ComboFix error but have Windows XP?

Mac1977
Posts: 80 Forumite
in Techie Stuff
Recently downloaded and ran Malwarebytes and Hijackthis, posted logs that showed there was a Trojan virus and followed AliEnRIK's advice.
After this I started to get Windows security messages that my PCguard Firewall and Anti-Virus were switched off although I had not switched them off. Looked around on here and saw that AliEnRIk had advised downloading ComboFix to another user who had had Trojans, so tried that.
I have Windows XP SP3 but am getting this error message - Error Win 32 only. Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP. I then got the Renaming error box for ComboFix.
I've also been getting the Windows Virtual Memory low message for ages and in the last few days getting LEXPPS.exe which I blocked.
I've run Malwarebytes last night and Hijackthis this morning and can post logs if required.
To be honest, if I could afford a new PC/laptop I'm at the point of giving up on this one, but I can't! I was also getting Dr Watson postmortem debug messages but found out how to switch that off and did so.
I know next to zilch about computers so any advice greatly appreciated.
Thanks
Comments
-
post the malwarebytes log file and the hijackthis log file
it's not advisable to run combofix unless specifically advised to for your infection, it's quite a powerful tool and can do damage if not used correctly
Ex forum ambassador
Long term forum member
-
I have xp pro sp3 and have no probs with combofix and I've put it on other pc's too. It's v. good at sorting these fake anti virus stuff,- ave.exe.
My xp is 32 bit tho'.
-
LEXPPS.exe is from a Lexmark printer, if you no longer use a Lexmark then go to add/remove programs to uninstall that software
Ex forum ambassador
Long term forum member
-
Logs below as requested and thanks for replying.
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3937
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
02/04/2010 20:44:39
mbam-log-2010-04-02 (20-44-39).txt
Scan type: Full scan (C:\|)
Objects scanned: 172085
Time elapsed: 1 hour(s), 8 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41:27, on 03/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Virgin Broadband Wireless\wpa_supplicant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Virgin Broadband\PCguard\RPS.exe
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O4 - HKCU\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Virgin Broadband PCguard (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
O23 - Service: Virgin Broadband PCguard SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
--
End of file - 5225 bytes
-
TICK and FIX this ~
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Right click the combofix file and RENAME to 'qwerty.exe.'
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Run that and post the whole of the log
-
I've ticked and fixed the Extra button, thanks for info.
As mentioned above, I am getting an error message when trying to run ComboFix telling me about an incompatible OS. When I tried to right click on the Renaming error box that then appeared nothing happened. I'm obviously missing something but don't know what?
-
Right click the EXE file that you downloaded
-
Clicked on your link above and now getting this;
!!ALERT!! It is NOT SAFE to continue. The contents of the ComboFix package has been compromised. Please download a fresh copy from: http//www.bleepingcomputer.com/combofix/how-to-use-combofix.
Note: You may be infected with a file patching virus 'Virut'.
I also got the renaming error message again.
-
There's a video here showing how to clean up Virut infections using a bootable CD (Dr Web Live CD) - may be helpful - http://www.youtube.com/watch?v=FGDl-IMOt1g
Seems like a nasty virus as it patches and infects any executables you run (e.g. your copy of Combofix was patched by the virus) amongst other things - http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fVirut.BM
-
Is there a problem trying to use Dr Web Live CD if you use Windows as the OS? The user manual says Dr Web is built on Linux OS.
I've downloaded the file and am trying to write it to a CD-R but keep getting a message to insert a disc?
This discussion has been closed.
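Added example, not part of any forum post and not code from HijackThis: a small Python parser for the HijackThis log format posted in the thread, which flags entries pointing at "(no file)" (like the O9 entry the thread says to tick and fix) and O23 services listed with "Unknown owner". The names `parse_line` and `review` and the "unknown-owner" heuristic are this example's own assumptions; the sample lines are copied from the log above.

```python
import re

# A HijackThis entry line is "<section code> - <details>", e.g. "O9 - Extra button: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Lines copied from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
Boot mode: Normal
C:\WINDOWS\system32\LEXPPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
End of file - 5225 bytes
"""

def parse_line(line):
    """Return a dict for an entry line, or None for headers, process paths and footers."""
    match = ENTRY_RE.match(line.strip())
    if match is None:
        return None
    body = match.group("body")
    clsid = CLSID_RE.search(body)
    return {
        "code": match.group("code"),
        "clsid": clsid.group(0) if clsid else None,
        # The file or URL an entry points at is the last " - "-separated field.
        "target": body.rsplit(" - ", 1)[-1],
        "body": body,
    }

def review(log_text):
    """Flag entries worth a second look; flagged does not mean malicious."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["target"] == "(no file)":
            # Registry entry whose file is gone: the kind of leftover fixed in the thread.
            findings.append((entry["code"], "orphaned", entry["clsid"]))
        elif entry["code"] == "O23" and " - Unknown owner - " in entry["body"]:
            # No vendor shown for the service binary (this example's own heuristic).
            findings.append((entry["code"], "unknown-owner", entry["target"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A clean result from a parser like this says nothing about a file infector such as Virut, which patches executables that look legitimate by path and vendor.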