also be related to all the other problems?
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    vcmain.exe and vcclient.exe are a part of Volcano Chat; you may need to uninstall and reinstall Volcano Chat.

    PRINT THESE INSTRUCTIONS YOU WILL NEED THEM FOR USE WHEN NOT CONNECTED TO THE INTERNET

    Disconnect from the internet
    (physically remove the LAN cable). Close ALL browser windows (including this one).

    Scan with HijackThis and fix the following line:
    Now reach behind the computer and UNPLUG it. Yes I said unplug it, we want to avoid a clean shut down.

    Now, leaving the computer disconnected from the internet, plug it back in and BOOT to Safe Mode.

    Open Windows Explorer, navigate to and delete C:\WINDOWS\system32\wfwall1.exe.

    Shut down your computer, plug everything back in and BOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  18. ohmissjones

    ohmissjones Private E-2

    I did as you asked, but when I rebooted in Safe Mode there was no sign of wfwall1.exe in the System32 folder. The closest I could find was wfwnet.drv, but I did not delete this. Rebooted into Normal Mode and posted another HijackThis log anyway.
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    REBOOT

    Post a fresh HijackThis log.

    How is your computer running?
     
  20. ohmissjones

    ohmissjones Private E-2

    Computer is running much better, thank you. New HijackThis log attached.
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  22. ohmissjones

    ohmissjones Private E-2

    many thanks!
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
