Avast stopped working, virus?

[oldman]

Hi

Here's a lnk on how to run a repair install

You  have scroll down to find it. It's about 11th up from the bottom of the topics cointing from how to acces safe mode.

http://www.webtree.ca/windowsxp/repair_xp.htm#How%20to%20Repair%20Windows%20XP%20by%20Installing%20Over%20top%20of%20Existing%20Setup:

[BJS]

Great site, just what I needed, thanks OM 

(I will let you know when I am done)

[oldman]

Sounds good and good luck!!

[Lisandro]

Hello, I chhose the repair option and after scanning some files, it took me to a dos command prompt.
It said "which windows installation would you like to log onto? (to cancel press enter)"

This is the Windows Repair Console... it won't be installed there.
Can you boot in XP and use the CD? If so, you can run install.exe from it and choose to update.
If you can't boot in your disk and use the CD, you must boot with the CD and choose a way to install Windows.
On the links I've posted before there are some info.

The option for repair was "r" but when we entered that in the DOS screen it said invalid.

Choose the option to install (and not repair), after that you would receive an option to install in the same partition that you have installed before, you can go further. You just do not format the disk.

[BJS]

FINALLY  
I needed to call my brother-in-law (who is a computer programmer) andI told him that I had a copy of XP but it would not let me do a repair. I had tried to copy the ntoskrnl.exe file from the XP CD to the c-drive but it didn't work.  That is because I did not copy it to the windows\system32 folder.  We had to use the expand command to find the file and I had to copy it using ntoskrnl.ex_   but in the end it worked!
Now that I can get into windows, I am going to do the repair as Tech advised from the XP CD. I will post my results (good or bad)

Thanks again

[mauserme]

Now that I can get into windows, I am going to do the repair ...

Is your wife's computer booting to Windows now? 

[BJS]

Yes it is, I am now doing an overinstall from the CD

[mauserme]

Well if you haven't started we may be able to get around that, but if it's already started don't interupt it.  If the product key is on a sticker on the computer case use that instead of the key on the CD, then install as any of the Windows updates as you can.

[BJS]

OK, I am back at my wifes (infected) PC. Right now I am updating the XP SP2 patch.
Once this is done, I think we can resume what we were working on last week which get rid of some rootkits and get Avast back in.

[oldman]

Good. Sounds like you used the recovery console. You could have gotten the file from the i386 folder, but the one on the disk is known to be clean.

Good luck the rest of the way.

[BJS]

Thanks, that whole process wore me out....I'm hitting the sack now...I will check in tomorrow PM..

(Once this PC is "healed" we will definitely be making recovery cd's as well as a copy of XP)

[oldman]

(Once this PC is "healed" we will definitely be making recovery cd's as well as a copy of XP)

Good plan. Something else to look into is something like Acronis True Image, Go Back, etc. Well worth the bucks.

[BJS]

Thanks Oldman, I'll remember that.

I thought I was going to bed but I figured I would check msconfig and see what startup programs were running on her computer.

Guess what? You know that "bagle trojan" that Mauserme saw I had? It was in my startup program.
It was named "wintems.exe". I looked it up. I don't have it in startup anymore but I am sure it is still on my hardrive somewhere.   I also found another startup program names vsnpstd2.exe.  I guess that is some sort of spyware.

Now I am going to bed....

[mauserme]

Since the repair install leaves all the data, etc intact the malware that was remaining before we got sidetracked is also still there.  This was expected.

If you want to, back up the family pics to cd or dvd.  Then post fresh ComboFix and HJT logs (run i that order).


EDIT:  Looking at your first ComboFix log (way back on page 2  ) shows that C:\WINDOWS\system32\wintems.exe was deleted but the registry key that called it was one of the things I wanted to get.  If that key is gone now we're a little farther along than I expected, but for sure we'll double check.

[BJS]

Sorry I have been MIA.  I reinstalled XP and installed XP SP2 on my wifes computer and now I cannot download the windows installer and therefore cannot install any security updates. That, combined with having no Avast has made me hesitant about going online with my wifes computer.

Those problem aside, here are my new Combo Fix and HJT logs...

Also, if I made restore discs for all of our files (pictures, documents, programs etc) and then formatted our computer clean and reinstalled XP (along with our restore discs) would that that take care of some problems? Or would we still be infected from the restore discs?


ComboFix Log

ComboFix 07-08-14.4 - "Ben" 2007-08-22 13:44:54.2 - NTFS  x86
C:\WINDOWS\system32\chkdsk.exe not present


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Ben\Desktop.\internet explorer.lnk


(((((((((((((((((((((((((   Files Created from 2007-07-22 to 2007-08-22  )))))))))))))))))))))))))))))))


2007-08-21 17:18   27,648   --a--c---   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-21 17:18   23,040   --a--c---   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-21 17:18   17,408   --a--c---   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-21 17:18   116,224   --a--c---   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-21 17:17   99,865   --a--c---   C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-21 17:17   8,832   --a--c---   C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-21 17:17   8,192   --a--c---   C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-21 17:17   4,608   --a--c---   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-21 17:17   19,455   --a--c---   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-21 17:17   16,970   --a--c---   C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-21 17:17   154,624   --a--c---   C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-21 17:17   12,063   --a--c---   C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-21 17:16   87,040   --a--c---   C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-21 17:16   771,581   --a--c---   C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-21 17:16   701,386   --a--c---   C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-21 17:16   53,760   --a--c---   C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-21 17:16   35,871   --a--c---   C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-21 17:16   34,890   --a--c---   C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-21 17:16   33,599   --a--c---   C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-21 17:16   31,744   --a--c---   C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-21 17:16   29,311   --a--c---   C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-21 17:16   23,615   --a--c---   C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-21 17:16   19,551   --a--c---   C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-21 17:16   19,016   --a--c---   C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-21 17:16   16,925   --a--c---   C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-21 17:16   12,415   --a--c---   C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-21 17:16   12,127   --a--c---   C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-21 17:16   11,775   --a--c---   C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-21 17:15   765,884   --a--c---   C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-21 17:15   7,556   --a--c---   C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-21 17:15   687,999   --a--c---   C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-21 17:15   64,605   --a--c---   C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-21 17:15   604,253   --a--c---   C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-21 17:15   5,376   --a--c---   C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-21 17:15   397,502   --a--c---   C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-21 17:15   249,402   --a--c---   C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-21 17:15   24,576   --a--c---   C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-21 17:15   19,528   --a--c---   C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-21 17:15   113,762   --a--c---   C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-21 17:14   94,720   --a--c---   C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-21 17:14   794,654   --a--c---   C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-21 17:14   794,399   --a--c---   C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-21 17:14   793,598   --a--c---   C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-21 17:14   69,632   --a--c---   C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-21 17:14   50,688   --a--c---   C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-21 17:14   50,176   --a--c---   C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-21 17:14   47,616   --a--c---   C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-21 17:14   32,384   --a--c---   C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-21 17:14   28,160   --a--c---   C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-21 17:14   26,624   --a--c---   C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-21 17:14   25,600   --a--c---   C:\WINDOWS\system32\dllcache\usbser.sys
2007-08-21 17:14   224,802   --a--c---   C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-21 17:14   22,912   --a--c---   C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-21 17:14   20,480   --a--c---   C:\WINDOWS\system32\dllcache\usbuhci.sys