winse32.exe infection

Avast picked up a virus infection (winse32.exe) in my desktop PC, running Windows 7 64 bit, as soon as I plugged my portable jump drive into its USB slot. It immediately put this worm into the virus chest. When I restarted the computer later, however, Windows had me wait until it finished making changes to over 15,000 registry files before letting me proceed into Windows! Now I’m paranoid. What do I need to do now to find out if I have a big problem installed in my computer and what do I do to correct this if I really have a problem?

The only change I have noticed so far is:

  1. a little beep coming from the computer's case occasionally, infrequently, at odd times, which I don't remember happening before (but maybe I'm just projecting and this may not really be new behavior). And
  2. when I right click on the Firefox icon on my desktop there is a whirring noise from the computer case (?? like when the DVD drive starts up) that starts immediately after I right click, and there is a delay in that info window coming up.
What do I need to do now to find out if I have a big problem installed in my computer and what do I do to correct this if I really have a problem?
Follow this guide from our expert malware remover Essexboy and post the logs here http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and Malwarebytes scan log)

Essexboy usually arrives in the forum late UK time

Thanks for your advice, Pondus.

I wasn’t sure where you wanted me to send those reports. I think that you wanted me to send them to Essexboy as a reply to his Jan 9, 2010 post, where link you sent took me. I did reply to his post there, attaching the two OTC scan logs that you suggested I attach. I also copied and pasted the MBAM scan log, since I couldn’t figure out how to attach that file. I also sent him a copy of my post and your reply to give him the context for the reply I was sending him.

I hope that is what you wanted me to do. I guess the next step is for me to wait for a reply from Essexboy. Is that right?

and post the logs here
I did say here ;) but no problem, Essexboy will find it

well Essexboy is notified, he is usually in here from 8:00 to midnight UK time

Hi there is nothing apparent on the logs - so let's look for hidden drivers

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Pondus,

I did post my reply in the topic that your link sent me to. It was a link started by Essexboy almost a year ago, “Logs to assist in cleaning malware” which now has 8 pages of replies and responses. I figured that that was where you wanted me to reply since that is a topic that was started by Essexboy.

In any case, as you said, Essexboy did get it and responded here, so all is well. I just need to follow his recommendations (I hope I can do that successfully) and reply. David R, however, responded to me in that “logs to assist in cleaning malware” topic and appears to say that I should not have replied there. He said I should start a new topic. I guess this, here, is the new topic that I had already started. Here is David R’s reply:

Re: Logs to assist in cleaning malware
« Reply #105 on: Today at 01:41:45 PM »
@ youisamo
Please start your own topic in the viruses and worms forum, this topic isn’t for problem resolution but to explain the tools (logs) to assist in cleaning.

  • Go to this link, http://forum.avast.com/index.php?board=4.0. Click the New Topic button (see image, click to expand) at the top of the list and post there.

Now that Essexboy has responded here, all is well, I suppose. I'll do what he suggests, but probably a different day, as we are already in holiday mode here. Happy new year, meanwhile, to you Pondus, to Essexboy, and to David R! Hope you all have a great year in 2011.

And a happy new year to you ;D

I did have time to do this today, after all.

Essexboy, I have attached a copy of the .txt log that Combofix made.

What is next, Essexboy?

BTW, when Combofix was preparing this log, Windows repeatedly (maybe a dozen times) popped up a window notifying me that the program PEV.cfxxe had stopped working. They could not automatically find the cause, and repeatedly asked me if I wanted to close that program. I clicked yes each time. Is that important, or does it tell us something? Do I need to do anything about that PEV.cfxxe program now?

Again that does not look too bad - I can see no indications of any hidden elements. What are your current problems?

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

Essexboy

I did what you suggested and apparently no problems were found on that scan. “Windows Resource Protection did not find any integrity violations”. Great.

You ask, “What are my current problems?”
In my original post, on 12/30, I wrote:

The only change I have noticed so far is:

  1. a little beep coming from the computer's case occasionally, infrequently, at odd times, which I don't remember happening before (but maybe I'm just projecting and this may not really be new behavior). And
  2. when I right click on the Firefox icon on my desktop there is a whirring noise from the computer case (?? like when the DVD drive starts up) that starts immediately after I right click, and there is a delay in that info window coming up.

That is, my computer seems to be working fine without problems. I mentioned the above observations - (which continue to occur, but might not be abnormal or really new; I just don't remember those things happening before) - only because after Avast picked up that worm, winse32.exe, and put it into the virus chest, when my computer next rebooted, I got a message from Windows before it would actually shut down. It said something like (you are probably more familiar with the actual wording) "Do not power down your computer until Windows finishes completing changes to (??) 15,473 of your registry files."

I never had a message like that before and that made me paranoid that there might be something bad going on behind the scenes in my computer. That is what I explained in my original post. I asked what I needed to do to find out whether or not I had some serious, hidden problem in my computer.

I'll be happy if it turns out that all is well and no further action needs to be taken. If so, I apologize for sending you on a wild goose chase, but that will have set my worried mind at ease, and I thank you for that.

In your opinion, do I need to do anything further before I can reasonably assume that my computer is not harboring some serious problem?

At the moment I can see no cause for concern. Reference Firefox I would recommend a full uninstall and then re-install afresh

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 23.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u23-windows-i586-p.exe and select "Run as an Administrator.")

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advanced System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Final stretch

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check
[attachment=46669:Boot defrag.jpg]

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programme:

Malwarebytes. Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:
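A way to check three of the things above on a 64-bit Windows 7 machine without clicking through the dialogs: which Java runtimes are still installed, what sits in the Startup folders, and whether the hidden-files setting is back to "do not show". This is an added, read-only PowerShell audit script, not part of the original thread or any of the tools it names; the "Java|J2SE" name match mirrors the Add/Remove Programs step, and the registry paths and the Hidden value meanings (1 = show, 2 = do not show) are standard Windows locations.

```powershell
# Added audit script (not from the thread). Run from an elevated PowerShell
# prompt on Windows 7 x64; it changes nothing and only reports what it finds.

# 1. Installed Java runtimes. On a 64-bit system there are two uninstall
#    hives (native 64-bit and WOW6432Node for 32-bit programs), which is why
#    several old JRE copies can survive a single "Remove" in Add/Remove Programs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString

"== Installed Java entries (after cleanup, expect only the current JRE) =="
$javaEntries | Format-Table -AutoSize

# 2. Startup folders (per-user and all-users). Anything listed here launches
#    at logon, so every entry should be something you recognise.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
"== Startup folder contents =="
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Folder'; e = { $dir }}, Name, LastWriteTime, Length |
        Format-Table -AutoSize
}

# 3. Explorer hidden-files setting. Explorer stores it as Hidden = 1 (show
#    hidden files) or 2 (do not show). Cleanup tools often flip it to 1, so
#    confirm it has been returned to 2 as the instructions above require.
$advanced = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hiddenState = if ($advanced.Hidden -eq 1) { 'Show hidden files' } else { 'Do not show hidden files' }
"== Explorer hidden-files setting: $hiddenState (Hidden=$($advanced.Hidden)) =="
```

Anything unexpected in the Java list or the Startup folders is what you would post back for a helper to look at, rather than remove on your own.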

Thanks for all your help and advice, Essexboy, and I'm happy that my desktop computer seems to be clean and safe.

Before I clean up everything on my desktop according to your instructions I hope you won't mind if I check out my laptop which also had been exposed to my infected flash drive. I downloaded and ran Malwarebytes and OTL on the laptop just as I had done on my desktop and I'm attaching to this reply the log from Malwarebytes and the two logs from OTL. [I think I attached the correct files below.] Could you please look those logs over and let me know if they seem to be clean or not?

If they are clean (I hope so) would you advise me to run ComboFix or not? Should I run sfc /scannow from the Command Prompt? What do you think?

Do you know what these programmes are that are in your startup folder ?

[2010/12/01 07:51:13 | 000,000,000 | ---D | M](C:\Program Files (x86)\???? ??? - 257) -- C:\Program Files (x86)\úåøú àîú - 257 [2010/12/01 07:51:13 | 000,000,000 | ---D | M](C:\Program Files (x86)\???? ??? - 257) -- C:\Program Files (x86)\úåøú àîú - 257 (C:\Users\youisamo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\???? ??? - ???? ????? ????? 257) -- C:\Users\youisamo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\úåøú àîú - îàâø úåøðé çåôùé 257 (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\???? ??? - ???? ????? ????? 257) -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\úåøú àîú - îàâø úåøðé çåôùé 257 (C:\Program Files (x86)\???? ??? - 257) -- C:\Program Files (x86)\úåøú àîú - 257

As the laptop is a 64-bit system it is more resilient than the 32-bit systems

Are you having any problems with the laptop ?

Essexboy,

On 12/1/2010 my son in law downloaded to my computer a large, free database program that has the complete texts, searchable, of hundreds of religious texts written during the past few hundred years. The program and the texts are in Hebrew. My computer did not support the Hebrew font when it was installed so all those paths that you copied above seem to have replaced that foreign font with all those strange symbols with funny accent marks above its letters. I think those sad face icons with the question marks are showing up for the same reason. [When I open that program, I did succeed in having its contents displayed in a Hebrew font, but I couldn't get the start menu and the paths to those files to display with a proper font.]

In any case, I haven't had any problems since I downloaded that database and would not anticipate any problems from that program. I believe that everything in the quote that you copied above all refers to that same one database program.

You ask if I’m having any problems with the laptop. I bought it about 3 months ago but have not noticed any problems with this new laptop so far.

Would you advise running ComboFix and/or that command prompt scan anyway, just to be more sure that all is well? Any idea why when I was shutting down my desktop when this all started, after Avast had picked up a problem with this worm infection, Windows gave me a message not to power down my computer until it finished making changes to a huge number of registry files?

BTW, both my laptop and desktop are running the 64 bit version of Windows 7 which you call “more resilient”. I guess that you mean that that system is more resistant to virus infections. Is that right?

Those files are good then - I do not have many fonts installed on my system

Yes, 64-bit systems are in general a lot easier to clean, as critical system files and paths are protected and all 32-bit versions have a 64-bit version which can be used instead, so winlogon/explorer infections are rare and simple to clean

Windows gave me a message not to power down my computer until it finished making changes to a huge number of registry files?
Windows doing some repairs after the attack

Yes I would recommend that you run SFC /scannow as any damaged files will be replaced

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

Essexboy

I ran sfc /scannow on my laptop as you recommended and it was clean. Great. I did not install or run ComboFix on the laptop since I had asked whether I should run ComboFix and/or sfc /scannow on that computer and you only mentioned sfc /scannow in your response. I assume that you didn’t think it necessary for me to run ComboFix on the laptop.

I had already run and sent you the logs from Malwarebytes and OTL which I had run on the laptop (which were clean, also). I can leave Malwarebytes on that computer but should I remove OTL from that computer as you had recommended that I remove it from my desktop PC? If so, for the laptop, should I follow the same instructions that you had sent for the desktop and just skip the two lines in the middle about removing ComboFix, since that program had been installed on the desktop but was never installed in the first place on the laptop? These were your instructions for the desktop computer:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

  :Commands
  [resethosts]
  [purity]
  [emptytemp]
  [EMPTYFLASH]
  [Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

BTW, you mentioned keeping ERUNT in the instructions above, but you had never advised or instructed me to download that program to my desktop PC. Should I install, run, and then keep that program on my desktop computer? Should I also do that for my laptop?

After that, I started having a little problem following your instructions. I thought that might be because I use Firefox and am running 64 bit Windows 7 on my desktop computer (same for my laptop) and perhaps your instructions were for a different browser or a different OS or for a 32 bit system. You wrote:

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do not show hidden files and folders.
* Click Yes to confirm.
* Click OK.

I did search and find the Hidden Files and Folders heading and made sure that they were set to the ‘do not show’ option as you suggested but I couldn’t get to that heading on my computer by following your directions exactly. At least that easy job was accomplished, but then I had some more trouble following your next directions.

You next wanted me to update/upgrade Java. Your instructions:

Upgrading Java:

* Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 23.
* Click the "Download" button to the right.
* Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
* Click on Continue.
* Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
* Close any programs you may have running - especially your web browser.
* Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
* Check any item with Java Runtime Environment (JRE or J2SE) in the name.
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each Java version.
* Reboot your computer once all Java components are removed.
* Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u23-windows-i586-p.exe and select "Run as an Administrator.")

I clicked on your link: Java SE Runtime Environment (JRE) JRE 6 Update 23, and it took me to this page: http://www.oracle.com/technetwork/java/javase/downloads/index.html. I clicked on the download link to "DOWNLOAD JRE" from the 'Java Platform, Standard Edition, Java SE 6 Update 23' box, which seemed correct. I selected the platform 'Windows x64' from the drop down menu on the Java SE Runtime Environment 6u23 page that the download link took me to, but the check box was for "I agree to the Java SE Runtime Environment 6u23 with JavaFX License Agreement" and not "I agree to the Java SE Runtime Environment 6 License Agreement" that was in your instructions. That brought me to a downloadable file: jre-6u23-windows-x64.exe, not the: jre-6u23-windows-i586-p.exe file from your instructions. If I clicked on that it brought me to a box to download that file and run it directly, immediately removing old versions and installing the new version (with JavaFX which I did not think I wanted) but did not give me a choice to download the .exe file to my desktop. I couldn't figure out how to download the installation file to my desktop as you wanted, before manually removing old versions, rebooting, and then loading the updated version from the executable file on my desktop.

Could you give me instructions, please, on removing old versions and then downloading the proper Java version for my Firefox, Windows 7, 64-bit program, without JavaFX added (unless you think that is a worthwhile addition)?

The instructions that follow to manually create a new Restore Point and then purge the old, infected ones also do not seem to jibe with what I see on my computer. In addition we did not find any infected files with any of the tools we used to check both my desktop and my laptop computers. Are there any infected Restore Points to purge? Should I purge old Restore Points anyway? Should I manually create a new Restore Point on either of my computers? If so, could you please send me instructions that will work for my OS version and my browser? Thanks.

Finally, I have not yet downloaded and run the Puran Disc Defragmenter that you advised at the end of your instructions. I’ll do that after I hear from you about the above issues (removing old and downloading new Java, and creating new and removing old Restore Points) if you still advise that I run that defragmenter program.

Well, that was quite a mouthful! Sorry for the length of my questions, but, as always, I am very grateful for your advice and amazed at your expertise (which an old geezer/newbie like me can hardly fathom). I'm so happy that your forums are there to help people like me who would be lost without the advice given there. BTW, this is the first time that I ever participated in a computer forum, so I thank you again for your patience!

No problems - so let's commence…

Re Java, the majority of systems I work on are 32-bit and being an idle bugger I have not set up an alternative post for 64-bit, but jre-6u23-windows-x64.exe is the correct one - they have changed the terminology slightly. But you are good with that

For the restore points it depends on whether you are in classic or Normal windows 7 control panel. An alternative is to

To manually purge old Restore Points

[*]Go to Start > All programmes > Accessories > System tools
[*]Right click Disk cleanup select run as Admin…
[*]Select your main drive
[*]Select the More Options tab
[*]Select under System restore and Shadow copies Cleanup
[*]Select OK

Download and run JavaRa and select remove older versions, that kills all old Java versions

Erunt was not used on your system as I did not do any manual registry changes

Run OTL and hit the cleanup button - it will remove all tools used on that system