Before posting this I had run numerous "malware removal" programs -- to no effect. My IE browser was all but useless. I could see the havoc being caused by scanning with tools such as Windows Defender and then with Hijack This. What I did would not have been possible without the visibility provided by HT. Great free tool.
I had noticed that if an offending registry entry was deleted, it would immediately get rewritten. None of the MW tools would kill the program running in memory.
Also learned that I could not find the offending files in C:\Windows\System32 because, though "Show Hidden Files" was checked, I had not unchecked "Hide Protected Operating System Files". Duh!
Being desperate and ready to replace the hard drive to solve the problem so I could get back to work, I decided to try on my own to resolve the issue. I am sure all of the volunteers on this site would agree with me that what I did was not the smartest thing to do and the probability of success was low. Anyway, here is what I learned.
Was wailing to myself about why IE wasn't run in a sandbox to preclude such problems. At that time I was checking out Kim Komando's site for MW tools and came across Sandboxie. This is a great freeware program that will greatly reduce IE MW problems as it runs sandboxed and redirects changes targeted to the "real" registry to the sandbox registry. Same is true for new files being downloaded or modified automatically.
My McAfee and Windows Defender saw the MW changes being made -- but let them occur anyway. Did not ask me what I wanted to do as it occurred. Not much protection to those at the beginning of a MW issue.
Anyway, running IE in Sandboxie, could see new MW dll's being spawned in the "sandbox" System32 folder. So went to the "real" System32 folder and added a "z" prefix to the MW file names. Those file names by type previously identified from MW scans and by checking the registry. Looked for the files in other folders, not found. When rechecked System32 found another set had been spawned. Gave those the z prefix and about a dozen others that matched the profile of random name, file type, file size, and date. Closed all of the windows and turned off my computer with the computer power switch.
Restarted the computer in Safe Mode and scanned with Hijack This. HT showed the registry entries being loaded but the files were not run as they no longer existed with the called name. The MW program(s) were no longer running in memory. Then deleted from the registry all associated MW file names and ClassId's.
Computer runs great now, very fast. And since I am surfing the internet running "Sandboxie" feel a lot safer. So, with the grace of God, I was able to remove all of the malware.
After thinking about this incident for another day, decided that I needed to edit this post by adding more information to what was written above.
While still infected, Sandboxie showed two files (qmgr0 & qmgr1) being accessed at "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\". When I added the "z" prefix to the filename of the MW files in System32 (see above), these two files also were renamed. Afterward, these two files were automatically regenerated, so I believed they had nothing to do with the MW. Rethinking, I noticed the MW file size was several k larger and they have not been accessed by my "clean" system. So now I believe these two files had been changed by the MW.
MW files in System32 were:
1. A 60kb application with filename "~" that was not hidden. This never spawned.
2. A 2kb file that would spawn, marked "Operating System Files and Hidden".
3. A 1-2 mb Configuration Settings file that would spawn.
4. 2 .dll's (83kb & 96kb) Application Extension files that would spawn. Description: Eset Hooks Dll. When these two spawned, they would be marked "Operating System Files and Hidden" but occasionally one would be left unmarked and therefore visible.
Filenames were 8 characters long with random letters and numbers.
Another major enlightenment I received was about my McAfee virus protection software. I had "ass u me d" that the software would be loaded locked-down as MS now does with their servers. Babe-in-the-woods me was very wrong. The basic configuration did little more than log the MW being loaded. Guess it makes it easier for them to clean the system when you call and pay $90 for McAfee live help.
Edited by Ranger Tom, 03 January 2009 - 11:06 AM.
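As an added example, not code from the post or from any tool it mentions: a small Python triage script that applies the file profile the post describes (8-character random name, hidden+system attributes, recent timestamp, small size) to directory entries and reports only files that match several indicators at once, because a legitimate name such as kernel32 also happens to be 8 characters. The extension set, the size and age thresholds, and the sample entries are assumptions constructed for the example.

```python
import os
import re
import stat
from datetime import datetime, timedelta

# Triage profile drawn from the post (a heuristic for manual review, not a signature):
# 8-char alphanumeric stem, a few extensions, hidden+system attributes, recent mtime, small size.
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{8}$")
SUSPECT_EXT = {".dll", ".exe", ".ini"}  # assumed set
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM  # 0x2 | 0x4

def score_entry(name, size, attrs, mtime, now, window_days=7):
    """Return the list of indicators one directory entry matches."""
    stem, ext = os.path.splitext(name)
    hits = []
    if RANDOM_STEM.match(stem) and ext.lower() in SUSPECT_EXT:
        hits.append("random-8char-name")
    if (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM:  # both bits set, as in the post
        hits.append("hidden+system")
    if now - mtime <= timedelta(days=window_days):
        hits.append("recent")
    if 1024 <= size <= 2 * 1024 * 1024:  # post: roughly 2kb to 2mb
        hits.append("size-in-range")
    return hits

def triage(entries, now, min_hits=3):
    """entries: (name, size, attrs, mtime) tuples; return names matching >= min_hits indicators."""
    return sorted(n for n, s, a, m in entries
                  if len(score_entry(n, s, a, m, now)) >= min_hits)

def scan_dir(path):
    """Build entries from a live directory (st_file_attributes is populated only on Windows)."""
    out = []
    with os.scandir(path) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                st = e.stat(follow_symlinks=False)
                out.append((e.name, st.st_size, getattr(st, "st_file_attributes", 0),
                            datetime.fromtimestamp(st.st_mtime)))
    return out

# Constructed sample entries; the random-looking names are made up, not real indicators.
NOW = datetime(2009, 1, 3, 11, 0)
SAMPLE = [
    ("kernel32.dll", 989_696, 0, datetime(2008, 4, 14)),  # legit file with an 8-char stem
    ("a7k2q9xz.dll", 85_000, HIDDEN_SYSTEM, datetime(2009, 1, 2)),
    ("p3mn8v1c.ini", 1_500_000, HIDDEN_SYSTEM, datetime(2009, 1, 2)),
    ("config.ini", 2_048, stat.FILE_ATTRIBUTE_HIDDEN, datetime(2009, 1, 2)),
]
```

On a Windows machine, `triage(scan_dir(r"C:\Windows\System32"), datetime.now())` lists candidates to check by hand; hits are a starting point for review, not a verdict.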