Inactive [A] WinXP security 2012 virus: eliminated, but now Windows Update doesn't work

Status
Not open for further replies.
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders, and UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\NILaunch.exe
- C:\WINDOWS\shicoxp.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

===========================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

=============================================================

I can see some Avira items.
Is it still functional and running?
 
Neither Nilaunch.exe nor shicoxp.exe had any detections. The numbers were something like 0/42 and 0/23.

I DID remove the viewpoint media player.

Avira is still installed. If you go back to my first post (something like 2 weeks ago!), I believe that I did indicate that I used it to eliminate the virus initially. It is still functioning, but only when I start it. That is, it is not constantly monitoring anything. It is the free version and I do scans once a week or so.

Going back to ComboFix, even though it did not complete, I DID find a log file in its directory, mbr.log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SEAGATE_ rev.0003 -> Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target2Lun0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
error: Read The request could not be performed because of an I/O device error.

I noticed that the I/O error corresponds to a SCSI error in the event logs. I looked that up online, decoded the error and found this:

[xxxxx0ce] Scatter/gather limit exceeded
An I/O request packet from the system contained a Scatter/Gather element list
that contained more elements than are supported by the miniport.
Scatter/Gather is a list of data segments that define the entire data transfer.
Scatter/Gather is a means to improve total data throughput. This error
might be caused by a component external to the miniport driver, such as
the operating system or an ASPI application.

thanks again!
 
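The mbr.log quoted above reports "user != kernel MBR !!!": the sector 0 handed to a user-mode reader differs from the one the kernel-level read sees, which is how MBR bootkits that filter disk reads give themselves away. As an added example, not from this thread or from GMER's tool, the following Python script parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares two captures of the same sector, reporting whether the difference sits in the boot code, the partition table or the signature. Both sample sectors are constructed inline; the read_physical_drive_mbr helper and its \\.\PhysicalDrive0 device path are an assumed Windows user-mode reader and are not invoked by the sample run.

```python
"""Parse a 512-byte MBR and diff two captures of the same sector.

GMER's mbr.exe reports "user != kernel MBR" when the sector seen through a
user-mode read differs from the one seen by a kernel-level read; this script
shows what such a comparison looks like on two constructed sample sectors.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (what bootkits overwrite)
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIG_OFF = 510                # bytes 510..511: 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot code, partition entries and signature check."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        partitions.append({
            "bootable": status == 0x80,   # 0x80 = active, 0x00 = inactive
            "type": ptype,                # e.g. 0x07 = NTFS
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": mbr[:BOOT_CODE_LEN],
        "partitions": partitions,
        "valid_signature": mbr[SIG_OFF:SIG_OFF + 2] == BOOT_SIGNATURE,
    }


def compare_mbr(user_view: bytes, kernel_view: bytes) -> dict:
    """Report where two captures of the same sector differ (the user/kernel check)."""
    for view in (user_view, kernel_view):
        parse_mbr(view)   # validates length before comparing
    diffs = [i for i in range(SECTOR_SIZE) if user_view[i] != kernel_view[i]]
    regions = set()
    for i in diffs:
        if i < BOOT_CODE_LEN:
            regions.add("boot_code")
        elif i < SIG_OFF:
            regions.add("partition_table")
        else:
            regions.add("signature")
    return {
        "identical": not diffs,
        "changed_bytes": len(diffs),
        "first_diff": diffs[0] if diffs else None,
        "regions": sorted(regions),
    }


def read_physical_drive_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Assumed user-mode read of sector 0 (Windows, needs administrator).

    This is the view a disk-filtering rootkit can falsify; it is not called
    by the sample run below, which uses constructed sectors instead."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: NOP-filled boot code, one active NTFS partition."""
    boot_code = b"\x90" * BOOT_CODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 20_971_457)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed sample pair.  A disk-filtering bootkit typically hands user-mode
# readers the original sector while the real sector 0 carries its loader: here
# the "kernel" view has the boot code replaced and the partition table untouched.
CLEAN_MBR = build_sample_mbr()
INFECTED_MBR = b"\xeb\x3c" + b"\xcc" * (BOOT_CODE_LEN - 2) + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    print("clean vs clean:", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    result = compare_mbr(CLEAN_MBR, INFECTED_MBR)
    print("user vs kernel:", result)
    if not result["identical"]:
        print("user != kernel MBR !!!  (differs in: %s)" % ", ".join(result["regions"]))
```

A mismatch confined to the boot code with an intact partition table is the classic bootkit picture; a mismatch in the partition table or signature would more often point at a damaged or mis-read sector, which is also worth keeping in mind given the I/O errors the log shows alongside the mismatch.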
I can see some Avira items.
Is it still functional and running?

Do you have to have a straight yes or no?

Avira is still installed. If you go back to my first post (something like 2 weeks ago!), I believe that I did indicate that I used it to eliminate the virus initially. It is still functioning, but only when I start it. That is, it is not constantly monitoring anything. It is the free version and I do scans once a week or so.
 
AV program has to be running 24/7.
Possibly some files got corrupted.
You must reinstall it.

==============================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
    IE - HKU\S-1-5-21-789336058-287218729-682003330-1003\..\URLSearchHook: {38542454-dfb6-44f5-b052-d4e071a3d073} - SOFTWARE\Classes\CLSID\{38542454-dfb6-44f5-b052-d4e071a3d073}\InprocServer32 File not found
    O2 - BHO: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
    O3 - HKLM\..\Toolbar: (Elf 1.12 Toolbar) - {38542454-dfb6-44f5-b052-d4e071a3d073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
    O3 - HKU\S-1-5-21-789336058-287218729-682003330-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-789336058-287218729-682003330-1003\..\Toolbar\WebBrowser: (Elf 1.12 Toolbar) - {38542454-DFB6-44F5-B052-D4E071A3D073} - C:\Program Files\Elf_1.12\prxtbElf0.dll File not found
    O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.co...856.9063425926 (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: HushEncryptionEngine https://mailserver5.hushmail.com/sha...tionEngine.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
    O33 - MountPoints2\{302fca80-6e36-11dc-a4b8-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{302fca80-6e36-11dc-a4b8-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{302fca80-6e36-11dc-a4b8-806d6172696f}\Shell\AutoRun\command - "" = F:\Programs\Nu2Menu\nu2menu.exe -- [2006/02/07 13:00:46 | 000,084,992 | R--- | M] (Nu2 Productions)
    O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell - "" = AutoRun
    O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{769375ea-1a2b-11e0-9fb2-002654106f4b}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
    O33 - MountPoints2\H\Shell - "" = AutoRun
    O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
    [2012/01/12 18:59:55 | 000,008,581 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\5f5e9b90
    [2012/01/12 18:59:55 | 000,008,578 | ---- | C] () -- C:\Documents and Settings\Rion\Application Data\32f0799f
    [2012/01/12 18:59:55 | 000,008,526 | ---- | C] () -- C:\Documents and Settings\Rion\Local Settings\Application Data\95b84d65
    [2011/07/10 17:15:57 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pgoxafonut.dat
    [2011/07/10 17:15:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Nvorog.bin
    [2004/05/26 18:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2007/06/01 04:52:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\Viewpoint
    [2007/11/05 02:13:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\Uniblue
    [2012/01/13 03:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rion\Application Data\SpeedMaxPc
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.

===============================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

==============================================================

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 