Asus EeePC virus problems in China

I have an Asus Eee PC with Windows XP with Service Pack 3. I am in China right now. I put my flash drive in a computer in China then plugged it back in to my computer. I formatted the flash drive immediately, but apparently that was not good enough. A couple of days later the computer started acting funny, and I reset it. When it reset it took several minutes to load Windows, and then just froze on the desktop background. I restarted it again and ran it in safe mode, and it worked fine in safe mode. My friend helped me run an Avast! Antivirus (free version) boot-time scan, and it scanned overnight. In the morning, the computer was working fine. It was fine for several days, then it started messing up again. This time it will load Windows, but will not let me start very many programs, and the system process runs at a fairly constant 50% to 51%. It still runs fine in safe mode. I tried another boot-time scan with Avast!, but it didn’t solve anything. What can I do to find the problem?
I did Malwarebytes, OTL, and aswMBR. The logs are attached.

Malware removers are notified. It may take hours before one arrives, so be patient.

Topic also started here: http://forum.avast.com/index.php?topic=111490

It seems you have AVG and avast installed…
Never install more than one AV or you will get a slow machine, mysterious Windows errors, false positive detections… etc.

So uninstall one and then run the vendor's removal tool to clear any leftover files that may conflict…
You find the tools here: http://singularlabs.com/uninstallers/security-software/

Note: also run AdwCleaner and click the delete button… this will clear all browser/toolbar crap.

Did you install Spoon sandbox?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\..\URLSearchHook: {a060276a-53be-45ec-8ebe-b94b1e803179} - C:\Program Files\Expat_Shield\prxtbExp0.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\..\SearchScopes,DefaultScope = {4E4A4B24-FF69-4C3F-8998-D65499BF8E8A}
IE - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2549263
IE - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Expat Shield Toolbar) - {a060276a-53be-45ec-8ebe-b94b1e803179} - C:\Program Files\Expat_Shield\prxtbExp0.dll (Conduit Ltd.)
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKLM\..\Toolbar: (Expat Shield Toolbar) - {a060276a-53be-45ec-8ebe-b94b1e803179} - C:\Program Files\Expat_Shield\prxtbExp0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\..\Toolbar\WebBrowser: (Expat Shield Toolbar) - {A060276A-53BE-45EC-8EBE-B94B1E803179} - C:\Program Files\Expat_Shield\prxtbExp0.dll (Conduit Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED [2010/12/09 20:03:08 | 000,000,000 | -H-D | M]

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
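As an added example (not part of the original posts, and not code from OTL or its authors), this Python sketch triages `:OTL` fix lines like the ones in the script above: it groups entries by case-normalised CLSID, so the same component registered as both a BHO and a toolbar shows up once, and separates orphaned registry entries from entries that still point at a file. The line format is inferred only from the entries quoted in this thread; `triage` and its field names are hypothetical.

```python
import re

# Subset of the :OTL lines quoted in the post above, used as offline sample input.
SAMPLE = r"""
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (Expat Shield Toolbar) - {a060276a-53be-45ec-8ebe-b94b1e803179} - C:\Program Files\Expat_Shield\prxtbExp0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1688756520-1041218778-1149557646-1006\..\Toolbar\WebBrowser: (Expat Shield Toolbar) - {A060276A-53BE-45EC-8EBE-B94B1E803179} - C:\Program Files\Expat_Shield\prxtbExp0.dll (Conduit Ltd.)
"""

# Assumed format (inferred from this thread, not from OTL documentation):
#   "<section> - <location> - {CLSID} - <file> (<vendor>)"  or  "... - No CLSID value found"
CLSID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
FILE = re.compile(r" - ([A-Za-z]:\\.+?)(?: \(([^()]*)\))?$")

def triage(text):
    """Return (entries keyed by lower-cased CLSID, list of plain setting lines)."""
    entries, settings = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        section = line.split(" - ", 1)[0]            # e.g. "IE", "O2", "O3"
        clsid, path = CLSID.search(line), FILE.search(line)
        orphan = "No CLSID value found" in line
        if not clsid or not (orphan or path):
            settings.append(line)                    # value change, no component behind it
            continue
        entry = entries.setdefault(
            clsid.group(1).lower(),
            {"orphan": orphan, "file": None, "vendor": None, "sections": set()})
        entry["sections"].add(section)
        if path:                                     # a backing file overrides "orphan"
            entry["file"], entry["vendor"] = path.group(1), path.group(2)
            entry["orphan"] = False
    return entries, settings

if __name__ == "__main__":
    found, plain = triage(SAMPLE)
    for key, e in sorted(found.items()):
        kind = "orphaned registry entry" if e["orphan"] else f'{e["file"]} [{e["vendor"]}]'
        print(key, sorted(e["sections"]), kind)
    print("settings:", plain)
```
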

Yes, I installed spoon sandbox to run LibreOffice online because I can’t run Microsoft Office in safe mode, and I can’t download Libre Office in safe mode. I ran the OTL and did the Combofix. No change to my computer. The logs are attached.

Thanks again!

I can see AVG and 360safe antivirus programmes on the system as well. They may be contributing to the problems, so I would recommend their removal.

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Under Step 3, it says I will need my Windows XP CD. Obviously I don’t have one since this is an EeePC with no CD-ROM. Will that be a problem? Also, I can’t get the images from your message to load; from the last step, which items do I select?
Thanks.

Skip the SFC step then.

I have now attached it… Can you read this?

Okay, I can read it, thanks.

I clicked start on the Start repairs tab. It opened a window, did something, and then closed the window. It did not give me an option to select anything. I restarted the computer and it opened in regular mode and Avast! ran the following programs in a sandbox:
…WPFFontCache_v0400.exe
…csc.exe

The computer was unusable besides that, and did not start working even after I had let the Avast! search for 13 minutes. I restarted the computer and am now in safe mode.

Could you run the Windows Repair tool from safe mode?

I was able to run Windows Repair in safe mode, but like I said, “I clicked start on the Start repairs tab. It opened a window, did something, and then closed the window.” So I guess it didn’t actually do anything in safe mode.
Thanks.

Could you run a fresh OTL log please, as I must be missing something?

Sorry to take so long to reply, I have been traveling. I did another OTL scan (while in safe mode, like everything else I have been doing). The log is attached. I hope this helps.

Thanks!

So you are still unable to work in normal mode?

OK, the next bit is rather tedious…

What we will do is run just Windows files and services.
Then add the other files/services one at a time to determine which is causing the problem.

Step 1: Start the System Configuration Utility

  1. Click Start, click Run, type msconfig, and then click OK.
  2. The System Configuration Utility dialog box is displayed.

Step 2: Configure selective startup options

  1. In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
  2. Click to clear the Process SYSTEM.INI File check box.
  3. Click to clear the Process WIN.INI File check box.
  4. Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
  5. Click the Services tab.
  6. Click to select the Hide All Microsoft Services check box.
  7. Click Disable All, and then click OK.
  8. When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

  1. If you are prompted, log on to Windows.
  2. When you receive the following message, click to select the Don’t show this message or launch the System Configuration Utility when Windows starts check box, and then click OK.

You have used the System Configuration Utility to make changes to the way Windows starts.
The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.

Is the computer now running properly?
If yes, then:
Run MSConfig again and enable half of the services.
Does it still shut down properly? If yes, then re-enable half the remaining services until the problem re-appears.
Once it has reappeared, disable all bar one of the last services restarted and then check each service to determine which one is stopping the shutdown.

I completed steps one and two and restarted the computer. It did not run any differently.
Thanks.

It may be that Windows needs refreshing… I have found that as XP gets older (i.e. installed for more than two years) it gets exceedingly slow.
A repair install should fix that; however, you will need the XP CD.