WinXP security 2012 virus: eliminated, but now Windows Update doesn't work

By Bobbyrae
Jan 13, 2012
Topic Status:
Not open for further replies.
  1. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\WINDOWS\system32\NILaunch.exe
    - C:\WINDOWS\shicoxp.exe
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.

    ===========================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    =============================================================

    I can see some Avira items.
    Is it still functional and running?
  2. Bobbyrae

    Bobbyrae Newcomer, in training Topic Starter Posts: 25

    Neither Nilaunch.exe nor shicoxp.exe had any detections. The numbers were something like 0/42 and 0/23.

    I DID remove the viewpoint media player.

    Avira is still installed. If you go back to my first post (something like 2 weeks ago!), I believe that I did indicate that I used it to eliminate the virus initially. It is still functioning, but only when I start it. That is, it is not constantly monitoring anything. It is the free version and I do scans once a week or so.

    Going back to ComboFix, even though it did not complete, I DID find a log file in its directory, mbr.log:

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: SEAGATE_ rev.0003 -> Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target2Lun0

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user != kernel MBR !!!
    error: Read The request could not be performed because of an I/O device error.

    I noticed that the I/O error corresponds to a SCSI error in the event logs. I looked that up online, decoded the error and found this:

    [xxxxx0ce] Scatter/gather limit exceeded
    An I/O request packet from the system contained a Scatter/Gather element list
    that contained more elements than are supported by the miniport.
    Scatter/Gather is a list of data segments that define the entire data transfer.
    Scatter/Gather is a means to improve total data throughput. This error
    might be caused by a component external to the miniport driver, such as
    the operating system or an ASPI application.

    thanks again!
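The mbr.log above is Gmer's detector comparing the MBR as seen through the normal user-mode read path with the MBR as read by its own kernel driver below the disk stack; a bootkit that hooks the stack hands user mode the original sector and keeps its patched boot code out of sight, which is what "user != kernel MBR" means. The following is an added example, not Gmer's code and not from the thread: it parses two 512-byte MBR images (boot code, the four partition-table entries, the 0x55AA signature) and reports where the two views disagree. It does not touch a disk; both views are constructed byte strings, and the boot-code bytes are invented placeholders.

```python
"""Compare a user-mode and a kernel-mode view of the same MBR (added example).

On a real host the two buffers would come from reading sector 0 of
\\\\.\\PhysicalDrive0 through the normal API and through a lower-level read;
here both are constructed so the script runs offline.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # 446 bytes of boot code, then 4 x 16-byte entries
SIGNATURE_OFFSET = 510    # last two bytes must be 0x55 0xAA


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into a boot-code hash, partition entries and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # boot flag, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # LBA of first sector, sector count
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        parts.append({"bootable": boot == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
        "signature_ok": data[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def compare_views(user_view: bytes, kernel_view: bytes) -> list:
    """Return a list of findings; an empty list means both views agree."""
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if not (u["signature_ok"] and k["signature_ok"]):
        findings.append("missing 0x55AA boot signature")
    if u["bootcode_sha256"] != k["bootcode_sha256"]:
        findings.append("user != kernel MBR: boot code differs (possible MBR rootkit)")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between views")
    return findings


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (boot, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba, n)
                     for boot, ptype, lba, n in partitions)
    body = bootcode.ljust(PART_TABLE_OFFSET, b"\0") + table.ljust(64, b"\0")
    return body + b"\x55\xaa"


# Constructed placeholder boot code; the "infected" variant has a patched jump.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\x50\x07\x50\x1f\xfc\xbe\x1b\x7c"
INFECTED_BOOTCODE = b"\xe9\x00\x02" + CLEAN_BOOTCODE[3:]


def demo() -> dict:
    """Run the comparison on a clean/clean pair and a clean/hooked pair."""
    parts = [(0x80, 0x07, 63, 2097152)]          # one bootable NTFS-type partition
    clean = build_mbr(CLEAN_BOOTCODE, parts)
    infected = build_mbr(INFECTED_BOOTCODE, parts)
    return {"same": compare_views(clean, clean),
            "hooked": compare_views(clean, infected)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result or "views agree")
```

A mismatch is a strong signal but not proof on its own: the log in this thread also ends in an I/O device error on the read, and a truncated or failed read produces a differing buffer just as a hook does. The usual confirmation is to read sector 0 from a clean boot environment (a live CD) and compare it with the in-Windows copy.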
  3. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    ....
  4. Bobbyrae

    Bobbyrae Newcomer, in training Topic Starter Posts: 25

    Do you have to have a straight yes or no?

  5. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    AV program has to be running 24/7.
    Possibly some files got corrupted.
    You must reinstall it.

    ==============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
      IE - HKU\S-1-5-21-789336058-287218729-682003330-1003\..\URLSearchHook: {38542454-dfb6-44f5-b052-d4e071a3d073} - SOFTWARE\Classes\CLSID\{38542454-dfb6-44f5-b052-d4e071a3d073}\InprocServer32 File not found
      O2 - BHO: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
      O3 - HKLM\..\Toolbar: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
      O3 - HKU\S-1-5-21-789336058-287218729-682003330-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKU\S-1-5-21-789336058-287218729-682003330-1003\..\Toolbar\WebBrowser: (Elf 1.12 Toolbar) - {38542454-DFB6-44F5-B052-D4E071A3D073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
      O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
      O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
      O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.co...856.9063425926 (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: DirectAnimation Java Classes Reg Error: Value error. (Reg Error: Key error.)
      O16 - DPF: HushEncryptionEngine https://mailserver5.hushmail.com/sha...tionEngine.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
      O33 - MountPoints2\{302fca80-6e36-11dc-a4b8-806d6172696f}\Shell - "" = AutoRun
      O33 - MountPoints2\{302fca80-6e36-11dc-a4b8-806d6172696f}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{302fca80-6e36-11dc-a4b8-806d6172696f}\Shell\AutoRun\command - "" = F:\Programs\Nu2Menu\nu2menu.exe -- [2006/02/07 13:00:46 | 000,084,992 | R--- | M] (Nu2 Productions)
      O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell - "" = AutoRun
      O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
      O33 - MountPoints2\H\Shell - "" = AutoRun
      O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
      [2012/01/12 18:59:55 | 000,008,581 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5f5e9b90
      [2012/01/12 18:59:55 | 000,008,578 | ---- | C] () -- C:\Documents and Settings\Rion\Application Data\32f0799f
      [2012/01/12 18:59:55 | 000,008,526 | ---- | C] () -- C:\Documents and Settings\Rion\Local Settings\Application Data\95b84d65
      [2011/07/10 17:15:57 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pgoxafonut.dat
      [2011/07/10 17:15:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Nvorog.bin
      [2004/05/26 18:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2007/06/01 04:52:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\Viewpoint
      [2007/11/05 02:13:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\Uniblue
      [2012/01/13 03:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\SpeedMaxPc
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.

    ===============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==============================================================

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
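The OTL fix above is built from a handful of line types: Run keys and browser add-ons whose target file no longer exists ("File not found"), stale ActiveX download entries ("Reg Error"), MountPoints2 autorun commands for removable drives, and recently created files with no vendor and a bare hex name in Application Data. The following is an added example, not OTL's own code and not from the thread: a small triage pass that reads OTL-format lines and flags those categories so a helper can see at a glance what a fix script would need to contain. The sample log is constructed (most lines are copied from the script above; the Avira Run entry and the shell32.dll line are invented controls that should not be flagged), and the hex-name heuristic is an assumption, not an OTL rule.

```python
"""Triage OTL-style log lines into the categories a fix script targets (added example)."""
import re

# Constructed sample: lines from the post above plus two invented benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
[2012/01/12 18:59:55 | 000,008,581 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5f5e9b90
[2012/01/13 03:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\SpeedMaxPc
[2011/11/02 10:00:00 | 000,524,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shell32.dll
"""

# [date time | size | attrs | C/M] (vendor) -- path   (vendor part is absent for directories)
FILE_LINE = re.compile(
    r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] "
    r"(?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$"
)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")   # heuristic: 8 lowercase hex chars, no extension
ORPHAN_PREFIXES = ("O2 -", "O3 -", "O4 -", "IE -", "SRV -")


def triage(log_text: str) -> list:
    """Return (category, detail) pairs for every line worth putting in a fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(ORPHAN_PREFIXES) and "File not found" in line:
            # Autostart/BHO/toolbar entry pointing at a file that is gone
            findings.append(("orphaned-entry", line))
        elif line.startswith("O16 -") and "Reg Error" in line:
            findings.append(("stale-activex", line))
        elif line.startswith("O33 -") and r"\Shell\AutoRun\command" in line:
            # Command run when the removable drive is opened; keep just the command
            findings.append(("removable-autorun", line.split(" = ", 1)[1]))
        else:
            m = FILE_LINE.match(line)
            if not m or "D" in m.group("attrs"):
                continue
            path = m.group("path")
            name = path.rsplit("\\", 1)[-1]
            if not m.group("vendor") and HEX_NAME.match(name) and "Application Data" in path:
                findings.append(("hex-named-file", path))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print(f"{category:18} {detail}")
    print(summarize(results))
```

The output is a worklist, not a verdict: an orphaned Run key is harmless clutter until its target reappears, and a hex-named file is only suspicious in combination with its creation time and lack of a vendor string, which is why the fix script above still sends the real files to VirusTotal before deleting anything.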
  6. Broni

    Broni Malware Annihilator Posts: 46,319   +252

    Still with me?