System Check/ Hard drive virus



#16 northernbird (Member, Topic Starter)
Here's what I was able to do for the uninstalls:

x Bing Bar - uninstalled
Bing Bar Platform - not listed in apps to uninstall
Bing Rewards Client Installer - not listed in apps to uninstall
x J2SE Runtime Environment 5.0 Update 6 - uninstalled
x Java™ SE Runtime Environment 6 Update 1 - uninstalled
x Java™ 6 Update 3 - uninstalled
x Java™ 6 Update 5 - Get the latest Java from java.com - uninstalled
Adobe Reader 8.1.1 - get the latest Adobe Reader from adobe.com - unable to uninstall; I get a message about the source not being found.
x Adobe Flash Player 10 ActiveX - get latest flash from adobe.com (must use IE) - uninstalled
x SearchAssist - uninstalled

I'm continuing on with your instructions.
#17 northernbird (Member, Topic Starter)
Here are the two logs from VEW.exe

System -

Vino's Event Viewer v01c run on Windows XP in English
Report run at 02/02/2012 11:48:52 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application -


Vino's Event Viewer v01c run on Windows XP in English
Report run at 02/02/2012 11:49:51 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 02/02/2012 11:40:08 PM
Type: warning Category: 1
Event: 32068 Source: Microsoft Fax
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly. Country/region code: '*' Area code: '*'

Log: 'Application' Date/Time: 02/02/2012 11:40:08 PM
Type: warning Category: 1
Event: 32026 Source: Microsoft Fax
Fax Service failed to initialize any assigned fax devices (virtual or TAPI). No faxes can be sent or received until a fax device is installed.

#18 RKinner (Malware Expert, MVP)
Look for

C:\Documents and Settings\Arlie Norwood\Local Settings\Temp\smtmp\

Normally it has four folders called 1, 2, 3, and 4. Each one is a collection of links that it had stolen from where they belong.

When we ran OTL it was supposed to copy the contents back to where they belonged. It apparently only did the contents of folder 2. I don't know why it didn't do the others. Either there weren't any files or the destination doesn't exist on this PC.

< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Arlie Norwood\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Arlie Norwood\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\CS2.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\desktop.ini
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Microsoft Office Excel 2007.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Microsoft Office Outlook.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Microsoft Office Visio 2007.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Microsoft Office Word 2007.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Microsoft Visual Studio 2008 Beta 2.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Mozilla Firefox.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\My Computer.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Show Desktop.scf
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\SQL Server Management Studio.lnk
C:\DOCUME~1\ARLIEN~1\LOCALS~1\Temp\smtmp\2\Windows Media Player.lnk
12 File(s) copied
C:\Documents and Settings\Arlie Norwood\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Arlie Norwood\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Arlie Norwood\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Arlie Norwood\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied


Do the folders 1, 3, and 4 exist? Are there any files in them?

If you do Start, Run, cmd, OK and then type each line below followed by Enter, it will tell you where each destination folder is supposed to be:

cd  "%AllUsersProfile%\Start Menu"
(Files from 1 go in the above folder)

cd  "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
(files from 3 go in the above folder)

cd  "%AllUsersProfile%\Desktop"
(files from 4 go in the above folder)

If both the files exist and the destination folder exists then try to manually copy them.
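The check-then-copy procedure described in the post above, written out as an added example (not part of the original post and not OTL's code): it walks the numbered smtmp folders, reports whether each source has files and whether its destination exists, and copies files back only when both are true. The folder-to-destination mapping follows the xcopy lines in the OTL log; the sample tree in `demo()` is constructed in a temporary directory so the script runs anywhere.

```python
import os
import shutil
import tempfile

# Folder number -> destination, as in the OTL xcopy lines above (the %...%
# names are left as unexpanded placeholders; pass real paths to the function).
SMTMP_DESTINATIONS = {
    "1": r"%AllUsersProfile%\Start Menu",
    "2": r"%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch",
    "3": r"%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "4": r"%AllUsersProfile%\Desktop",
}
def restore_smtmp(smtmp_root, destinations):
    """Copy files back from each numbered smtmp folder (recursively, overwriting
    like xcopy /S /Y) only when the source has files AND the destination folder
    exists. Returns {number: (source_file_count, destination_exists, copied)}."""
    report = {}
    for number, dest in destinations.items():
        src = os.path.join(smtmp_root, number)
        files = []
        if os.path.isdir(src):                      # "Do the folders exist?"
            for dirpath, _, names in os.walk(src):  # "Are there any files in them?"
                files += [os.path.relpath(os.path.join(dirpath, n), src) for n in names]
        dest_ok = os.path.isdir(dest)
        copied = 0
        if files and dest_ok:                       # both exist: copy them over
            for rel in files:
                target = os.path.join(dest, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(os.path.join(src, rel), target)
                copied += 1
        report[number] = (len(files), dest_ok, copied)
    return report
def demo():
    """Constructed sample tree: folder 2 has two shortcuts and a live destination
    (copied, as in the OTL run); folder 3 has a file but no destination; 1 and 4 are empty."""
    root = tempfile.mkdtemp()
    smtmp = os.path.join(root, "Temp", "smtmp")
    dests = {n: os.path.join(root, "dest", n) for n in "1234"}
    for n in "1234":
        os.makedirs(os.path.join(smtmp, n))
        if n != "3":                                # destination 3 does not exist
            os.makedirs(dests[n])
    for name in ("Mozilla Firefox.lnk", "Show Desktop.scf"):
        open(os.path.join(smtmp, "2", name), "w").close()
    open(os.path.join(smtmp, "3", "pinned.lnk"), "w").close()
    result = restore_smtmp(smtmp, dests)
    shutil.rmtree(root)
    return result
```

Running `demo()` returns a count of 2 copied for folder 2 and 0 for the others, mirroring the "12 File(s) copied" / "0 File(s) copied" pattern in the log.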

#19 northernbird (Member, Topic Starter)
I don't have a local settings directory in my "c:/documents and settings/arlie norwood" folder.

#20 RKinner (Malware Expert, MVP)
It's a hidden system folder:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.

#21 northernbird (Member, Topic Starter)
Ahhh yes. I should have known that. So I can now see C:\Documents and Settings\Arlie Norwood\Local Settings\Temp but there's no smtmp folder in there.

#22 northernbird (Member, Topic Starter)
Ya know, that's not really that big of a deal for me. If the rest of my system is cleaned up, I can rebuild that as I need to.

#23 RKinner (Malware Expert, MVP)
Might be able to help you with the rebuilding.

Restore Accessories Program Files Menu

Please download this tool here.

You will need to unzip the tool first.

Once you've unzipped the tool, please double-click on it to run it.

Ensure that the following check boxes are checked (as seen in this image below):

Posted Image

Once they are, click on the Restore button.



Restore Admin Tools Program Files Menu

Please download this tool here.

You will need to unzip the tool first.

Once you've unzipped the tool, please double-click on it to run it.

Click on the Restore Administrative Tools Items button.

As seen in this image below:

Posted Image

This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
[attachment=50717:Repair.zip]
To use this, download the attached zip file
Extract the repair.vbs file to your desktop
Run the repair.vbs
It will ask for a folder name call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder
Open the folder
Cut and Paste the links that you want to C:\documents and settings\your name\start menu
Posted Image
Posted Image

#24 northernbird (Member, Topic Starter)
I'll be working on your last post here tonight. One thing we found out today: it looks like my wife's Outlook accounts and mail are all gone? Is there a way to get that back?

#25 RKinner (Malware Expert, MVP)
We don't usually lose the outlook stuff with this bug.

Look in

C:\Documents and Settings\Arlie Norwood\Local Settings\Application Data\Microsoft\Outlook\

for outlook.pst. That should be her personal folders. archive.pst is where they keep stuff that has been archived.

Other files which may or may not be there are:

Outlook data files (.pst)
Offline Folders file (.ost)
Personal Address Book (.pab)
Offline Address Books (.oab)
Command bar and menu customizations (.dat)
Navigation Pane settings (.xml)
Registered Microsoft Exchange extensions (.dat)
Outlook contacts nicknames (.nk2)
Rules (.rwz)
Print styles (Outlprnt with no extension)
Signatures (.rtf, .txt, .htm)
Stationery (.htm)
Custom forms
Dictionary (.dic)
Templates (.oft)
Send/Receive settings (.srs)
Message (.msg, .htm, .rtf)

If you don't find them there then do what they say here:

http://office.micros...0890.aspx?CTT=1
#26 northernbird (Member, Topic Starter)
I see the outlook.pst file in her /local settings/application data/microsoft/outlook/ folder. How do I get Outlook to load it again and show it to me?

#27 northernbird (Member, Topic Starter)
Could you reattach the repair.zip file? That post just has this: [attachment=50717:Repair.zip]

The accessories and admin tools have been restored.

#28 northernbird (Member, Topic Starter)
I think I figured it out.
I opened Outlook, cancelled out of the account setup.
Then went to Tools, Account Settings, then clicked on the Data Files tab.
Clicked Add, selected Outlook 97-2002, then selected the outlook.pst file that had her old data.
Took a few minutes to validate the data file, then it seems to have shown up.

I've moved all her email accounts over to Gmail, instead of Outlook, so I don't want her getting mail from Outlook anymore anyway.

Let me know if I didn't do anything right there.

As far as her system being cleaned up, is there anything else we need to do, or are we good to go now?

#29 RKinner (Malware Expert, MVP)
Sorry about the repair.zip file. I thought the script was complete. I found a copy that is a slightly different version. It created a file test.txt on my desktop when I ran it from the desktop. Wait until it finishes (It says that's all folks) before you open the test.txt file.

I guess the only thing left is cleanup:

We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and exit My Computer.



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron