because she was no longer able to run applications. She receives a message along the lines of "this operation has been cancelled due to restrictions enforced on your computer; contact your administrator" (apologies for the poor translation, but she has a French-language copy of Windows installed) whenever she tries to open an application.
She has an administrator account but appears to have lost her privilege to run applications (and also cmd, mmc, msconfig, gpedit, regedit etc.). I also note that any flash drives/USB keys inserted into the PC have the following added to them:
- an autorun.inf file
- a folder named "docs" with a recycle bin icon
This happens whether the computer is started up in safe mode or not.
She had NO antivirus software installed (not entirely surprising then that she’s having virus issues). I installed the following tools (in this order) to try to kill the virus:
Malwarebytes Anti-Malware
SUPERAnti-Spyware
Spybot – Search and Destroy
SDFix
I ran full searches in safe mode using all of them whilst logged into the overall administrator account and deleted anything that they found. All of the above applications now show the PC as being clean.
As you can gather from the above, when running the overall administrator account in safe mode I am able to run applications (including regedit, msconfig etc). I have also checked c:\ and c:\system32 for suspicious hidden files but can’t see anything.
Despite this, the problems described above (can't run applications using my boss's administrator account, autorun.inf virus transferring itself onto any USB keys inserted) remain exactly the same.
Using the administrator account I’ve also tried to install and run Combofix, Avira and AVG 9. When I run the Combofix.exe file from my desktop then I receive a message which reads simply “error”. When I try to install AVG 9 then the installation procedure fails as soon as it attempts to create a registry entry (I guess either of these could be problems with the applications themselves – not necessarily malware). Avira also gives me an error message relating to a temp directory.
I'm relatively computer literate and have had some success in removing viruses from my own PC in the past, but this one has really got me stumped. I've spent hours on this now and I thought it was time to ask the experts!
If anyone can spare the time to take a look at this it would be very much appreciated.
DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Administrateur at 13:50:23,42 on 17/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.446.213 [GMT 3:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrateur\Bureau\dds.scr
============== Pseudo HJT Report ===============
uStart Page = www.google.com
mURLSearchHooks: H - No File
mWinlogon: Taskman=c:\recycler\s-1-5-21-4512735870-8466410163-509615216-3231\yv8g67.exe
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uRunOnce: [RegistryDefrag Success Message] "c:\program files\tuneup utilities 2008\TUMessages.exe" /RegDefrag_Success
uRunOnce: [SpybotDeletingB4127] command.com /c del "c:\documents and settings\recup\reader_s.exe"
uRunOnce: [SpybotDeletingD3631] cmd.exe /c del "c:\documents and settings\recup\reader_s.exe"
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2009-12-16 102912]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
S1 unpr;Unprotector;c:\windows\system32\drivers\unpr.sys [2009-12-6 4096]
S3 ALiIRDA;Pilote de périphérique infrarouge ALi;c:\windows\system32\drivers\alifir.sys [2009-5-4 26624]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
=============== Created Last 30 ================
2009-12-17 10:34:01 0 d-----w- c:\docume~1\admini~1\applic~1\AVG8
2009-12-17 10:26:59 0 d-----w- C:\AVGTemp
2009-12-17 07:56:05 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-17 07:56:04 38 ----a-w- c:\windows\avisplitter.ini
2009-12-17 07:56:03 839680 ----a-w- c:\windows\system32\lameACM.acm
2009-12-17 07:56:03 414 ----a-w- c:\windows\system32\lame_acm.xml
2009-12-17 07:56:02 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-12-17 07:56:02 118784 ----a-w- c:\windows\system32\ac3acm.acm
2009-12-17 07:56:01 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-17 07:56:01 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-17 07:55:59 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-17 07:55:59 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-12-17 07:55:57 0 d-----w- c:\program files\K-Lite Codec Pack
2009-12-17 07:48:59 3272 ----a-w- c:\windows\system32\wbem\Outlook_01ca7eed6491d930.mof
2009-12-17 00:03:10 0 d-----w- c:\windows\SxsCaPendDel
2009-12-16 23:49:56 0 d-----w- c:\program files\iXi Tools
2009-12-16 23:49:18 0 d-----w- c:\program files\CCleaner
2009-12-16 21:35:43 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-16 21:16:09 0 d-----w- c:\windows\ERUNT
2009-12-16 21:15:35 0 d-----w- C:\SDFix
2009-12-16 15:33:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-16 15:33:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-16 09:49:44 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-12-16 09:41:11 8496 ----a-w- c:\windows\system32\qxzv85.exe@
2009-12-16 09:37:21 8496 ----a-w- c:\windows\system32\qxzv87.exe@
2009-12-16 09:23:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-16 09:23:24 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-16 08:42:20 102912 ------w- c:\windows\system32\drivers\FWDRV.SYS
2009-12-16 08:42:20 0 d-----w- c:\program files\Kerio
2009-12-16 08:01:14 34352 ----a-w- c:\windows\system32\gpedit.msc
2009-12-16 07:30:40 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-12-16 07:30:37 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-16 07:30:34 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-16 07:30:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 07:30:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-15 12:16:09 0 d-----w- c:\program files\USB Disk Security
2009-12-15 12:02:13 0 d-----w- c:\docume~1\admini~1\applic~1\TuneUp Software
2009-12-15 11:55:53 34352 ----a-w- c:\windows\gpedit.msc
2009-12-15 11:39:22 0 d-----w- C:\autorun.inf
2009-12-08 12:31:05 147616 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-08 12:28:31 87040 ----a-w- c:\windows\system32\winint.exe
2009-12-08 11:39:23 306432 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-08 11:39:20 29440 ----a-w- c:\windows\system32\uxtuneup.dll
2009-12-08 11:39:00 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-12-08 11:38:30 0 d-----w- c:\program files\TuneUp Utilities 2008
2009-12-08 11:36:33 0 d-----w- c:\program files\fichiers communs\Wise Installation Wizard
2009-12-08 07:32:28 103 ----a-w- c:\windows\WININIT.INI
2009-12-08 07:14:58 32768 ----a-w- c:\windows\system32\msncuxqg.dll
2009-12-06 12:34:28 132 ----a-w- c:\windows\system32\46.tmp
2009-12-06 12:21:39 0 ----a-w- C:\Con.@ Andrana @.386
2009-12-06 12:05:32 0 ----a-w- c:\windows\system32\43.tmp
2009-12-06 07:06:57 4096 ----a-w- c:\windows\system32\drivers\unpr.sys
2009-12-04 05:38:23 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-12-01 12:20:15 0 ----a-w- c:\windows\system32\432.tmp
2009-12-01 11:13:26 0 ----a-w- c:\windows\system32\80.tmp
2009-12-01 05:48:12 4608 ----a-w- c:\windows\system32\drivers\ipsys.sys
2009-11-24 13:33:08 0 ----a-w- c:\windows\system32\B3.tmp
2009-11-24 13:26:26 0 ----a-w- c:\windows\system32\B0.tmp
2009-11-24 13:25:35 0 ----a-w- c:\windows\system32\AF.tmp
2009-11-24 13:25:21 116224 ----a-w- c:\windows\system32\AE.tmp
2009-11-24 13:25:15 28524 ----a-w- c:\windows\system32\AD.tmp
2009-11-24 13:24:25 31744 ----a-w- c:\windows\system32\AC.tmp
2009-11-24 13:21:09 212 ----a-w- c:\windows\system32\AB.tmp
2009-11-24 12:38:40 64512 ------w- c:\windows\system32\winssled.exe
2009-11-23 09:30:20 31744 ----a-w- c:\windows\system32\F3.tmp
2009-11-23 09:30:11 28524 ----a-w- c:\windows\system32\F1.tmp
2009-11-23 09:30:07 27648 ----a-w- c:\windows\system32\EF.tmp
2009-11-23 09:29:43 256 ----a-w- c:\windows\system32\DE.tmp
2009-11-19 17:44:16 0 d-----w- c:\program files\WolfPack
==================== Find3M ====================
2009-12-17 07:48:59 371070 ----a-w- c:\windows\system32\perfh00C.dat
2009-12-17 07:48:58 49932 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-16 19:55:34 1056768 ----a-w- c:\windows\explorer(2).exe
2009-12-16 09:22:02 1056768 ----a-w- c:\windows\explorer.exe
2009-12-08 12:31:06 34816 ----a-w- c:\windows\system32\svchost.exe
2009-12-08 12:31:05 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-06 07:09:06 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
============= FINISH: 13:50:47,46 ===============
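As an added triage example (my code, not part of the thread and not from any of the tools named above): the script below parses a constructed excerpt of the DDS log posted above and flags the entries a reviewer would look at first, such as an autostart target under a RECYCLER folder, a Winlogon Taskman override, very small kernel drivers, non-empty .tmp files in system32, an autorun.inf at a volume root, and core Windows binaries or new executables with timestamps inside the review window. The rule names, the 8 KB driver threshold and the `since` date are my own assumptions; a hit means "check this", not "this is malware".

```python
"""Triage a DDS log: flag autostart, driver and file entries worth a second look.

Added example. DDS_SAMPLE is a constructed excerpt of the log posted in the thread;
all rules and thresholds below are the author's heuristics, not DDS behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Constructed excerpt: lines copied from the posted DDS log, nothing else.
DDS_SAMPLE = r"""
============== Pseudo HJT Report ===============
uStart Page = www.google.com
mWinlogon: Taskman=c:\recycler\s-1-5-21-4512735870-8466410163-509615216-3231\yv8g67.exe
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
============= SERVICES / DRIVERS ===============
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2009-12-16 102912]
S1 unpr;Unprotector;c:\windows\system32\drivers\unpr.sys [2009-12-6 4096]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
=============== Created Last 30 ================
2009-12-16 09:41:11 8496 ----a-w- c:\windows\system32\qxzv85.exe@
2009-12-16 07:30:37 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 11:39:22 0 d-----w- C:\autorun.inf
2009-12-08 12:28:31 87040 ----a-w- c:\windows\system32\winint.exe
2009-12-06 07:06:57 4096 ----a-w- c:\windows\system32\drivers\unpr.sys
2009-11-24 13:25:21 116224 ----a-w- c:\windows\system32\AE.tmp
2009-11-24 12:38:40 64512 ------w- c:\windows\system32\winssled.exe
==================== Find3M ====================
2009-12-08 12:31:06 34816 ----a-w- c:\windows\system32\svchost.exe
2009-12-08 12:31:05 147616 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-06 07:09:06 359040 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
============= FINISH: 13:50:47,46 ===============
"""

# XP core binaries that only change on a Windows update; a fresh timestamp means
# "hash it and compare with a known-good copy", not "infected".
CORE_BINARIES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe",
                 "atapi.sys", "tcpip.sys", "ntoskrnl.exe", "lsass.exe"}
# No legitimate autostart target lives under these directories.
SUSPECT_DIRS = ("\\recycler\\", "\\recycled\\", "\\temp\\", "\\system volume information\\")
TINY_DRIVER_BYTES = 8192  # assumed threshold; tune to the environment

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
HJT_RE = re.compile(r"^([um]Winlogon|[um]Run(?:Once)?|Notify|SSODL|SEH|BHO): (.*)$")
DRIVER_RE = re.compile(r"^[RS]\d \w+;[^;]*;(.+?) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) [-a-z]{8} (.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def _date(s: str) -> date:
    y, m, d = (int(x) for x in s.split("-"))
    return date(y, m, d)


def triage(log_text: str, since: date) -> list[Finding]:
    """Return every log entry that matches a heuristic; `since` bounds the 'recent' rules."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if not line:
            continue
        if section.startswith("pseudo hjt"):
            m = HJT_RE.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).lower()
            if any(d in value for d in SUSPECT_DIRS):
                findings.append(Finding("autostart-in-suspect-dir", line))
            if key.endswith("Winlogon"):
                name, _, target = value.partition("=")
                # Taskman is unset on a stock XP install; Shell and Userinit have fixed defaults.
                if (name == "taskman" or (name == "shell" and target != "explorer.exe")
                        or (name == "userinit" and "\\userinit.exe" not in target)):
                    findings.append(Finding("winlogon-override", line))
        elif section.startswith("services"):
            m = DRIVER_RE.match(line)
            if m and int(m.group(3)) <= TINY_DRIVER_BYTES:
                findings.append(Finding("tiny-kernel-driver", line))
        elif section.startswith("created last") or section.startswith("find3m"):
            m = FILE_RE.match(line)
            if not m:
                continue
            created, size, path = _date(m.group(1)), int(m.group(2)), m.group(3).lower()
            name = path.rsplit("\\", 1)[-1]
            ext = name.rstrip("@").rsplit(".", 1)[-1]  # some names in the log carry a trailing '@'
            if name in CORE_BINARIES and created >= since:
                findings.append(Finding("core-binary-recently-modified", line))
            if "\\system32\\" in path and ext == "tmp" and size > 0:
                findings.append(Finding("nonzero-tmp-in-system32", line))
            if re.fullmatch(r"[a-z]:\\autorun\.inf", path):
                findings.append(Finding("autorun-inf-at-volume-root", line))
            if ("\\system32\\" in path and ext in ("exe", "dll", "sys")
                    and created >= since and name not in CORE_BINARIES):
                findings.append(Finding("new-pe-in-system32", line))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_SAMPLE, date(2009, 11, 20)):
        print(f"{f.rule:32} {f.line}")
```

Expect noise: the same rules that surface unpr.sys also surface SASENUM.SYS and mbam.sys, which the poster installed this week, so the reviewer strikes known tools off the list by hand rather than by loosening the rules. Two caveats for this particular log: the Winlogon Taskman value is the first thing to verify because Taskman has no value on a stock XP install, and the "restrictions in effect on this computer" message the poster describes comes from Explorer policy keys (DisallowRun, RestrictRun and friends under Policies\Explorer) that DDS does not print, so those have to be exported and inspected separately.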