I registered today because I followed your "How to remove Antivirus XP 2008 (Uninstall Instructions)", but I believe I was still infected after that. I noticed something that I did not find described anywhere and may be of help to others:
When I was first infected with that thing I noticed a new file %WINDIR%\system32\el32.dll that was in use while the virus did its thing. I removed it in the recovery console (started from XP CD), but it reappeared shortly after that.
The Malwarebytes software that you recommend removed most symptoms but left el32.dll in place. It also claimed that the DLL was "not infected". However, it was still newly created and still in use, which made me suspicious. I got rid of it as follows:
- downloaded PrcView 5.2.15 (google for newest version of PrcView)
- In PrcView, go to menu View | Module Usage, find el32.dll in the list. Right-click dll, select "Filter Process List"
- Now only one instance of svchost.exe is shown in the main window of PrcView (note that svchost.exe is a generic process host; it is not necessarily bad). Right-click that instance and select Kill (it would have been smart to first check how it was run, which PrcView can also do, but I did not think of that - sorry).
- After that I ran ComboFix, which deleted some files:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\#SharedObjects\Q92H8EFP\interclick.com
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\#SharedObjects\Q92H8EFP\interclick.com\ud.sol
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Berend\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
It also found a new file c:\windows\el.ini, with these contents:
I removed that manually, just to be sure. I will also reinstall Symantec AntiVirus, which appears to be broken (each time I access a file in Explorer, it tries to reinstall Symantec AV).
Edited by berend, 10 August 2008 - 06:09 PM.
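As an added example, not part of berend's post or of PrcView: a PowerShell script that does the "Module Usage" step from the command line, listing every running process that has a given DLL loaded, and, before anything is stopped, shows how each hosting process was launched (the check the post says it skipped) together with the hash, timestamps and signature status of the DLL itself. It assumes Windows PowerShell 3.0 or later (Get-CimInstance; Get-FileHash needs 4.0) and an elevated prompt so that svchost.exe modules can be read; the DLL name is a parameter, and el32.dll is only the example from the post. Stopping the process is left commented out so the listing is reviewed first.

```powershell
# Added example, not code from the original post. Lists the processes that
# have a DLL loaded, shows how each was started, and records evidence about
# the DLL before any removal. Assumes Windows PowerShell 3.0+ run elevated.
param(
    [string]$ModuleName = 'el32.dll'   # name from the post, used only as the example
)

function Get-ProcessesLoadingModule {
    param([Parameter(Mandatory)][string]$Name)

    foreach ($proc in Get-Process) {
        # Reading .Modules fails for protected or other-bitness processes;
        # skip those rather than abort the whole sweep.
        try {
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $Name }
        } catch {
            continue
        }
        if (-not $hit) { continue }

        # How was the hosting process started? For svchost.exe the command
        # line carries the "-k <group>" service group; for anything else it
        # shows the full path and arguments. The parent tells you who spawned it.
        $info   = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($info.ParentProcessId)"

        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            ProcessId   = $proc.Id
            CommandLine = $info.CommandLine
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
            ModulePath  = ($hit | Select-Object -First 1).FileName
        }
    }
}

function Get-ModuleEvidence {
    param([Parameter(Mandatory)][string]$Path)
    # What you want to keep before deleting the file: size, timestamps,
    # SHA-256, and whether it carries a valid Authenticode signature. A DLL
    # in system32 that is unsigned and created recently stands out here.
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}

$hosts = @(Get-ProcessesLoadingModule -Name $ModuleName)
if (-not $hosts) {
    Write-Output "No running process has $ModuleName loaded."
    return
}
$hosts | Format-List

# Record evidence for the file itself before any removal.
$hosts | Select-Object -ExpandProperty ModulePath -Unique |
    ForEach-Object { Get-ModuleEvidence -Path $_ } | Format-List

# Only after reviewing the command lines above, stop the hosting process(es).
# Uncomment to actually do it:
# $hosts | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
```

Run it as `.\Find-LoadedModule.ps1 -ModuleName el32.dll` (hypothetical file name) from an elevated prompt. Because several unrelated services share one svchost.exe, the command line's service group is the part worth reading before the process is killed: it tells you which services will go down with it, and a DLL loaded into a legitimate service host is itself a sign that something registered it for loading, which is why it reappears after being deleted in the recovery console.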