
Virus removal help- Old XP laptop.


10 replies to this topic

#1 Steevow

Steevow

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:13 PM

Posted 20 August 2017 - 12:35 AM

First, let me say that though I am no expert like you guys are, I have done this before. A few times, maybe more than a few.

So I am pretty familiar.

I have been having some vague problems for a little while.

 

Here's what I have

Old Lenovo laptop with XP SP3.

I have been using MS Security essentials for years and years.

A month or two ago I stopped being able to get the definitions updates automatically.

Asking the program to update always just crapped out without any error. No updates, it just timed out.

So I have been downloading and running the defs update manually, which was successful. Every week or so.

Tonight things digressed.

The first thing I noticed was I was not able to get to the MS site for the defs updates.

Common for viruses to block those sites.

I looked in the hosts file, and there was nothing there, just the one default line,
127.0.0.1 localhost

So that is not the cause of failed connectivity.

I could get to bleepingcomputer.com which as you know is often blocked by deliberate viruses.
Not this time. Odd.

 

So I ran combofix, and the log is attached.

I know, you guys ask not to do that but I was nowhere. I have done this before.
After that I was able to get to the MS site, so it fixed something.

I uninstalled MS Security Essentials and reinstalled it. It works. I had it scan, it found nothing.

 

The combofix log is attached.

What should I look at next?

Thanks in advance.


Edited by Steevow, 21 August 2017 - 12:03 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:13 PM

Posted 21 August 2017 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

:step1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

:step2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

:step3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#3 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:13 PM

Posted 22 August 2017 - 12:16 AM

The system is quiet now.

 

Here is the mbam log.

I downloaded the adwcleaner twice, when launched it says "not a valid win32 application"

What should I do?

I have the installer from before.

adwcleaner_4.202.exe

Should I use that version?

 

I ran frst. The logs are attached.

 



Edited by Steevow, 22 August 2017 - 12:24 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:13 PM

Posted 22 August 2017 - 08:24 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\S-1-5-21-1957994488-329068152-839522115-1003 -> {9E64C473-97C2-4A88-B4BD-1428D52F1116} URL = hxxps://searchbeta.disconnect.me/searchTerms/search?query={searchTerms}
FF SearchPlugin: C:\Documents and Settings\Developmental\Application Data\Mozilla\Firefox\Profiles\dba219oj.default\searchplugins\startpage-https.xml [2015-12-05]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
CHR DefaultSearchKeyword: Default -> lp
CHR Extension: (Who Deleted Me - Unfriend Finder) - C:\Documents and Settings\Developmental\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eiepnnbjenknnjgabbodaihlnkkpkgll [2017-08-09]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Developmental\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-21]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

Please let me know what problem persists with this computer.

#5 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:13 PM

Posted 22 August 2017 - 10:05 PM

It's all quiet.

 

Here are the logs.

 

Farbar Service Scanner Version: 27-01-2016
Ran by Developmental (administrator) on 22-08-2017 at 20:02:56
Running from "C:\Documents and Settings\Developmental\Desktop\antimalware"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
AegisP(11) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(12) WSIMD(8)
0x0C0000000500000001000000020000000300000004000000060000000700000008000000090000000A0000000B0000000C000000
IpSec Tag value is correct.

**** End of log ****



Edited by Steevow, 22 August 2017 - 10:07 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:13 PM

Posted 24 August 2017 - 08:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

S3 trufos; C:\WINDOWS\System32\drivers\trufos.sys [343456 2015-04-25] (BitDefender S.R.L.)
C:\Windows\logo_1.exe
C:\Windows\RUNDL132.EXE
C:\Windows\VDLL.DLL
C:\Windows\System32\runouce.exe
C:\WINDOWS\System32\drivers\trufos.sys

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the log and let me know what problem persists.
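Before clicking Fix, it is worth reading a fixlist line by line to see exactly which files, services and commands it will touch. The following audit script is an added example for the two fixlists in posts #4 and #6 above; it is not code from the thread or from Farbar's tool, and the way it sorts lines into categories (start/End framing, colon directives, CMD: commands, service entries, bare paths, and other entries copied from FRST.txt) is an assumption drawn from the fixlists shown here.

```python
import re

# Constructed sample, condensed from the fixlist in post #6 above.
SAMPLE_FIXLIST = r"""start
CreateRestorePoint:
CloseProcesses:
S3 trufos; C:\WINDOWS\System32\drivers\trufos.sys [343456 2015-04-25] (BitDefender S.R.L.)
C:\Windows\logo_1.exe
C:\WINDOWS\System32\drivers\trufos.sys
cmd: ipconfig /flushdns
CMD: netsh winsock reset catalog
Reboot:
End
"""
SERVICE_RE = re.compile(r"^[RS]\d\s+(\S+);\s*\S.*\[", re.IGNORECASE)  # "S3 name; path [size date]"
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # bare Windows path

def classify_line(line):
    """Return (category, detail) for one fixlist line, or None for a blank line."""
    text = line.strip()
    if not text:
        return None
    low = text.lower()
    if low in ("start", "end"):
        return ("frame", low)
    if low.startswith("cmd:"):  # shell command FRST will execute
        return ("command", text[4:].strip())
    if text.endswith(":") and " " not in text:  # built-in directive
        return ("directive", text[:-1])
    m = SERVICE_RE.match(text)
    if m:  # service entry copied from FRST.txt: FRST deletes the service
        return ("service", m.group(1))
    if PATH_RE.match(text):  # bare path: FRST moves the file to its quarantine
        return ("file", text)
    return ("log_entry", text)  # other line copied from FRST.txt (browser/registry item)

def audit_fixlist(content):
    """Group every action in a fixlist by category and check the start/End framing."""
    summary = {k: [] for k in ("directive", "command", "service", "file", "log_entry")}
    seen_start = False
    for category, detail in filter(None, map(classify_line, content.splitlines())):
        if category == "frame":
            seen_start = seen_start or detail == "start"
        else:
            summary[category].append(detail)
    summary["well_formed"] = seen_start and content.strip().lower().endswith("end")
    return summary
```

Run `audit_fixlist(open("fixlist.txt").read())` on a real fixlist to get the same breakdown; a non-empty `log_entry` list is where browser and registry items such as the SearchScopes and CHR Extension lines from post #4 end up.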

#7 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:13 PM

Posted 24 August 2017 - 01:54 PM

Here is the resulting log.

 

 




#8 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:13 PM

Posted 24 August 2017 - 11:31 PM

MS Security Essentials still fails to update automatically. I can click update, it says "searching" for a minute, then it just stops and the defs are not updated.

I am able to download them manually and run the update executable and the program is updated.
 



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:13 PM

Posted 25 August 2017 - 07:40 AM

Hi,

Since Microsoft Security Essentials relies on Microsoft Update and Windows XP is no longer being updated you may have to continue updating it manually.

For your reading.
https://thenextweb.com/microsoft/2014/01/15/microsoft-extends-updates-windows-xp-security-products-july-14-2015/#.tnw_pljq2XPC

#10 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  • Local time:02:13 PM

Posted 25 August 2017 - 10:32 AM

OK, that's possible as to the MS Security Essentials update. It just stopped getting updates a month or so ago. It's interesting that I am able to run the updater and it updates. MS could have stopped that but they didn't. I may set up an event.

 

Sorry to change the subject.

What about the virus removal procedure? It all seems quiet here.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:13 PM

Posted 25 August 2017 - 01:09 PM


OK, that's possible as to the MS Security Essentials update. It just stopped getting updates a month or so ago. It's interesting that I am able to run the updater and it updates. MS could have stopped that but they didn't. I may set up an event.


You may also want to check with the Experts in the Windows XP forum.
https://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



