[ron26]

Okay, I uninstalled those four things, Java 20 was already off.

Then I ran the AVG scan and it finally went to complete. Had been hanging up at 61%

However, it says across the top of the AVG page "You are not fully protected!" When I click the "fix" button I get a message saying, "Could not finish automatic repair. We weren't able to fix one or more component."

I'm not sure if I'm okay and done...or need to do more.

I'll wait to hear what you have to say. Thanks.

[Advertisements]

I think it is saying it was damaged by the malware and was unable to fix some part of itself. You could probably fix it by uninstall and reinstall of AVG but I would suggest you try Avast instead per my previous post. I think it's a bit better than AVG. It's also what I use on my PC.

Ron

[RKinner]

I think it is saying it was damaged by the malware and was unable to fix some part of itself. You could probably fix it by uninstall and reinstall of AVG but I would suggest you try Avast instead per my previous post. I think it's a bit better than AVG. It's also what I use on my PC.

Ron

[ron26]

Okay, did all of that, ran the scan...and it says 0 viruses found.

Seems like I'm in good shape?

Anything else I should do?

[RKinner]

We could check the event logs to see if you have any non-malware problems:

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron

[ron26]

Vino's Event Viewer v01c run on Windows XP in English
Report run at 01/09/2011 9:43:13 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ron26]

Vino's Event Viewer v01c run on Windows XP in English
Report run at 01/09/2011 9:45:46 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 01/09/2011 9:35:39 AM
Type: warning Category: 1
Event: 32068 Source: Microsoft Fax
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly. Country/region code: '*' Area code: '*'

Log: 'Application' Date/Time: 01/09/2011 9:35:39 AM
Type: warning Category: 1
Event: 32026 Source: Microsoft Fax
Fax Service failed to initialize any assigned fax devices (virtual or TAPI). No faxes can be sent or received until a fax device is installed.

Log: 'Application' Date/Time: 01/09/2011 9:34:10 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user D97RYQM1\Ryan Asher registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

[ron26]

I also have a question:

Before I got this virus and started to fix it when I plugged a flash drive or camera into a usb port it would open automatically. This no longer happens. I have to manually open it. Not a huge deal...but any idea why? Or how I can fix it?

Thank you!

[RKinner]

Appears you have the Fax Service turned on but no Fax device. I'm a little vague on how this works. Appears there is a service called Fax something so let's see if we can turn it off.

Start, Run, services.msc , OK to bring up the servies window.

Look for a service called Fax something. IF you find it right click on it and select Properties then change the Startup Type to Manual then Apply and Stop the service.

Another possibility is:

Start, click Administrative Tools, and then click Fax Service Manager. Supposedly there is an option to Stop the service there.

Your other error is common on XP. There is a Microsoft fix for it:

UPHClean

http://www.microsoft...lang=en&id=6676

Instructions at: http://support.microsoft.com/kb/837115

That's about all I see so I think we can clean up now.

We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 27 or 7 update 0). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox. For some reason Java does not remove old consoles from Firefox. Any time you update Java you should do Firefox, Add-ons, Extensions and disable any old Java Consoles

They will look like: CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA. The number in bold corresponds to the update number. If they switch to 7 update 0 then the 0016 will turn to 0017.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extension you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)


If you use Firefox or Chome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

[RKinner]

Wasn't a virus that stopped your USB devices. It was a Microsoft update. They decided that it was too dangerous because many viruses were using the autorun.inf file to spread so they turned it off.

You can fix it if you want but you need to edit the registry.



Click Start, click Run, type regedit in the Open box, and then click OK.
Locate and then click the following entry in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun
Right-click NoDriveTypeAutoRun, and then click Modify.
In the Value data box, type 0xFF to disable all types of drives. Or, to selectively disable specific drives, use a different value as described in the "How to selectively disable specific Autorun features" section.
Click OK, and then exit Registry Editor.
Restart the computer.

How to selectively disable specific Autorun features
To selectively disable specific Autorun features, you must change the NoDriveTypeAutoRun entry in one of the following registry key subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\

The following table shows the settings for the NoDriveTypeAutoRun registry entry.
Value Meaning
0x1 or 0x80 Disables AutoRun on drives of unknown type
0x4 Disables AutoRun on removable drives
0x8 Disables AutoRun on fixed drives
0x10 Disables AutoRun on network drives
0x20 Disables AutoRun on CD-ROM drives
0x40 Disables AutoRun on RAM disks
0xFF Disables AutoRun on all kinds of drives
The value of the NoDriveTypeAutoRun registry entry determines which drive or drives the Autorun functionality will be disabled for. For example, if you want to disable Autorun for network drives only, you must set the value of NoDriveTypeAutoRun registry entry to 0x10.

If you want to disable Autorun for multiple drives, you must add the corresponding hexadecimal values to the 0x10 value. For example, if you want to disable Autorun for removable drives and for network drives, you must add 0x4 and 0x10, which is the mathematical addition of 2 hexadecimal values, to determine the value to use. 0x4 + 0x10 = 0x14. Therefore, in this example, you would set the value of the NoDriveTypeAutoRun entry to 0x14.

The default value for the NoDriveTypeAutoRun registry entry varies for different Windows-based operating systems. These default values are listed in the following table.
Operating system Default value
Windows Server 2008 and Windows Vista 0x91
Windows Server 2003 0x95
Windows XP 0x91
Windows 2000 0x95


There is a "Fix it for me" you can try so you don't have to edit the registry. It says it is for SP2 but it might work.


http://go.microsoft....?linkid=9743275

Ron

[ron26]

Thanks, Ron!

Okay, I'm at work, not sure I'll get to all of this today, but will give it a shot when I get home tonight.

Thanks so much for all your help! Greatly appreciated!

[ron26]

Just wanted to check in...didn't get to this and probably won't be able to do it tonight.

Should get to it over the weekend and once I do I'll check back in. Thanks for all of your help!

[ron26]

Hi Ron,

Okay, I'm able to devote some time to this.

As per message #23...the UPHClean. It seems like this is for people having trouble starting up/shutting down.

I'm not having that issue. Should I still run this program & follow these steps?

Just wanted to check before I proceeded.

Thanks!

[RKinner]

I'm seeing problems in your event logs even if you don't notice the problem yet so please install UPHClean.

Ron

[ron26]

I'm having some trouble with the UPHClean.

It gives me the option of "repair user profile" or "remover user profile". I chose repair and got a message saying it couldn't install, would have to try again.

Not sure what I should do. Please advise.

[ron26]

Okay, tried it again, and it seemed to work. Now I'm checking the "event viewer" log as stated in the instructions to confirm it worked.

I have one Error message for the MsiInstaller, but right above it there is the MsiIsntaller and it says "information" not error. I'm guessing this tells me it failed the first time but not the second try?

Looks like the UPHClean worked, going to follow the next steps.