Posted 02 April 2008 - 01:44 PM
First of all, I use Windows XP SP2. I hate to say that it is in Greek (I am in Greece and this is my parents' PC; I would never ever ever use any other language for my system other than English) and some programs run in German (we lived in Germany for many years, so we are bilingual). I only state that because in order to write this post I will have to translate names and messages either from Greek or German into English, so the accuracy of the descriptions may suffer.
It all happened when I downloaded a video codec to watch a streamed video. Before running the installer I scanned it with Panda Internet Security 2007 and it came out clean. I ran the installer, and afterwards these things started happening all at once:
There were suddenly shortcuts on my desktop that I did not recognize - something like "immediate security" or something like that. Also, an icon in my system tray appeared and continuously warned me about my PC having been exposed to serious threats and needing protection right now. At the same time, an unknown anti-virus program - antivirus heat? virus heat? something like that - which had been installed on my system without me knowing, opened its main window and started performing a virus search, since I appeared to have been infected by spyware and trojans. The list of infected objects grew bigger and bigger, but seconds after that Panda Internet Security sent out a log message informing me that some virus had been blocked and neutralized, and as I was kind of overwhelmed by all these things and shocked, I opened Panda and started an antivirus search on my own.
After that I managed to stop Antivirus Heat and close it; I deleted the shortcuts from my desktop and uninstalled the antivirus program, as it had been installed like any other program, with its own folder in Program Files and everything.
The system tray icon continued to blink though, and a toolbar had been added to my Internet Explorer browser window - "System Security 7.1". Also, my home page had been erased, so when I opened Internet Explorer it was blank.
I do not remember exactly what I did next; I think I let Panda Security continue with the virus search and disconnected from the internet, while I opened the "manually uninstall programs" window through Control Panel looking for program names I did not recognize. I actually found two of them; their names were "internet security services" and "web browsing security". I chose "uninstall web browsing security" and a window popped up saying that uninstalling this program would cause Windows to restart. I was worried this was what the virus "would want me to do", so I did not do it yet.
I must admit, I was kind of hopeless and scared to connect to the internet to google for some help. So I returned to the main window of Panda Internet Security and found an option to look for vulnerabilities on my PC. I did so, and the program recognized a vulnerability named MS07-069, with the status of a heavy security risk. The program also listed the viruses or other threats which could exploit this weak spot; under this category there was one name listed, no_exploit (it turns out there seems to be no virus or spyware which exploits this vulnerability). This option of recognizing vulnerabilities on your PC gives you two buttons with choices to proceed, "more information" and "windows update", the latter connecting you to the Microsoft Update site. I did so, and found two updates for my Windows version, one Windows Genuine Advantage tool and the Microsoft Office 2003 Service Pack 3. I started downloading them both (naively hoping it might help with the virus), and while the Genuine Advantage tool caused no problems, the installation of the service pack got aborted just before finishing. On the Microsoft Update site one can view one's update history, and for the service pack it showed me a red X with the error code 0x51f. This seems not to have anything to do with the main problem of the infection, but my antivirus program always stops at a certain point, with an error message occurring saying "The profile name you have entered is not valid or contains characters which are not supported in your current windows system codepage. Please enter a different profile name." The title of this message says "Windows office outlook" in its banner, so I assume it has something to do with the Office service pack not installing properly.
The last time I ran the search for viruses, it seemed to me that the search lasted longer, and it found something (cookie/tribalfusion, cookie/onestat.com, cookie/AntiSpyKit, Cookie/Doubleclick, all of them in C:/Documents and Settings/USER/Cookies), but still, it stopped at the point where the error message appeared.
Anyway, I finally uninstalled "web browsing security" and the computer restarted. I also deleted "internet security services" from the manually uninstall programs list, as it was not possible to uninstall it because it seemed to have already been removed (a window that appeared said so). After the restart the blinking icon in the system tray had disappeared, as well as the Security Toolbar 7.1, but when I reconnected to the internet the toolbar returned, as well as some pop-ups with fake warnings about my vulnerability and another icon in the system tray, a yellow triangle with an exclamation mark on it, out of which a balloon pops up now and then informing me about the viruses and spyware I have been infected with, with a link on it to antivirus software.
I searched on the internet and found out about Smitfraud. I downloaded SmitfraudFix, as well as the free version of SUPERAntiSpyware. I followed a tutorial to block the System Security toolbar from appearing in IE, going to: Control Panel - Internet Options - Programs - Manage Add-ons and deactivating suspicious add-ons: Internet service (this is the toolbar; its file is WAMDL.DLL), Research (no information for this one) and both Windows Messenger and problem diagnosis (because they both had unknown providers, although I don't think that they are harmful). The toolbar is still installed on my system, but at least it's blocked. After that I prepared to follow the usual way to deal with Smitfraud - reboot in safe mode and use SmitfraudFix.
The problem is, and that is where I want to conclude, that any time I choose to start Windows in safe mode (keeping F8 pressed at startup before the Windows screen appears) I get a blue screen of death, which I can't read, because it is written in some weird characters and not letters, but down at the bottom it says STOP: 0x0000007B (0xF7B96524, 0x0000034, 0x00000000, 0x00000000)
My question is: What do I do now?
I have HijackThis and ComboFix. I know that I have to be extremely careful with both since I am not acquainted with their logs and with their meaning, but I thought I should start at the beginning and with as many details as possible, so that nothing gets overlooked in the process. That's why I did not go to the HijackThis forum at once, even though that's where I might end up after all.
So, anyone got any advice for me?
Thanks in advance