Solved Virus that prevents AV from being installed.

August 23, 2011 at 10:28:46
Specs: Windows XP Service Pack 3, 2.128 GHz / 1015 MB
The virus that invaded first posed as the Blaster worm and shut down all processes (how I discovered it was not the Blaster worm is the LAST story). Finally used Malwarebytes: downloaded it from a separate clean computer onto a CD and then downloaded it through safe mode. So I thought I was home free. NOT. All systems were go again, except 1) Malwarebytes turned on me 2) no AV would install or uninstall.

My IT brother-in-law did manage to uninstall the defunct Malwarebytes and get rid of the AVG traces, which I THOUGHT was what was preventing reinstall of AV, but when he tried to install Microsoft Security Essentials (not MY pick of AV), it would not work. He abandoned me at that point, so I had to uninstall Microsoft Security Essentials myself using CCleaner, which seems to have been successful.
So here are my issues:
1) I want to try VIPRE Rescue, which I have downloaded from a clean computer onto USB, via safe mode with command prompt, since I don't even want to waste my time trying to do it from Windows. My question is this: does anybody know of any issues with this procedure or this product?

2) Then (and this is a secondary issue), now my computer does not boot normally anymore. I have to go through the process of picking normal or safe mode EVERY time it boots up. At the moment, I can live with it, since I need safe mode with command prompt in order to install VIPRE Rescue anyway.

So, anybody out there know if I should NOT do this VIPRE Rescue? And will I be able to uninstall it later if I don't want to use it anymore? PS: I already know that you have to go back to their site to do scans every time.







#1
August 23, 2011 at 14:35:18
Did you try Avast like I suggested in your other post?
MSE is not as good as Avast.
Just use Revo Uninstaller
http://www.revouninstaller.com/revo...
to remove any problem programs you have...it will also help by cleaning out all the registry junk left behind.
Some HELP in posting on Computing.net plus free progs and instructions 7 Medals


#2
August 23, 2011 at 17:48:03
Yes I tried to install Avast--and I even double-checked your recommendation with other reviewers, and their opinion was consistent with yours that it is a fine AV product--but it just would NOT install, either directly through a download from the net, or through a cd that I downloaded it to from a clean computer. But like I said, it was my "helpful" brother in law who attempted to put in that Microsoft Essentials--bless his little IT heart--even though I said that I would prefer to use Avast! But you probably know how some IT "pros" can be: they are not going to listen to somebody like ME, no matter how much research I have done. And, when (predictably) the silly Microsoft Essentials didn't work, his response was "See you later and good luck!"
So, I was back to my own resources to try and destroy this virus that just will NOT allow me to download ANYTHING that might stop it.
Oh, and I DID successfully download the Revo Uninstaller, but like the MalwareBytes AV that I installed on the sly from safe mode, it also began to malfunction rather quickly, so I used my CCleaner to uninstall THAT.
Anyway, after doing a search about this virus that won't let any AV be installed, I found "VIPRE Rescue" here http://live.sunbeltsoftware.com/ and according to its description, this is the sort of last-ditch thing for when viruses are blocking efforts to get rid of them. I also came across something by a man named David Lipman here: http://www.claymania.com/removal-tr... which is this four-part AV package thing, that looked like a possibility too, although a bit of a hassle, since I would have to download four different things, and I am not all that savvy.
Anyway, I DID read that there were some issues with VIPRE: 1) it may not completely uninstall--but if it gets rid of this virus, I could live with that! And it also has to be re-downloaded from the site every time you want to scan.
Will you let me know what you think of this VIPRE Rescue or of Dave's AV fix? So far, VIPRE Rescue looks to me like something that I can handle better since it is self-executing. I already downloaded it onto a memory stick, but I wanted some objective feedback before I committed myself to it. Thanks again.


#3
August 23, 2011 at 21:42:11
Okay Friends, I have not yet taken any steps to take care of my AV problem. However, I thought I would post this article which gives the rationale for "portable" AV and malware tools. It also gives a rundown of some of the best ones available. Mainly I am posting this because I am discovering that most people think that they install their AV program and that means they're set. Well, I am clearly an example of one of these unwary people who DOES update their AV software responsibly, and DOES avoid going to questionable sites, etc etc, and I still got caught. The portable tool is kept on a USB, and it plugs in to fix things that the "real-time" stuff can't, because the bug is designed to bypass and/or disable your AV (like it did my AVG, which I have counted on for FIVE years with no problems). Thanks for all your help and, like I said before, I will post after I try this portable fix. Here is the article: http://thepcsecurity.com/ultimate-l... Hope you find it useful when trying to help others who face a shutdown of their trusty AV software. Peace. HH


#4
August 25, 2011 at 08:23:11
VIPRE Rescue did successfully install into my infected computer from USB (via a clean computer) in safe mode with command prompt. However, its processes did not work in the order they described--which made it confusing as to whether or not it was running properly. The site said that it took a long time, but in my case it identified a Trojan Generic right away, but then it stopped its "deep scan" of the rest of my computer. (I left it alone all night, and it never moved from that initial place.) Moreover, VIPRE did NOT remove the Trojan it identified, and the lack of user interface made it impossible for me to figure out how to remove it manually. And finally, to add insult to injury, when I went back to download their new definitions (which they say is required for every time you re-use it since they update it continually), I was redirected to a site where I must pay.
Therefore, thumbs down on this one: not only did VIPRE Rescue fail to remove the infection and run its process out of the order they described, they are also falsely advertising that this portable infection remover is FREE every time you use it. Maybe the first time it is free, and if it does the job, so what? But after that, it is no longer free. I wouldn't bother with this if your situation is like mine: you cannot download AV directly onto your computer because the infection blocks all your attempts, so you have to install it through safe mode with command prompt. It MAY work fine if you can download directly from the internet in normal mode. But if that is the case, then why would you need THIS AV tool in the first place?


#5
August 25, 2011 at 09:44:38
Follow the instructions carefully from the website and run combofix
http://www.bleepingcomputer.com/com...
...that should nip it in the bud.


#6
August 25, 2011 at 11:53:01
Hey, XPUser, I am pretty sure I can do this. I have an extra computer so that I can keep these instructions on screen while doing this fix on my sick one. But what I need to know is if you are one of these "helpers" they are talking about? Should I post the "log" here in reply to you? Also, if you are not one of these "helpers," or if I am not to post it for you to look at, how important is it that I DO post the "log" this process generates as it says that I should?
Thanks. HH


#7
August 25, 2011 at 12:06:26
Yes, I am a qualified helper, you can post the logs


#8
August 25, 2011 at 12:35:14
Thanks, XPUser. I am going to take a brief calm-down walk to rest my eyes, brain, and emotions. I am feeling a little disgusted at the moment from finding all this crud that "somebodies" feel compelled to install on my computer with no explanation/permission--this includes companies like Java, as well as my aforementioned bro-in-law. I need a few to restore my alertness and confidence so that I can concentrate better. =)

I guess I will post the log when the combo-fix says I post it, k? If I run into any barriers, I will follow up here.

Peace. HH



#9
August 25, 2011 at 13:19:21
Okay, that stupid Microsoft Security Essentials that SOMEBODY installed but does not work and will not install is giving me a warning message that says it is active and is known to interfere with combofix's running, which could lead to unpredictable results or machine damage. Telling me to disable before I click okay, but we already know I cannot disable this crap. Suggestions?
I am at the point of just drop-kicking either the computer or the brother in law, who should have KNOWN that this simple minded AV program would not work--okay, that is in the past, take a deep breath.....
What should I do: go ahead and do okay or abort?

HH



#10
August 25, 2011 at 13:34:25
Use Revo Uninstaller in hunter mode to remove that pesky MSE.

That's the reason I never recommend MSE...it is near to impossible to remove from the registry...Revo will do that for you


#11
August 25, 2011 at 13:59:56
Okay, I will try the Revo again one more time....If this doesn't work, friend, I am just going to either a) just run it without AV until it explodes and enjoy the show or b) wipe the disk and hope I can find my backup restore disks from five years ago

In either case, I shan't bother anyone here with it again. This thread is turning into "War and Peace," i.e., a long, boring novel!

HH



#12
August 25, 2011 at 14:00:59
It is no bother...we all do the help voluntarily.


#13
August 25, 2011 at 14:02:55
You could also physically remove the drive from your PC and slave it, or get a USB conversion cable and slave it to another PC...there you can remove all the viruses, etc. and then pop it back into your PC.


#14
August 25, 2011 at 14:41:43
Okay, I think we are going to get the explosion after all. It would NOT install a reinstaller but combofix DID start itself on its own (?), so I went with it. It told me I have a RootKit.Zero Access infection inserted in my TCP/IP (?) stack, which is very difficult to remove so it needed to reboot. Unfortunately, it now habitually reboots into safe mode, which I tried to forestall but was unable to. I have now turned it off and am going to try to reboot into normal mode again....the saga continues.


#16
August 25, 2011 at 15:14:24
Holy Sh**! "Completed stage 41"...this IS powerful. I have NO idea how I am going to get a log to you since I am still trapped in safe mode with no dot prompt no task bar, no nothing, but this program going hog wild! (Stage 50 now!)

BTW, that link scares me. Am I in any legal trouble or something with these people for using this? It says I wasn't supposed to do this on my own......
Well, whatever the case with that, unless I can get that machine out of safe mode and back into normal mode there will be NO downloads to fix the rootkit.zeroaccess infection from that link cause I get no internet in safe mode.

ProgressReport:
Okay, now I am at the stage where it is noting my infections and attempting to restore....attempting to restore.....etc etc

Well, here is: "WINDOWS/system32wuauclt.exe successfully restored"

"Rebooting windows do not manually reboot"
Okay, it has rebooted into safe mode again.
I am asking you first this time: Should I attempt to reboot back into normal mode via the Run>msconfig>uncheck safeboot? If that doesn't work, I do know how to do F8 on startup and TRY again for a normal mode.....
Dang! This IS War and Peace---mostly War

Preparing Log Report BUT I am being prompted to choose yes to go into safe mode or no to system restore

I am sending this NOW!



#17
August 25, 2011 at 15:32:29
✔ Best Answer
I must say you are extremely Dramatic...ever consider writing a novel entitled...'The Clash of the Viruses and Laying a Beating on the Beast'
Or something in that line...never know...you may sell a few ;-)


#18
August 25, 2011 at 15:36:30
Okay, it did produce the log report. Buuuut, when I minimized it (still in safe mode), I am facing a Sysinternals Software license terms agreement to accept EULA.

I am in the middle of nowhere here, not knowing whether to "Agree" or "Decline" this license to use software. My intuition says agree, so I can move on and try to get back into normal mode and send that log. Any suggestion on this?



#19
August 25, 2011 at 15:37:50
without seeing it in person, i really don't know what to say


#20
August 25, 2011 at 15:59:20
LOL!! I am accepting the license agreement. I saved the log as "log backup" in My Documents again just in case. Since I have nothing left to lose here, I will now attempt to reboot into normal mode, and see what I have got.


Knock wood.



#21
August 25, 2011 at 18:22:43
XPUser: Although I have not been able to get back into normal mode, I did get into safe mode with networking, I have retrieved the log, and my Windows recovery console did install. So, I am thinking I am in no worse shape than I was before the combofix, since the log reveals that at least some problems were addressed. I cannot tell if the RootKit was fixed or not.
Since the machine did not explode, I guess my main question is how to deliver this log. I could paste it here, though I would likely have to do it in chunks if there is no way to attach a Notepad or Word file (that I created to attach to an email to myself for safekeeping). I am also wondering, of course, what my next steps (if any are possible) are in getting my computer back into normal working mode again....
Whatever the case, I still have my OS, all my Docs, Pics, etc, so what I really care about is not lost--yet.
Will you let me know if you can still analyze that log? Thanks. HH

Peace. HH



#22
August 25, 2011 at 18:45:01
you can copy and paste the log into a post


#23
August 25, 2011 at 20:05:53
Thanks, XPUser. Sorry about being too "dramatic"--just my writing style, I guess, and this makes me nervous. Here is the combo log:

ComboFix 11-08-25.01 - Virginia Hanna 08/25/2011 16:46:33.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.798 [GMT -5:00]
Running from: c:\documents and settings\Virginia Hanna\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Virginia Hanna\Application Data\9EFA.230
c:\documents and settings\Virginia Hanna\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Virginia Hanna\My Documents\~WRL0005.tmp
c:\documents and settings\Virginia Hanna\My Documents\~WRL0504.tmp
c:\documents and settings\Virginia Hanna\My Documents\~WRL1010.tmp
c:\documents and settings\Virginia Hanna\My Documents\~WRL1517.tmp
c:\documents and settings\Virginia Hanna\My Documents\~WRL2688.tmp
c:\documents and settings\Virginia Hanna\WINDOWS
c:\windows\$NtUninstallKB9961$
c:\windows\$NtUninstallKB9961$\1930589298
c:\windows\$NtUninstallKB9961$\4056033492\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB9961$\4056033492\click.tlb
c:\windows\$NtUninstallKB9961$\4056033492\L\pdmzmplg
c:\windows\$NtUninstallKB9961$\4056033492\loader.tlb
c:\windows\$NtUninstallKB9961$\4056033492\U\$000000c0
c:\windows\$NtUninstallKB9961$\4056033492\U\$000000cb
c:\windows\$NtUninstallKB9961$\4056033492\U\@00000001
c:\windows\$NtUninstallKB9961$\4056033492\U\@000000c0
c:\windows\$NtUninstallKB9961$\4056033492\U\@000000cb
c:\windows\$NtUninstallKB9961$\4056033492\U\@000000cf
c:\windows\$NtUninstallKB9961$\4056033492\U\@80000000
c:\windows\$NtUninstallKB9961$\4056033492\U\@800000c0
c:\windows\$NtUninstallKB9961$\4056033492\U\@800000cb
c:\windows\$NtUninstallKB9961$\4056033492\U\@800000cf
c:\windows\system32\c_76045.nls
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!
.
c:\windows\system32\dlcccoms.exe . . . is infected!!
.
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE . . . is infected!!
.
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe . . . is infected!!
.
c:\program files\Citrix\GoToAssist Express Customer\309\g2ax_service.exe . . . is infected!!
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
.
c:\windows\system32\lxdncoms.exe . . . is infected!!
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
.
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe . . . is infected!!
.
c:\windows\system32\HPZipm12.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\RegSrvc.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe . . . is infected!!
.
c:\program files\Intel\Wireless\Bin\WLKeeper.exe . . . is infected!!
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_f1c228d4
.
.
((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
.
.
2011-08-25 21:34 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 15:00 . 2011-08-25 15:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-08-25 15:00 . 2011-08-25 15:00 -------- d-----w- c:\windows\LastGood
2011-08-25 13:40 . 2011-08-25 13:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-25 13:40 . 2011-08-25 13:40 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-21 22:42 . 2011-08-16 13:48 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E08022E3-DB70-454E-90CF-FD47CEE6044D}\mpengine.dll
2011-08-21 22:42 . 2011-05-25 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-21 22:13 . 2011-08-21 22:13 -------- d-----w- c:\program files\Citrix
2011-08-21 22:12 . 2011-08-21 22:12 -------- d-----w- c:\documents and settings\Virginia Hanna\Local Settings\Application Data\Citrix
2011-08-21 21:00 . 2011-08-21 21:00 -------- d-----w- c:\program files\Common Files\xing shared
2011-08-21 20:58 . 2011-08-21 22:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-21 20:20 . 2011-08-21 20:20 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2011-08-21 15:47 . 2011-08-21 15:47 -------- d-----w- c:\documents and settings\Virginia Hanna\Local Settings\Application Data\VS Revo Group
2011-08-21 15:47 . 2011-08-21 15:47 -------- d-----w- c:\program files\VS Revo Group
2011-08-21 03:19 . 2011-08-21 03:19 56167608 -c--a-w- C:\setup_av_free.exe
2011-08-21 02:35 . 2011-08-21 02:35 -------- d--h--w- c:\windows\PIF
2011-08-21 02:18 . 2011-08-21 02:18 1163104 -c--a-w- C:\avg_remover_stf_x86_2011_1322.exe
2011-08-20 16:39 . 2011-08-20 16:39 -------- d-----w- c:\documents and settings\Virginia Hanna\Application Data\Malwarebytes
2011-08-20 16:39 . 2011-08-20 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-11 02:38 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 02:37 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-20 18:36 . 2011-08-20 18:32 447659 ----a-w- c:\windows\smc.zip
2011-07-15 13:29 . 2006-03-07 04:39 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 16:20 . 2011-07-12 16:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 16:20 . 2011-07-12 16:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-12 03:43 . 2011-07-12 03:44 737280 ----a-w- c:\windows\iun6002.exe
2011-07-08 14:02 . 2005-08-16 10:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2005-08-16 10:37 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-08-16 10:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 00:35 . 2011-05-19 17:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2005-08-16 10:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-28 03:40 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-7 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2011-08-21 22:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\309\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 17:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2011-06-24 19:53 2423608 ----a-w- c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
2005-01-13 05:00 126976 ----a-w- c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2009-01-29 15:43 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 15:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnamon]
2009-01-29 15:43 16040 ----a-w- c:\program files\Lexmark 2600 Series\lxdnamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnmon.exe]
2009-01-29 15:43 660136 ----a-w- c:\program files\Lexmark 2600 Series\lxdnmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 20:16 997920 -c--a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-05-28 03:40 273544 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\Diagnostics\\LXDNdiag.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Real\\RealUpgrade\\realupgrade.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmsdmon.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Microsoft Security Client\\msseces.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Virginia Hanna\\Desktop\\cnet_RevoUninProSetup_exe.exe"=
.
S2 bomgar-scc-1313864856;Bomgar Support Customer Client [1313864856];"c:\documents and settings\All Users\Application Data\bomgar-scc-4E4FFC97\bomgar-scc.exe" -service:run --> c:\documents and settings\All Users\Application Data\bomgar-scc-4E4FFC97\bomgar-scc.exe [?]
S2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [5/18/2006 6:33 PM 135168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 8:53 AM 135664]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [1/6/2010 11:23 PM 98984]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\309\g2ax_service.exe [8/21/2011 5:13 PM 161144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 8:53 AM 135664]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 10:11 AM 10664]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [6/19/2008 8:00 AM 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [6/19/2008 8:00 AM 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [6/19/2008 8:00 AM 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [6/19/2008 8:00 AM 59520]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 13:52]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 13:52]
.
2011-08-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2674488941-3667878815-1482505049-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-08-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2674488941-3667878815-1482505049-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-Win*Writer 2.04.06 - c:\wstar20\UNWISE.EXE
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-25 17:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST960822A rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x872CC31B
user & kernel MBR OK
.
**************************************************************************
.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\bomgar-scc-1313864856]
"ImagePath"="\"c:\documents and settings\All Users\Application Data\bomgar-scc-4E4FFC97\bomgar-scc.exe\" -service:run"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\program files\Citrix\GoToAssist Express Customer\309\g2ax_winlogon.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
.
**************************************************************************
.
Completion time: 2011-08-25 17:18:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-25 22:18
.
Pre-Run: 12,223,471,616 bytes free
Post-Run: 12,283,666,432 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=""Windows XP Media Center Edition" /noexecute=optin /fastdetect /safeboot:network /sos /bootlog /noguiboot"
.
- - End Of File - - 51A4A97748CF1AFC28E977052C3CAEB3



#24
August 25, 2011 at 20:35:45
Your PC sure was infested....so now you cannot get into normal mode yet?

Try Trojan Remover and Hitman Pro again...they can possibly find the error that won't let the PC boot up in normal mode.

Also, like I said in an earlier post...use Revo Uninstaller in HUNTER mode to get rid of MSE
http://techdows.com/2010/08/uses-of...

Some HELP in posting on Computing.net plus free progs and instructions 7 Medals



#25
August 25, 2011 at 21:11:48
Thanks. Will do. I used almost your whole day. You must like mysteries as much as I do.


#26
August 26, 2011 at 15:15:54
XPUser: I just wanted to thank you again for all the help you have given me. Time is precious, and you took some of yours to help out a stranger.

I thought you might like an update on my progress: I successfully installed Revo --at last! and it did get rid of that awful MSE. I also finally figured out how to get back into Normal mode: First, I had too much on my start menu for Safe mode, so the "Run" option could not be shown. So, I went in and took things off the start menu and used small icons. Voila! The "Run" option reappeared, so that I could run "msconfig." It took a few trials and errors, but when I saw that it was set to "Windows Recovery Console," I took a chance and changed it to "Windows Media Edition." At that point, I was able to uncheck "safeboot," and then check "Regular mode." I restarted and am back in Normal mode, hopefully for good.

At this point, I am about to install Avast! as you originally recommended--and I am looking into the best PAID anti-virus and malware for my budget--which isn't too much, I'm afraid, or I probably would not have done all of this work by myself (with a great helper, by the way!) but just paid someone to do this week-long process the way people with money do. BTW, I did look into Hitman Pro, but it seems there are some ownership and ethics issues that make me not want to touch it. I WILL do at least the trial for Trojan Remover as soon as possible.

Thank you SO MUCH for your time and help with this, but I do have a lingering question about the Combofix work we did: Did my log report show that the RootKit.ZeroAccess bug was disinfected? Or did it show that I still need to get rid of it as well as a lot of other issues to resolve? I am just wondering if I can take your last words, "Your pc sure WAS infested" literally, as in the PAST TENSE, so my infections are gone, or if I should continue trying to kill bugs that combofix could not resolve. If I am set to go, there's no need to use any more of your time to respond to this, okay? I can just take silence as a nod for me to go ahead and download my Avast! AV and do the Trojan Remover trial and see what happens.

Again, I thank you kindly (if a bit dramatically) for all your patient help.

With deep regards, Rev. Virginia H Belt


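The [boot loader] section at the end of the ComboFix log above shows why the machine kept offering Safe Mode on every start: the default Windows entry carries a /safeboot:network switch, which is exactly the setting the post above cleared from the BOOT.INI tab of msconfig. As an added example (not code from this thread, from ComboFix or from msconfig), the Python script below parses a boot.ini in the form ComboFix printed it, reports which entry is the default and which entries are pinned to Safe Mode, and strips the switch as a text edit. The sample text is the boot.ini from the log; the function names are this example's own.

```python
"""Find and remove a persistent /safeboot switch in a Windows XP boot.ini.

Added example for this thread; not code from ComboFix, msconfig or any other
tool named above. The function names are assumptions of this example.
"""
import re

# Copied from the [boot loader] section ComboFix printed in this thread. The
# default entry carries /safeboot:network, so Windows always started in Safe
# Mode with Networking unless another entry was picked at the boot menu.
SAMPLE_BOOT_INI = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS=""Windows XP Media Center Edition" /noexecute=optin /fastdetect /safeboot:network /sos /bootlog /noguiboot"
"""

# A boot switch looks like /name, /name:value or /name=value.
SWITCH_RE = re.compile(r"/([A-Za-z]+)(?:[:=]([A-Za-z0-9]+))?")
# The /safeboot switch with its optional mode, plus any leading whitespace.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::[A-Za-z0-9]+)?", re.IGNORECASE)


def parse_boot_ini(text):
    """Return {'timeout', 'default', 'entries'} parsed from boot.ini text."""
    result = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                result["timeout"] = int(value)
            elif key.lower() == "default":
                result["default"] = value
        elif section == "operating systems":
            # The value is a quoted description followed by zero or more
            # switches; the first quoted run is the menu text.
            desc = re.search(r'"([^"]+)"', value)
            switches = {name.lower(): arg.lower()
                        for name, arg in SWITCH_RE.findall(value)}
            result["entries"].append({
                "path": key,
                "description": desc.group(1) if desc else value,
                "switches": switches,
            })
    return result


def default_entry(parsed):
    """Return the [operating systems] entry that default= points at, or None."""
    wanted = (parsed["default"] or "").lower()
    for entry in parsed["entries"]:
        if entry["path"].lower() == wanted:
            return entry
    return None


def find_forced_safeboot(parsed):
    """List (path, mode) for every entry that will always start in Safe Mode."""
    return [(e["path"], e["switches"]["safeboot"])
            for e in parsed["entries"] if "safeboot" in e["switches"]]


def strip_safeboot(text):
    """Return boot.ini text with every /safeboot[:mode] switch removed.

    This is the text-level equivalent of clearing the /SAFEBOOT box on the
    BOOT.INI tab of msconfig; every other switch is left untouched.
    """
    return SAFEBOOT_RE.sub("", text)


if __name__ == "__main__":
    parsed = parse_boot_ini(SAMPLE_BOOT_INI)
    entry = default_entry(parsed)
    print("default entry:", entry["description"] if entry else parsed["default"])
    for path, mode in find_forced_safeboot(parsed):
        print("forced Safe Mode (%s) on %s" % (mode, path))
    cleaned = parse_boot_ini(strip_safeboot(SAMPLE_BOOT_INI))
    print("entries still forced to Safe Mode after cleanup:",
          find_forced_safeboot(cleaned))
```

Run it as-is and it reports the Media Center entry as the default with Safe Mode forced in "network" mode, and an empty list after the switch is stripped. The same parser works on any XP-era boot.ini pasted from a log, which is a quicker check than booting the machine to see which menu it comes up with.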

#27
August 26, 2011 at 16:42:51
Hi, as far as Hitman Pro goes, I would suggest running it, same as Trojan Remover. When they both run clean....use the uninstaller from All Programs...NOT the Add/Remove; that way both programs will safely unload.

I don't steer people to use any products that are unsafe or cost money.
Good luck with everything and DON'T let your brother-in-law put crappy progs like MSE on your PC again...LOL

I have done PC repairs as a business for the past 10 years....good luck




#28
August 26, 2011 at 20:00:06
Well, XPUser, you haven't steered me wrong yet, so okay, I'll go ahead with HitMan and Trojan Remover, and if clean, then uninstall them--though NOT via that horrid Windows Add/Remove! At the moment, Avast! is running an eternal boot scan--which made my heart jump at first when it reported all my files and programs "corrupted," but I went to some Avast! forums and they all said the exact same thing: All it means is that Avast! cannot read them, so stop sweating.
Thanks again for everything, and don't worry, I will not allow anyone to put their grubby paws on my machine. You ought to see how clean it is! And if I am anything, it is a clean freak. Peace. HH
