
Author Topic: I have a virus that never goes away - could be Vundo. Any help appreciated!


ashton

    Topic Starter


    Rookie
    • Experience: Beginner
    • OS: Windows 7
    I first noticed something wrong with my computer when I got the infamous "XP Antispyware 2009" popup/virus. It was easily taken care of with Malwarebytes, but I'm afraid it's part of a bigger virus, like Vundo, because I started getting IE popups (and I use Firefox as my default browser) even when my browser wasn't open. The popups eventually stopped, but then I started hearing them - like without any visible popup on my computer and my browser closed, I would just hear "Congratulations, you have been selected to win a Nintendo Wii..." etc.

    My computer is slow and my control panel has switched to Classic View (I use Windows XP) on its own, without the option to switch back.

    My antivirus programs can find infected files, but they seemingly regenerate after the necessary removal boot. Nothing gets rid of it completely.

    In addition to having Malwarebytes, and SUPERAntiSpyware, I'm also a registered user of McAfee.

    I have followed all the steps recommended before posting here. My SUPERAntiSpyware log is:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/04/2008 at 04:31 AM

    Application Version : 4.21.1004

    Core Rules Database Version : 3622
    Trace Rules Database Version: 1606

    Scan type       : Complete Scan
    Total Scan Time : 00:43:33

    Memory items scanned      : 607
    Memory threats detected   : 0
    Registry items scanned    : 5993
    Registry threats detected : 0
    File items scanned        : 68732
    File threats detected     : 0

    My Malwarebytes log is:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1357
    Windows 5.1.2600 Service Pack 3

    11/4/2008 2:19:04 PM
    mbam-log-2008-11-04 (14-19-04).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 106106
    Time elapsed: 53 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\3Gpj7leJ.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

    And my HijackThis log is:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:36:32 PM, on 11/4/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\PROGRA~1\DELLSU~1\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Corel Painter Essentials 21a] C:\Program Files\Corel\Corel Painter Essentials 2\registration.exe /title="Corel Painter Essentials 2" /date=111608 serial=PE02CBX-0000003-NMD lang=EN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: karna.dat
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 9619 bytes

    Once again, after removal, the virus seemingly replicates itself and is never completely gone. Any help is appreciated greatly!

    By the way, I have tried VundoFix and VirtumundoBeGone as well, and neither worked. I'm not completely sure it is Vundo at all, it just has very similar symptoms.

    Thank you for any help!

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Open HijackThis and select Do a system scan only.

    Place a check mark next to the following entries: (if there)

    - O20 - AppInit_DLLs: karna.dat

    Important: Close all windows except for HijackThis and then click Fix checked.

    Exit HijackThis.

    ----------

    Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

    ashton

      Topic Starter


      Rookie
      • Experience: Beginner
      • OS: Windows 7
      Thank you so much, evilfantasy! I have followed your instructions. I used HijackThis on what you specified, and here is my ComboFix log:

      ComboFix 08-11-04.02 - Mina 2008-11-04 19:39:19.1 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.3.932.81.1033.18.484 [GMT -8:00]
      Running from: c:\documents and settings\Mina\Desktop\ComboFix.exe
       * Created a new restore point

      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\bold.log
      c:\documents and settings\Mina\Cookies\vypygej._dl
      c:\windows\system32\_000006_.tmp.dll

      .
      (((((((((((((((((((((((((   Files Created from 2008-10-05 to 2008-11-05  )))))))))))))))))))))))))))))))
      .

      2008-11-04 14:23 . 2008-11-04 14:23   410,976   --a------   c:\windows\system32\deploytk.dll
      2008-11-04 03:35 . 2008-11-04 03:35   <DIR>   d--------   c:\program files\CCleaner
      2008-11-04 00:27 . 2008-11-04 00:27   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2008-11-04 00:26 . 2008-11-04 00:26   <DIR>   d--------   c:\program files\SUPERAntiSpyware
      2008-11-04 00:26 . 2008-11-04 00:26   <DIR>   d--------   c:\documents and settings\Mina\Application Data\SUPERAntiSpyware.com
      2008-11-04 00:20 . 2008-11-04 00:20   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
      2008-11-02 20:22 . 2008-11-04 19:36   9,203   --a------   c:\windows\system32\Config.MPF
      2008-11-02 20:21 . 2006-03-03 08:07   143,360   --a------   c:\windows\system32\dunzip32.dll
      2008-11-02 20:18 . 2007-11-22 06:44   201,320   --a------   c:\windows\system32\drivers\mfehidk.sys
      2008-11-02 20:18 . 2007-07-13 06:20   113,952   --a------   c:\windows\system32\drivers\Mpfp.sys
      2008-11-02 20:18 . 2007-11-22 06:44   79,304   --a------   c:\windows\system32\drivers\mfeavfk.sys
      2008-11-02 20:18 . 2007-12-02 12:51   40,488   --a------   c:\windows\system32\drivers\mfesmfk.sys
      2008-11-02 20:18 . 2007-11-22 06:44   35,240   --a------   c:\windows\system32\drivers\mfebopk.sys
      2008-11-02 20:18 . 2007-11-22 06:44   33,832   --a------   c:\windows\system32\drivers\mferkdk.sys
      2008-11-02 20:17 . 2008-11-02 20:17   <DIR>   d--------   c:\program files\McAfee.com
      2008-11-02 20:17 . 2008-11-02 20:18   <DIR>   d--------   c:\program files\Common Files\McAfee
      2008-11-02 20:16 . 2008-11-02 23:43   <DIR>   d--------   c:\program files\McAfee
      2008-11-02 20:04 . 2008-11-02 20:22   <DIR>   d--------   c:\documents and settings\All Users\Application Data\McAfee
      2008-10-29 00:06 . 2008-10-29 00:28   <DIR>   d--------   c:\documents and settings\Mina\Application Data\T-Time Preferences
      2008-10-23 10:36 . 2008-10-15 08:34   337,408   ---------   c:\windows\system32\dllcache\netapi32.dll
      2008-10-21 11:22 . 2008-10-21 11:22   19,116   --a------   c:\documents and settings\All Users\Application Data\fuze.dat
      2008-10-21 11:22 . 2008-10-21 11:22   18,864   --a------   c:\windows\system32\ijycej.com
      2008-10-21 11:22 . 2008-10-21 11:22   17,365   --a------   c:\windows\apymawe._dl
      2008-10-21 11:22 . 2008-10-21 11:22   16,852   --a------   c:\windows\system32\nepunufura.dl
      2008-10-21 11:22 . 2008-10-21 11:22   15,981   --a------   c:\documents and settings\Mina\Application Data\qypocive.exe
      2008-10-21 11:22 . 2008-10-21 11:22   15,595   --a------   c:\windows\system32\cokuk.com
      2008-10-21 11:22 . 2008-10-21 11:22   15,310   --a------   c:\windows\lily.sys
      2008-10-21 11:22 . 2008-10-21 11:22   15,215   --a------   c:\windows\vyzidyzu.ban
      2008-10-21 11:22 . 2008-10-21 11:22   14,621   --a------   c:\documents and settings\Mina\Application Data\aqimu.scr
      2008-10-21 11:22 . 2008-10-21 11:22   12,603   --a------   c:\windows\xigepefuhe.inf
      2008-10-21 11:22 . 2008-10-21 11:22   11,455   --a------   c:\windows\fovapot.reg
      2008-10-21 11:22 . 2008-10-21 11:22   10,189   --a------   c:\windows\emifipis._sy
      2008-10-14 11:12 . 2008-08-14 02:11   2,189,184   ---------   c:\windows\system32\dllcache\ntoskrnl.exe
      2008-10-14 11:12 . 2008-08-14 02:09   2,145,280   ---------   c:\windows\system32\dllcache\ntkrnlmp.exe
      2008-10-14 11:12 . 2008-08-14 01:33   2,066,048   ---------   c:\windows\system32\dllcache\ntkrnlpa.exe
      2008-10-14 11:12 . 2008-08-14 01:33   2,023,936   ---------   c:\windows\system32\dllcache\ntkrpamp.exe
      2008-10-14 11:12 . 2008-09-15 04:12   1,846,400   ---------   c:\windows\system32\dllcache\win32k.sys
      2008-10-14 11:12 . 2008-09-08 02:41   333,824   ---------   c:\windows\system32\dllcache\srv.sys
      2008-10-13 01:37 . 2008-11-02 02:03   <DIR>   d--------   c:\documents and settings\Mina\Incomplete

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-11-04 22:30   ---------   d-----w   c:\program files\WildTangent
      2008-11-04 22:25   ---------   d-----w   c:\program files\Java
      2008-11-04 21:21   ---------   d-----w   c:\documents and settings\Mina\Application Data\WTablet
      2008-11-02 21:27   2,864   ----a-w   c:\windows\system32\winsock.dll
      2008-11-02 21:27   2,864   ----a-w   c:\windows\system32\dllcache\winsock.dll
      2008-11-02 05:24   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
      2008-10-27 10:25   ---------   d-----w   c:\documents and settings\Mina\Application Data\CoreFTP
      2008-10-22 23:10   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
      2008-10-22 23:10   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
      2008-10-21 19:22   12,553   ----a-w   c:\program files\Common Files\elezu._dl
      2008-10-10 22:11   ---------   d-----w   c:\program files\LimeWire
      2008-09-24 22:04   ---------   d-----w   c:\program files\iriver
      2008-09-24 17:00   ---------   d-----w   c:\documents and settings\LocalService\Application Data\WTablet
      2008-09-22 22:19   ---------   d-----w   c:\documents and settings\Mina\Application Data\Malwarebytes
      2008-09-22 22:19   ---------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
      2008-09-15 12:12   1,846,400   ----a-w   c:\windows\system32\win32k.sys
      2008-09-11 04:04   ---------   d-----w   c:\documents and settings\All Users\Application Data\SYSTEMAX Software Development
      2008-09-08 10:41   333,824   ----a-w   c:\windows\system32\drivers\srv.sys
      2008-09-07 21:52   ---------   d-----w   c:\program files\CoreFTP
      2008-08-20 05:30   666,112   ----a-w   c:\windows\system32\wininet.dll
      2008-08-20 05:30   666,112   ------w   c:\windows\system32\dllcache\wininet.dll
      2008-08-20 05:30   619,520   ------w   c:\windows\system32\dllcache\urlmon.dll
      2008-08-20 05:30   3,067,904   ------w   c:\windows\system32\dllcache\mshtml.dll
      2008-08-20 05:30   1,499,136   ------w   c:\windows\system32\dllcache\shdocvw.dll
      2008-08-14 10:09   2,145,280   ----a-w   c:\windows\system32\ntoskrnl.exe
      2008-08-14 10:04   138,496   ------w   c:\windows\system32\dllcache\afd.sys
      2008-08-14 09:33   2,023,936   ----a-w   c:\windows\system32\ntkrnlpa.exe
      1999-07-07 00:00   6   -csh--r   c:\windows\@@desktop.dat
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
      "DellSupport"="c:\progra~1\DELLSU~1\DSAgnt.exe" [2006-08-28 395776]
      "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
      "Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2008-04-30 3874886]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
      "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
      "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
      "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
      "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
      "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
      "CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
      "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
      "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
      "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
      "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
      "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-02-25 176128]
      "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
      "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
      "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
      "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
      "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
      "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
      "Corel Painter Essentials 21a"="c:\program files\Corel\Corel Painter Essentials 2\registration.exe" [2004-03-18 733184]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-11-15 286720]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
      "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
      "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
      "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
      "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-04 136600]
      "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
      Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-01-11 118784]
      Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-20 24576]
      HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
      Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
      "InstallTheme"= c:\windows\Resources\Themes\Royale.theme

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
      "ForceClassicControlPanel"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "AntiVirusDisableNotify"=dword:00000001
      "UpdatesDisableNotify"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
      "c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

      R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-11-04 152984]
      R3 wacommousefilter;Wacom Mouse Filter Driver;c:\windows\system32\DRIVERS\wacommousefilter.sys [2006-02-14 5632]
      R3 wacomvhid;Wacom Virtual Hid Driver;c:\windows\system32\DRIVERS\wacomvhid.sys [2006-11-15 6272]
      S3 VNUSB;VN Series Device;c:\windows\system32\DRIVERS\VNUSB.sys [2006-04-07 38496]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
      \Shell\AutoRun\command - E:\setup.exe

      *Newly Created Service* - JAVAQUICKSTARTERSERVICE
      *Newly Created Service* - PROCEXP90
      .
      Contents of the 'Scheduled Tasks' folder

      2008-11-04 c:\windows\Tasks\At1.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At10.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At11.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At12.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At13.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At14.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At15.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At16.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At17.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At18.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At19.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At2.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At20.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At21.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At22.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At23.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At24.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At3.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At4.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At49.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At5.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-04 c:\windows\Tasks\At50.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At51.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At52.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At53.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At54.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At55.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At56.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At57.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At58.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At59.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At6.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At60.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At61.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At62.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At63.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At64.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At65.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-03 c:\windows\Tasks\At66.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-03 c:\windows\Tasks\At67.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-03 c:\windows\Tasks\At68.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-03 c:\windows\Tasks\At69.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At7.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\At70.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-03 c:\windows\Tasks\At71.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-04 c:\windows\Tasks\At72.job
      - c:\windows\system32\3Gpj7leJ.exe []

      2008-11-02 c:\windows\Tasks\At8.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-02 c:\windows\Tasks\At9.job
      - c:\windows\system32\2Bj1asxC.exe []

      2008-11-03 c:\windows\Tasks\McDefragTask.job
      - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

      2008-11-03 c:\windows\Tasks\McQcTask.job
      - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
      .
      - - - - ORPHANS REMOVED - - - -

      HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
      HKLM-Run-<NO NAME> - (no file)


      .
      ------- Supplementary Scan -------
      .
      FireFox -: Profile - c:\documents and settings\Mina\Application Data\Mozilla\Firefox\Profiles\0bxenldk.default\
      FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
      FF -: plugin - c:\documents and settings\Mina\Application Data\Mozilla\Firefox\Profiles\0bxenldk.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
      FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
      FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
      FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
      .

      **************************************************************************

      catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-11-04 19:42:07
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      Completion time: 2008-11-04 19:44:07
      ComboFix-quarantined-files.txt  2008-11-05 03:44:01

      Pre-Run: 57,165,721,600 bytes free
      Post-Run: 57,190,223,872 bytes free

      300   --- E O F ---   2008-10-24 17:25:18
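The scheduled-task section of the ComboFix log above shows the same two system32 executables reached through dozens of auto-numbered At*.job tasks, each with an empty "[]" where ComboFix prints a file timestamp for the McAfee tasks. As an added example (not from the thread or from ComboFix), here is a Python parser for that log section that groups each job by the executable it launches and flags targets reached through At-numbered jobs with no timestamp, so every job pointing at them can be collected for removal; the sample lines are an excerpt constructed from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the scheduled-task section of the ComboFix
# log posted above. Each record is two lines: date + job file, then "- target [stamp]".
SAMPLE_LOG = r"""
2008-11-03 c:\windows\Tasks\At21.job
- c:\windows\system32\2Bj1asxC.exe []

2008-11-04 c:\windows\Tasks\At24.job
- c:\windows\system32\2Bj1asxC.exe []

2008-11-04 c:\windows\Tasks\At49.job
- c:\windows\system32\3Gpj7leJ.exe []

2008-11-02 c:\windows\Tasks\At55.job
- c:\windows\system32\3Gpj7leJ.exe []

2008-11-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-11-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
"""

JOB_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(.+\.job)$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^-\s+(.*?)\s*\[([^\]]*)\]$")
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)   # names at.exe generates


def parse_task_entries(text):
    """Return one dict per job: date, job path, job name, target, stamp."""
    entries = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_LINE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = TARGET_LINE.match(line)
        if m and pending:
            date, job = pending
            entries.append({
                "date": date,
                "job": job,
                "name": job.rsplit("\\", 1)[-1],
                "target": m.group(1),
                "stamp": m.group(2).strip(),   # "" when the log printed "[]"
            })
            pending = None
    return entries


def group_by_target(entries):
    """Map each launched executable to the list of jobs that launch it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["target"]].append(e)
    return groups


def suspicious_targets(entries):
    """Targets launched by at least one auto-numbered At*.job with no file
    timestamp. Every job for such a target is listed so all can be removed."""
    flagged = {}
    for target, jobs in group_by_target(entries).items():
        if any(AT_JOB.match(e["name"]) and e["stamp"] == "" for e in jobs):
            flagged[target] = [e["name"] for e in jobs]
    return flagged


def report(text):
    """One summary line per flagged target."""
    lines = []
    for target, names in suspicious_targets(parse_task_entries(text)).items():
        lines.append(f"{target}: {len(names)} job(s): {', '.join(names)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```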



      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
      KillAll::

      File::
      c:\documents and settings\All Users\Application Data\fuze.dat
      c:\windows\system32\ijycej.com
      c:\windows\apymawe._dl
      c:\windows\system32\nepunufura.dl
      c:\documents and settings\Mina\Application Data\qypocive.exe
      c:\windows\system32\cokuk.com
      c:\windows\lily.sys
      c:\windows\vyzidyzu.ban
      c:\documents and settings\Mina\Application Data\aqimu.scr
      c:\windows\xigepefuhe.inf
      c:\windows\fovapot.reg
      c:\windows\emifipis._sy
      c:\windows\Tasks\At1.job
      c:\windows\system32\2Bj1asxC.exe
      c:\windows\Tasks\At10.job
      c:\windows\Tasks\At11.job
      c:\windows\Tasks\At12.job
      c:\windows\Tasks\At13.job
      c:\windows\Tasks\At14.job
      c:\windows\Tasks\At15.job
      c:\windows\Tasks\At16.job
      c:\windows\Tasks\At17.job
      c:\windows\Tasks\At18.job
      c:\windows\Tasks\At19.job
      c:\windows\Tasks\At2.job
      c:\windows\Tasks\At20.job
      c:\windows\Tasks\At21.job
      c:\windows\Tasks\At22.job
      c:\windows\Tasks\At23.job
      c:\windows\Tasks\At24.job
      c:\windows\Tasks\At3.job
      c:\windows\Tasks\At4.job
      c:\windows\Tasks\At49.job
      c:\windows\system32\3Gpj7leJ.exe
      c:\windows\Tasks\At5.job
      c:\windows\Tasks\At50.job
      c:\windows\Tasks\At51.job
      c:\windows\Tasks\At52.job
      c:\windows\Tasks\At53.job
      c:\windows\Tasks\At54.job
      c:\windows\Tasks\At55.job
      c:\windows\Tasks\At56.job
      c:\windows\Tasks\At57.job
      c:\windows\Tasks\At58.job
      c:\windows\Tasks\At59.job
      c:\windows\Tasks\At6.job
      c:\windows\Tasks\At60.job
      c:\windows\Tasks\At61.job
      c:\windows\Tasks\At62.job
      c:\windows\Tasks\At63.job
      c:\windows\Tasks\At64.job
      c:\windows\Tasks\At65.job
      c:\windows\Tasks\At66.job
      c:\windows\Tasks\At67.job
      c:\windows\Tasks\At68.job
      c:\windows\Tasks\At69.job
      c:\windows\Tasks\At7.job
      c:\windows\Tasks\At70.job
      c:\windows\Tasks\At71.job
      c:\windows\Tasks\At72.job
      c:\windows\Tasks\At8.job
      c:\windows\Tasks\At9.job

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

      ashton

        Topic Starter


        Rookie
        • Experience: Beginner
        • OS: Windows 7
        Okay! The new log is too large to copy/paste, so I attached it.



        [Saving space - attachment deleted by admin]

        evilfantasy

          • Click START then RUN
          • Now type Combofix /u in the runbox
          • Make sure there's a space between Combofix and /u
          • Then hit Enter.
          • The above procedure will:
          • Delete the following:
          • ComboFix and its associated files and folders.
          • Reset the clock settings.
          • Hide file extensions, if required.
          • Hide System/Hidden files, if required.
          • Set a new, clean Restore Point.
          ----------

          Download
        ATF Cleaner by Atribune to your Desktop.

        Alternate download link

        Note: Vista users must use Run As Administrator
        • Under Main: Select Files to Delete choose: Select All.
        • Click the Empty Selected button.
        • If you use Firefox browser click Firefox at the top and choose: Select All
        • Click the Empty Selected button.
          If you would like to keep your saved passwords click No at the prompt.
        • If you use Opera browser click Opera at the top and choose: Select All
        • Click the Empty Selected button.
          If you would like to keep your saved passwords click No at the prompt.
        • Click Exit on the Main menu to close the program.
        Note that your system will run slower for a reboot or two after having used this tool so don't panic.

        ----------

        Download OTCleanIt.exe and save it to your Desktop.
        • Double-click OTCleanIt.exe.
        • Click the CleanUp! button.
        • Select Yes when the "Begin cleanup Process?" prompt appears.
        • If you are prompted to Reboot during the cleanup, select Yes.
        • The tool will delete itself once it finishes, if not delete it yourself.
        Important: Restart the computer before continuing.

        ----------

        Run the Kaspersky Online Scanner

        In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

        • Click on SCAN NOW
        • Click Accept.
        • The program will then begin downloading the latest definition files.
        • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
        • The scan will take a while, so be patient and let it finish.
        When the scan is done, in the Scan is complete window, any infection is displayed.
        There is no option to clean/disinfect, however, we need to analyze the information on the report.

        To obtain the report:
        Click on: Save Report As
        • Next, in the Save as prompt, Save in area, select: Desktop.
        • In the File name area use KScan, or something similar.
        • In Save as type: click the drop arrow and select: Text file [*.txt]
        • Then, click: Save


        Copy and paste the Kaspersky Online Scanner Report in your next reply.

        Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

        ashton

          The KasperSky scan showed no infected files, and therefore the scan report is blank. I'm wondering if this means that the virus is gone for sure.

My Control Panel is still in "forced Classic mode" without the option to change it back. Is this a side effect of the virus, and how do I fix it?

          Thank you so much for all the help so far!

          ashton

            Oh, sorry, here is the clean scan:

            --------------------------------------------------------------------------------
            KASPERSKY ONLINE SCANNER 7 REPORT
             Tuesday, November 4, 2008
             Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
             Kaspersky Online Scanner 7 version: 7.0.25.0
             Program database last update: Wednesday, November 05, 2008 04:54:52
             Records in database: 1369829
            --------------------------------------------------------------------------------

            Scan settings:
               Scan using the following database: extended
               Scan archives: yes
               Scan mail databases: yes

            Scan area - My Computer:
               C:\
               D:\

            Scan statistics:
               Files scanned: 64871
               Threat name: 0
               Infected objects: 0
               Suspicious objects: 0
               Duration of the scan: 01:10:48

            No malware has been detected. The scan area is clean.

            The selected area was scanned.

            ashton

              By the way, I'm now experiencing trouble with the internet. Certain images (like google's) and icons on certain websites aren't loading. Also, hotmail doesn't load at all, and some sites that do load are strangely formatted.

              evilfantasy

              Let's try a few things.

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.
              • Open the folder and run Dial-a-fix.exe
              • 2 windows will open. Close the one in the background labeled Restrictive Policies
              • Check the box in section 1, Empty temp folders.
              • Check the box in section 2, Fix Windows Installer.
              • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
              • Check all boxes in Section 5, labeled Registration Center.
              • Click Go
              • OK any error messages if received, but write them down and post them here.
              • Restart the computer when done.
              .
              ----------

              Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

              Double-click FixPolicies.exe.
              Click the Install button on the bottom toolbar of the box that will open.
              The program will create a new Folder called FixPolicies.
              Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
              A black box will briefly appear and then close.
              Restart the computer so the changes can take effect.

              ----------

              How is everything now?

              ashton

                Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                « Reply #10 on: November 05, 2008, 02:15:07 AM »
                While there were no errors with either option, my Control Panel and internet (Firefox 3.0.3) are still the same - Control Panel is stuck in Classic mode without the option to change, and hotmail isn't loading, while other sites are loading strangely and some images are missing.

                Thank you so much for all your continued help, I really appreciate it!

                evilfantasy

                Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                « Reply #11 on: November 05, 2008, 10:24:20 AM »
                1. Download IEFix.zip and run it.
                2. Click the Apply button.
                3. You'll be prompted for the Operating System CD or the Service Pack Files location.
                4. Once finished Restart Windows.

                ashton

                  Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                  « Reply #12 on: November 05, 2008, 12:33:24 PM »
                  Ah, I did, and there's no change to my control panel or my browser.

                  (Although IE is working perfectly now, my default browser isn't.)

                  evilfantasy

                  Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                  « Reply #13 on: November 05, 2008, 09:29:33 PM »
                  See if this fixes the Control Panel.

                  Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                  Go to Start > Run and type notepad.exe then click OK

                  Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
                  Windows Registry Editor Version 5.00

                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
                  "NoVisualStyleChoice"=dword:00000000
                  "NoColorChoice"=dword:00000000
                  "NoSizeChoice"=dword:00000000

                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
                  "SetVisualStyle"=-

                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
                  "ThemeActive"="1"
                  "DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
                    74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
                    00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
                    6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
                    00,00,00
                  "ColorName"="NormalColor"

                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
                  "NoSaveSettings"=dword:00000000

                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
                  "ClassicShell"=dword:00000000

                  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
                  "ClassicShell"=dword:00000000

                  Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

                  Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

                  Delete the fixme.reg from the Desktop.
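Before merging a .reg file someone posts, it is worth checking exactly what it will change. The Python parser below is an added example, not part of the thread: it reads the fixme.reg text above (embedded as sample input), decodes the hex(2) continuation lines into the REG_EXPAND_SZ string they encode, and lists which Policies restrictions the file clears or deletes.

```python
import re

# Constructed copy of the fixme.reg text posted above, used as sample input.
FIXME_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoVisualStyleChoice"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"ColorName"="NormalColor"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000
'''

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_VALUE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _logical_lines(text):
    """Join lines ending in a backslash (the .reg continuation marker)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def parse_value(rhs):
    """Decode the right-hand side of a .reg value into (type, value)."""
    if rhs == "-":
        return ("delete", None)               # "name"=- removes the value
    if rhs.startswith("dword:"):
        return ("REG_DWORD", int(rhs[6:], 16))
    if rhs.startswith('"') and rhs.endswith('"'):
        return ("REG_SZ", rhs[1:-1])
    m = HEX_VALUE.match(rhs)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":                  # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
        return ("REG_BINARY" if m.group(1) is None else f"hex({m.group(1)})", data)
    raise ValueError(f"unsupported value syntax: {rhs!r}")


def parse_reg(text):
    """Return {key path: {value name: (type, value)}}; repeated keys merge."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


def restriction_changes(parsed):
    """(key, name, action) for every value under a Policies key: 'cleared' for
    a DWORD set to 0, 'deleted' for a '-' entry, otherwise 'set'."""
    changes = []
    for key, values in parsed.items():
        if "\\Policies\\" not in key:
            continue
        for name, (kind, value) in values.items():
            if kind == "delete":
                action = "deleted"
            elif kind == "REG_DWORD" and value == 0:
                action = "cleared"
            else:
                action = "set"
            changes.append((key, name, action))
    return changes


if __name__ == "__main__":
    for key, name, action in restriction_changes(parse_reg(FIXME_REG)):
        print(f"{action:8} {key}\\{name}")
```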




                  ashton

                    Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                    « Reply #14 on: November 05, 2008, 09:44:09 PM »
                    I did it, and I got a success message, however there was no change with my control panel. I've attached a screenshot so you can see the missing options for reference.

                    And once more, I highly appreciate the ongoing help!

                    [Saving space - attachment deleted by admin]

                    evilfantasy

                    Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                    « Reply #15 on: November 05, 2008, 09:49:10 PM »
                    Go to Tools > Folder Options > Restore Defaults

                    ashton

                      Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                      « Reply #16 on: November 05, 2008, 09:56:14 PM »
                      It is exactly as before.

                      ashton

                        Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                        « Reply #17 on: November 05, 2008, 09:58:39 PM »
                        Perhaps I should have phrased that better! What I mean to say is that it didn't help!

                        I realized too late how it sounded, forgive me.

                        evilfantasy

                        Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                        « Reply #18 on: November 05, 2008, 10:06:33 PM »
                        Do you have an XP CD?

                        If so, place it in your CD ROM drive and follow the instructions below:
• Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

                        evilfantasy

                        Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                        « Reply #19 on: November 05, 2008, 10:11:24 PM »
                        Also for the mail problem try this.

                        Reset Web Settings & Default Security Settings

                        Note for IE 7 users:

                        Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

                        Note for IE 6 users:

                        To Reset Web Settings:
                        • Right click on your desktop Internet Explorer icon and select Properties.
                        • Click the Programs tab and then click Reset Web Settings.
                        • Now go back to the General tab and set your home page address to something useful like www.computerhope.com
                        • Click Apply.
                        • Next click Delete Cookies, Click Delete Files and select Delete all offline content.
                        • Click OK > OK
                        If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computerhope.com
                        Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

                        To Reset Default Security Settings:
                        • Right click on your desktop Internet Explorer icon and select Properties
                        • Then click the Security tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
                        • For IE 7 users, simply click the "Reset all zones to default level" button.

                        ashton

                          Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                          « Reply #20 on: November 05, 2008, 10:16:12 PM »
                          The only CDs I have for my computer are:

                          Windows XP Media Center

                          Dell Media Direct

                          Inspiron Computer Software

                          Microsoft Works 8.5

                          Are any of these sufficient? My internet problems are only with Firefox, which was fine before the virus. IE is working beautifully, actually, just not Firefox, which I prefer to be my default browser.


                          evilfantasy

                          Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                          « Reply #21 on: November 05, 2008, 10:19:09 PM »
                          Try re-installing Firefox.

                          ashton

                            Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                            « Reply #22 on: November 05, 2008, 10:34:12 PM »
                            Ah, no changes.

                            evilfantasy

                            Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                            « Reply #23 on: November 05, 2008, 10:54:18 PM »
                            Download ATF Cleaner by Atribune to your Desktop.

                            Alternate download link

                            Note: Vista users must use Run As Administrator
                            • Under Main: Select Files to Delete choose: Select All.
                            • Click the Empty Selected button.
                            • If you use Firefox browser click Firefox at the top and choose: Select All
                            • Click the Empty Selected button.
                              If you would like to keep your saved passwords click No at the prompt.
                            • If you use Opera browser click Opera at the top and choose: Select All
                            • Click the Empty Selected button.
                              If you would like to keep your saved passwords click No at the prompt.
                            • Click Exit on the Main menu to close the program.
                            Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Now DELETE ATF-Cleaner, then run CCleaner

                            Important: Restart the computer before continuing.

                            Any better?

                            ashton

                              Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                              « Reply #24 on: November 05, 2008, 11:09:34 PM »
                              It fixed Firefox! 8D Thank you!

                              But now Windows looks different, aha! Not bad, just different - the Start menu now has a white/light blue background and the colors are different! I can live with it though; it doesn't bother me!

                              How weird that Windows... changed! But the Control Panel is still wonky.


                              evilfantasy

                              Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                              « Reply #25 on: November 05, 2008, 11:12:44 PM »
                              You did restart right?

                              I'll look around for an answer. You might go ahead and try the sfc /scannow with the Windows XP Media Center CD

                              ashton

                                Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                « Reply #26 on: November 05, 2008, 11:40:20 PM »
                                I did restart, but I see what happened - the Appearance changed from XP Media Center to just plain XP. I changed it back, and will now run the CD for XP Media Center.

                                ashton

                                  Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                  « Reply #27 on: November 06, 2008, 12:18:36 AM »
                                  I started the process for the XP CD like you suggested, but near the end of the loading screen, it prompts me to put in the "Windows XP Professional CD2" now. I don't have such a CD. The XP Media Center is the only XP related CD I got with my computer.

                                  evilfantasy

                                  Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                  « Reply #28 on: November 06, 2008, 10:45:24 AM »
                                  XP Media Center is the same as XP Pro.

                                  ashton

                                    Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                    « Reply #29 on: November 06, 2008, 01:17:57 PM »
                                    Then I don't know why it prompts me for a different CD near the end of the blue loading bar's progress. :/ I put it in and did as you told me, and it loads up to about 98% before telling me to put in another CD.

                                    evilfantasy

                                    • Malware Removal Specialist
                                    • Moderator


                                    • Genius
                                    • Calm like a bomb
                                    • Thanked: 493
                                    • Experience: Experienced
                                    • OS: Windows 11
                                    Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                    « Reply #30 on: November 06, 2008, 09:20:46 PM »
                                    All I can say is that the XP Media Center CD is the same thing as XP Pro. They have the same files.

                                    ashton

                                      Topic Starter


                                      Rookie
                                      • Experience: Beginner
                                      • OS: Windows 7
                                      Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                      « Reply #31 on: November 07, 2008, 04:29:30 PM »
                                      I don't have another XP CD, but I was able to fix my control panel by:

                                      Going to: Start > Run, and typing gpedit.msc

                                      Then clicking on the left hand pane, under User Configuration, then clicking on Control Panel, and setting it to Not Configured.

                                      I've done another virus scan, and it looks like I'm totally in the clear now! Thank you so so much, evilfantasy! You're a life saver!
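
The gpedit.msc fix described above works because those Control Panel policies are just registry values under the Explorer Policies key, which is also where malware plants them. The following script is an added example, not from this thread; it audits and clears those values from PowerShell (assumes Windows PowerShell 2.0 or later, run as the affected user; the HKLM branch needs an elevated prompt).

```powershell
# Added example: find and clear Explorer policy restrictions such as a forced
# Classic View or a hidden Control Panel. Setting a policy to "Not Configured"
# in gpedit.msc deletes the value, so Remove-ItemProperty has the same effect.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Value names behind the relevant gpedit policies; a non-zero DWORD means Enabled.
$watchValues = 'ForceClassicControlPanel', 'NoControlPanel', 'NoFolderOptions', 'NoRun'

function Get-ExplorerPolicyRestrictions {
    $found = @()
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $watchValues) {
            $value = $props.$name
            if ($null -ne $value -and $value -ne 0) {
                $found += New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
    return $found
}

function Clear-ExplorerPolicyRestrictions {
    foreach ($hit in @(Get-ExplorerPolicyRestrictions)) {
        Remove-ItemProperty -Path $hit.Path -Name $hit.Name -ErrorAction SilentlyContinue
        Write-Host ("Removed {0}\{1} (was {2})" -f $hit.Path, $hit.Name, $hit.Value)
    }
}

$hits = @(Get-ExplorerPolicyRestrictions)
if ($hits.Count -eq 0) {
    Write-Host 'No Explorer policy restrictions are set.'
} else {
    $hits | Format-Table Path, Name, Value -AutoSize
    Clear-ExplorerPolicyRestrictions
}
```

Explorer reads these values at logon, so log off and back on (or restart explorer.exe) for the change to show; if a value reappears after a reboot, something is still re-creating it and the machine is not clean.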

                                      evilfantasy

                                      • Malware Removal Specialist
                                      • Moderator


                                      • Genius
                                      • Calm like a bomb
                                      • Thanked: 493
                                      • Experience: Experienced
                                      • OS: Windows 11
                                      Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                      « Reply #32 on: November 07, 2008, 07:29:02 PM »
                                      Set a New Restore Point to prevent possible reinfection from an old one
                                      Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                                      • Go to Start > Programs > Accessories > System Tools and click System Restore
                                      • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                                      • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                                      • Next go to Start > Run and type Cleanmgr
                                      • Click OK
                                      • Click the More Options Tab.
                                      • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                                      You can find instructions on how to enable and re-enable system restore here:

                                      Windows XP System Restore Guide or Windows Vista System Restore Guide
                                      ----------

                                      Use the Secunia Software Inspector to check for out of date software.
                                      • Click Start Now
                                      • Check the box next to Enable thorough system inspection.
                                      • Click Start
                                      • Allow the scan to finish and scroll down to see if any updates are needed.
                                      • Update anything listed.
                                      ----------

                                      Go to Microsoft Windows Update and get all critical updates.

                                      ----------

                                      Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.

                                      Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                                      To prevent unknown applications from being installed on your computer, install WinPatrol 2008
                                      * Using Winpatrol to protect your computer from malicious software

                                      I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                                      SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                      * Using SpywareBlaster to protect your computer from Spyware and Malware
                                      * If you don't know what ActiveX controls are, see here

                                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                      Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
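
The restore point steps above can also be scripted so that the new clean point is created and verified in one go. This is an added example, not from this thread; it assumes Windows Vista or later with Windows PowerShell 2.0+ run from an elevated prompt (XP does not ship these cmdlets), and it leaves removal of the old points to Disk Cleanup as described above.

```powershell
# Added example: create a post-cleanup restore point, confirm it is the newest,
# and report how many older (possibly infected) points still exist.
function New-CleanRestorePoint {
    param([string]$Description = 'Clean after malware removal')
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Newest point first; SequenceNumber increases with every point created.
    $points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending)
    if ($points.Count -eq 0) { throw 'System Restore appears to be disabled on this drive.' }
    if ($points[0].Description -ne $Description) {
        throw 'Newest restore point is not the one just requested; check System Restore settings.'
    }
    return $points[0]
}

$newest = New-CleanRestorePoint
# CreationTime is a WMI date string; convert it for the log entry the thread recommends keeping.
$created = [Management.ManagementDateTimeConverter]::ToDateTime($newest.CreationTime)
Write-Host ("Restore point #{0} '{1}' created {2}" -f $newest.SequenceNumber, $newest.Description, $created)

# Anything older than the new point predates the cleanup and could restore the infection.
$old = @(Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -lt $newest.SequenceNumber })
Write-Host ("{0} older restore point(s) remain; remove them via Disk Cleanup > More Options." -f $old.Count)
```

On Windows 8 and later, Checkpoint-Computer silently skips creation if another point was made within the last 24 hours, which is why the function checks the description of the newest point instead of trusting the call.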

                                      ashton

                                        Topic Starter


                                        Rookie
                                        • Experience: Beginner
                                        • OS: Windows 7
                                        Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                        « Reply #33 on: November 07, 2008, 09:09:28 PM »
                                        Ace! Done and done; I've taken all your advice, and highly, highly appreciate all your help! Thank you~!

                                        evilfantasy

                                        • Malware Removal Specialist
                                        • Moderator


                                        • Genius
                                        • Calm like a bomb
                                        • Thanked: 493
                                        • Experience: Experienced
                                        • OS: Windows 11
                                        Re: I have a virus that never goes away - could be Vundo. Any help appreciated!
                                        « Reply #34 on: November 07, 2008, 09:12:49 PM »
                                        Glad you got it figured out!

                                        Safe surfing...