
Thread: Computer cleaned (?) but Control Panel still inaccessible

  1. #1
    Join Date
    Jan 2008
    Posts
    18

    Computer cleaned (?) but Control Panel still inaccessible

    Family computer just underwent a Win32.Virut infection (including all the other nasties that Virut brought in...). After cleaning it with Kaspersky, some problems still exist. Each time the computer boots, an error along the lines of 'Cannot find shell.exe' pops up, and also the Control Panel is missing from the Start menu, and inaccessible from everywhere else (insufficient admin privileges). I've found a couple of threads describing similar symptoms, but none quite similar enough that I can fix this from them without more help.
    Unfortunately the affected computer is disconnected from the network at the moment (paranoid parents worried about spread of infection), so I'm posting this from my own Mac, and transferring programs/log files via flash drive, if that makes any difference. Side effect is that Kaspersky's DB is well out of date - Nov 07 - because it can't connect to update itself, so there may be nasties still that Kaspersky doesn't recognise. (Virut infection was about 04 Jan 08, computer was connected and receiving more stuff til the 7th, disconnected, installed Kaspersky from USB, and disinfected since then)
    Attached Files

  2. #2
    Join Date
    Aug 2006
    Posts
    578
    Quote Originally Posted by Tirhakah
    (Virut infection was about 04 Jan 08, computer was connected and receiving more stuff til the 7th, disconnected, installed Kaspersky from USB, and disinfected since then)
    Sounds like some malware remains. I have a hard time reading that HJT log - make sure Word Wrap is turned off.

    I did see some Vundo remnants. So, until Judy can check in, please run the following as per the instructions:

    http://vundofix.atribune.org/

    Post the Vundofix log and a fresh HJT for Judy. We'll probably need to run ComboFix as well, but the compy will need to be online for that.

    I'll defer to Judy now, since she is more up-to-date on baddies than I these days.

    Best Luck
    PP

    **
    Just wanted to add that the "shell.exe" message is likely due to the removal of a malware file (shell.exe) that remains in the registry to be called at startup.
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork .exe,taskmar.exe


    There remains a bunch more in the HJT log, but I think a run of ComboFix will weed them down considerably!
    Last edited by PhilliePhan; 01-11-2008 at 04:53 PM. Reason: Added Info

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Please do as PP has requested and be absolutely certain that the word wrap is OFF in Notebook before you post the log.

  4. #4
    Join Date
    Jan 2008
    Posts
    18
    I've run VundoFix, took a while but I assume that's usual. Both logs are attached, and I'm pretty certain they have word wrap off, but as I'm posting from a Mac it may be that the formatting is different. I can try resaving them differently (.rtf?) if that would help.

    *Quick edit* added another copy of the HJT log with different settings, still in .txt format tho.
    Attached Files
    Last edited by Tirhakah; 01-11-2008 at 07:36 PM.

  5. #5
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by Tirhakah
    *Quick edit* added another copy of the HJT log with different settings, still in .txt format tho.
    They're fine now . . . Well, they are more easily readable. Still a lot of malware.

    Let's go ahead and do the following:

    • Download combofix.exe by sUBs to the infested computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.


    When it finishes, it ought to
    • Produce a log for you. ( C:\Combofix.txt)
    • Restore your Internet connection.


    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.


    Please post the log and a fresh HJT and we'll go from there.

    You should also update the Java on this compy and remove ALL older Java versions!

    I imagine Judy will check in with further steps before I am able to check back.


    Cheers
    PP

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Once you have run Combofix and saved the log, of course, then do as PP said and download the newest Java version from here.
    Download the offline install and save it to the desktop. Once you have downloaded it, go to Add/Remove and uninstall all the old versions of Java that you find there. When they are all removed, install the new version. When the install is complete, go here
    to verify the installation. Post back here with the Combofix log and we will go from there.
    Judy

  7. #7
    Join Date
    Jan 2008
    Posts
    18
    Sorry, I didn't have access to the infected computer yesterday, but I've done what you said now. Combofix deleted several files, and Control Panel is now available again (yay). Updated Java, but I haven't been able to verify it yet, as I haven't been allowed to reconnect to the internet on that computer... also ran HJT, and the logs are attached.

    Notes:
    * Kaspersky kept flagging combofix.exe as infected with Heur.Invader(modification), don't know why...
    * when the computer restarted during combofix, it complained of not being able to find C:\WINDOWS\system32\ndaTqsVqrX.dll, one of the files that combofix removed.
    * Combofix also deleted some of Kaspersky's files.
    Attached Files

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Looking through the logs; will get back as soon as I can. PP may check in with suggestions also.
    Judy

  9. #9
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by Tirhakah
    * Kaspersky kept flagging combofix.exe as infected with Heur.Invader(modification), don't know why...
    Heuristic detections like this are not uncommon when you are working with tools such as these that shut down various Windows processes. No worries.

    Quote Originally Posted by Tirhakah
    * when the computer restarted during combofix, it complained of not being able to find C:\WINDOWS\system32\ndaTqsVqrX.dll, one of the files that combofix removed.
    That is another case of a registry remnant calling a removed malware at startup. We'll probably need to remove it manually.
    Quote Originally Posted by Tirhakah
    * Combofix also deleted some of Kaspersky's files.
    That is odd, but not surprising. I suggest uninstalling Kaspersky for the time being - until the machine is clean. Then completely re-install it so we can be sure it hasn't been damaged and will work properly in the future.


    ** This machine is pretty heavily infested - Please run ComboFix again. Download a fresh version as it is constantly updated. Please post the fresh scanlog.
    I know all these scans can be a pain, but they do make things easier (if less challenging) than they were back in the old days of ripping out infestations manually.
    We'll probably have a lot of "manual" removal to do afterward nonetheless...



    @Judy:
    I'd suggest a run of SDFix as well as a rerun of Combofix, and get both fresh logs before starting the manual removal process. What do you think?


    Cheers
    PP
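PP's note on the "shell.exe" message in post #2 and the ndaTqsVqrX.dll message here describe the same pattern: a Winlogon startup value still names a file the scanner has already removed, so the system complains at every boot. As an added example that is not part of this thread, the Python below parses HijackThis-style "F2 - REG:system.ini" lines, splits the Shell and UserInit values into their components, compares each against a clean Windows XP baseline, and flags components whose file is no longer on disk. The baseline values, the directories Winlogon is assumed to search for bare file names, and the PRESENT_FILES listing are assumptions constructed for the example; on the real machine the listing would come from checking each path with os.path.exists.

```python
import re

# Baseline Winlogon values a clean Windows XP install shows; an assumption
# made for this example, not something stated in the thread.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Constructed sample: the two F2 lines PP quoted from the HJT log. The space
# in "winwork .exe" is kept exactly as it appears in the post.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\shell.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,,winwork .exe,taskmar.exe
"""

# Constructed stand-in for the disk after the AV removed the malware files.
# On the real machine you would build this with os.path.exists per entry.
PRESENT_FILES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\userinit.exe",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)


def _resolve(entry, key):
    """Lower-case the entry and resolve a bare file name to the directory
    Winlogon would search (assumption: Shell from C:\\WINDOWS, Userinit
    from C:\\WINDOWS\\system32)."""
    name = entry.strip().lower()
    if "\\" in name:
        return name, name
    base = r"c:\windows" if key == "shell" else r"c:\windows\system32"
    return name, base + "\\" + name


def find_remnants(log_text, present_files=PRESENT_FILES):
    """Return one finding per Shell/Userinit component that is either outside
    the clean baseline or points at a file that no longer exists (the
    'Cannot find shell.exe' situation described in the thread)."""
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        # Shell is space-separated, Userinit is comma-separated.
        parts = value.split(",") if key == "userinit" else value.split()
        for raw in parts:
            if not raw.strip():
                continue  # the empty ",," slot in the Userinit value
            name, path = _resolve(raw, key)
            reasons = []
            if name not in EXPECTED[key]:
                reasons.append("not in clean baseline")
            if path not in present_files:
                reasons.append("file missing on disk (dangling startup entry)")
            if reasons:
                findings.append({"key": key, "entry": raw.strip(),
                                 "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_remnants(SAMPLE_LOG):
        print(f"{f['key']}: {f['entry']!r} -> {f['path']} [{'; '.join(f['reasons'])}]")
```

Run against the sample, it reports the three extra components (shell.exe, winwork .exe, taskmar.exe) and leaves Explorer.exe and userinit.exe alone; a component that is off-baseline but still present on disk is reported with only the first reason, which is the case worth a second look rather than a simple registry clean-up.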

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Sounds good to me!
    Download SDFix and save it to your Desktop.
    • Run the SDFix.exe by double clicking on it.
    • Allow it to install into the default location, which is c:\SDFix
    • Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode )
    • When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Attach the Report.txt file to your next message.
