Posted 13 July 2008 - 10:36 PM
Sure enough, I was disappointed when, after running Kaspersky online scanner, Malwarebytes, and ComboFix, I noted recurring hijacked webpages and popups and inability to start Auto Update in Services, etc., but at a reduced rate.
I decided to run Malwarebytes a second time which detected several residual entries not eliminated on the first pass.
I then reexamined System 32 and saw that a number of the infected dlls WERE STILL THERE and were not deleted as promised after rebooting.
I decided to PRINT OUT ALL THE LOG FILES from the initial Kaspersky, Malwarebytes, and ComboFix scans and then tediously went LINE-BY-LINE identifying, deleting, and in cases of the System 32 dlls, using McAfee's more secure recycle bin shredder to remove them (inviting McAfee back for short term use as it is free via my comcast.net subscription--see my last post about this).
It was time-consuming and tedious, but it worked. Much more helpful to refer to a printed page than to squint at the screen swiveling from txt files and the Registry trees...
I also took advantage of a Microsoft "836941 Windows Update guided tool" (self extracting cabinet type) which I downloaded to the desktop. It "automatically" performed the tasks of placing the update sites in the trusted sites of IE (which I had already done), purging the DNS cache or something like that (which I could not do from other Knowledge Base articles) and probably helped solve the frustrating 0x80070422, 0x80072ee2, etc. error messages which relate to failure to start Automatic Updates in Services, inability to access the Microsoft Update site, constant barrages from the Security Center icon when I had the OneCareLive running, and so on.
NO PROBLEMS NOW EXCEPT MISSING VOLUME ICON IN SYSTEM OR NOTIFICATIONS TRAY.
I NOW RECALL THAT BEFORE VUNDO INFECTION CONFIRMED, RIGHT CLICKING THE VOLUME ICON RESULTED IN A MESSAGE BOX STATING SOMETHING TO THE EFFECT THAT "Cannot adjust due to a hardware problem." This, besides the hijacked webpages, popup pages, and "Not Responding" was a clear-cut sign of infection, later confirmed.
The sound volume exe file is missing in System 32, is not located elsewhere, and I cannot locate my original XP Home disc--probably in my son's possession in Chicago--to reinsert the file. I do have sound but can mute or adjust only via Control Panel. (Checking the "place sound icon in system tray" leads to an error message which requires that I reinstall the missing sndvl32.exe which I cannot get...)
I did download a virus-free file placing an icon on the desktop that shows the full sound volume and effects box as one would see right-clicking the volume icon, for convenience.
BESIDES THE VARIOUS INFECTED REGISTRY KEYS, DLLS, ADIRSS.EXE, MY PROBLEM INVOLVED THESE WEBSITE NAMES:
altered Google search pages (but no Adware 2009 offers as far as I know)...
and a bunch of others I entered in Restricted Sites as I encountered them working on another user's account on the same laptop-- having to do with college degrees, stock tips, ebay searches, PC adware scans (of all things!)...
SO, KEEP TRYING, RUN THE SCANS SEVERAL TIMES, AND THINK ABOUT CONFIRMING DELETION OF ALL ENTRIES ITEM BY ITEM, LINE BY LINE, USING A PRINTOUT OF THE LOG FILE FOR VISUAL CONVENIENCE AS THE PROCESS IS TIME CONSUMING, TEDIOUS, BUT WORTH IT IN THE END.
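
Added example, not part of the original post: a sketch that automates the line-by-line check described above by pulling every file path out of saved scan logs and reporting which ones still exist on disk. The log layout and the `example_*` file names are constructed placeholders, not the real output format of any scanner; `extract_paths` and `still_present` are hypothetical helper names.

```python
import os
import re
import sys

# Drive-letter path that ends in a file extension, e.g. C:\WINDOWS\system32\x.dll
PATH_RE = re.compile(
    r'(?<![A-Za-z0-9])[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*'
    r'[^\\/:*?"<>|\r\n]+?\.[A-Za-z0-9]{2,4}\b'
)

# Constructed sample logs; the layout and file names are invented placeholders.
SAMPLE_LOGS = {
    "pass1.txt": r"""
Files Infected:
C:\WINDOWS\system32\example_a.dll (Trojan) -> Delete on reboot.
C:\WINDOWS\System32\example_b.dll (Trojan) -> Delete on reboot.
c:\windows\system32\EXAMPLE_A.DLL (Trojan) -> Delete on reboot.
""",
    "pass2.txt": r"""
Files Infected:
C:\WINDOWS\system32\example_b.dll (Trojan) -> Quarantined and deleted.
C:\Documents and Settings\user\Local Settings\Temp\example c.exe (Trojan) -> Quarantined.
""",
}

def extract_paths(log_text):
    """Return file paths found in a log, de-duplicated case-insensitively."""
    seen, paths = set(), []
    for match in PATH_RE.finditer(log_text):
        key = match.group(0).lower()  # Windows paths ignore case
        if key not in seen:
            seen.add(key)
            paths.append(match.group(0))
    return paths

def still_present(logs, exists=os.path.exists):
    """Map each listed path that still exists to the logs that reported it."""
    hits = {}
    for name, text in logs.items():
        for path in extract_paths(text):
            if exists(path):
                hits.setdefault(path.lower(), []).append(name)
    return hits

if __name__ == "__main__":
    # Usage: python check_logs.py log1.txt log2.txt ...  (no arguments: sample data)
    logs = {f: open(f, errors="replace").read() for f in sys.argv[1:]} or SAMPLE_LOGS
    for path, sources in sorted(still_present(logs).items()):
        print("STILL ON DISK:", path, "(listed in", ", ".join(sources) + ")")
```

A path reported by more than one scan pass and still on disk is the "promised deletion after reboot did not happen" case, and is the one to handle by hand.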