
Thread: Computer cleaned (?) but Control Panel still inaccessible

  1. #41
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by Tirhakah View Post
    I still get the same error when trying to allow it to merge.

    Well... crap! I have attached a tiny batch file to have a look at the registry policy.
    -- Please download the attached Looky.bat and DoubleClick it to run it.
    A log will pop up in Notepad - please post the contents for me.

    Quote Originally Posted by Tirhakah View Post
    Also, even on safe mode with hidden files enabled, I can't find wowfx.dll
    There's a wowfax.dll, though...

    wowfax.dll is legit. Often malware will have similarly named .exes.

    I think most of the actual malware files have been cleaned along the way and we are just dealing with remnants. But, just to be certain, I have attached a fresh CFScript.txt.
    -- Please DL the latest version of ComboFix.exe and delete any older versions and then drag and drop this new CFScript over ComboFix.exe to run it.
    -- Also, since you have StartupCPL onboard, I am going to remove most of those MSConfig keys.

    Please post the new ComboFix log along with the log from my batch file.
    As I mentioned, we are probably dealing with remnants and they ought not to cause any problems. But, I'd like to try to be as thorough as possible.

    PP
    Last edited by PhilliePhan; 02-01-2008 at 05:23 PM. Reason: Removed used attachments
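
Added example, not part of the original post: a small check for the name confusion discussed above (wowfx.dll versus the legitimate wowfax.dll), flagging file names that sit one edit away from a known-good name. The baseline and observed lists are constructed for illustration, and a hit is only a prompt to inspect the file, not a verdict.

```python
# Added example: flag file names that closely resemble, but do not equal,
# a name on a known-good baseline. Both lists below are constructed samples.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

# Constructed baseline of legitimate Windows file names (assumption: in real
# use this would come from a clean reference install of the same OS version).
BASELINE = {"wowfax.dll", "kernel32.dll", "user32.dll", "svchost.exe", "lsass.exe"}

def lookalikes(observed, baseline=BASELINE, max_distance=1):
    """Return (name, resembled_baseline_name, distance) for near-misses."""
    known = {n.lower() for n in baseline}
    hits = []
    for raw in observed:
        name = raw.lower()              # Windows file names are case-insensitive
        if name in known:
            continue                    # exact match with baseline: not a lookalike
        # Closest baseline name; ties broken alphabetically for stable output.
        best = min(known, key=lambda k: (edit_distance(name, k), k))
        d = edit_distance(name, best)
        if d <= max_distance:
            hits.append((raw, best, d))
    return hits

# Constructed directory listing for the demonstration.
OBSERVED = ["wowfax.dll", "wowfx.dll", "WOWFAX.DLL",
            "svch0st.exe", "notepad.exe", "lsas.exe"]

if __name__ == "__main__":
    for name, resembles, dist in lookalikes(OBSERVED):
        print(f"{name}: resembles {resembles} (distance {dist}), inspect manually")
```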

  2. #42
    Join Date
    Jan 2008
    Posts
    18
    Here they are, I think ComboFix appears to have found wowfx somehow

  3. #43
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by Tirhakah View Post
    Here they are, I think ComboFix appears to have found wowfx somehow

    Yup! I'm surprised it didn't find it earlier....
    I employed a different CFScript this time, but didn't think it would be necessary in the first place.

    I think wowfx.dll may have been hidden due to some sort of rootkit/stealthing process, though we can't be sure without running a number of rootkit detection tools. That is up to you whether you'd like to continue along those lines.
    The Gmer rootkit scan was clean, however, so my suspicion could very well be wrong.

    If indeed the system has been compromised by a rootkit (which in essence hides programs from the Windows API), then the only way you can truly be certain a machine is clean is to wipe the hard drive and reinstall the OS.

    At this point, the ComboFix log looks OK.
    -- You can delete this folder: C:\Program Files\Kaspersky Lab

    Also, I'd suggest visiting my linky below and getting AV and Firewall installed and running. Also install Spyware Blaster, if you haven't already done so.

    PP
    Last edited by PhilliePhan; 02-01-2008 at 05:43 PM.

  4. #44
    Join Date
    Jan 2008
    Posts
    18
    I still can't see the Kaspersky Lab folder; I tried creating another with the same name to see if it would ask me to overwrite the old one, but no luck. Given that it still seems to be hiding, and what you said about rootkits, I would perhaps like to try one of the detection tools you mentioned...
    Also, I followed the link, and got ZoneAlarm and Spyware Blaster, but Kaspersky won't install alongside ZoneAlarm, so I suppose I'll try a different firewall.

  5. #45
    Join Date
    Aug 2006
    Posts
    578

    Quote Originally Posted by Tirhakah View Post
    Also, I followed the link, and got ZoneAlarm and Spyware Blaster, but Kaspersky won't install alongside ZoneAlarm, so I suppose I'll try a different firewall.

    Sorry! My fault - It slipped my mind that Kaspersky AV does not play well with the new version of ZA Firewall. It does OK with older versions. The problem here, I think, is that the new ZoneAlarm Security Suite includes the Kaspersky AV engine. I believe a demo version is included in this version of ZA Free, causing the problem.

    Frankly, I would suggest ---> http://usa.kaspersky.com/products_se...t-security.php
    This suite includes a Firewall and Anti-malware protection.


    Quote Originally Posted by Tirhakah View Post
    I still can't see the Kaspersky Lab folder; I tried creating another with the same name to see if it would ask me to overwrite the old one, but no luck. Given that it still seems to be hiding, and what you said about rootkits, I would perhaps like to try one of the detection tools you mentioned...

    Yeah - that doesn't make sense to me. It shows in the ComboFix log (though looks empty). Don't know why you can't find it.
    -- Some AV products have employed rootkit technology to hide certain components, but I doubt that is the case here. No sense stealthing the whole installation folder! LOL!

    However, I am worried because the ComboFix logs showed that your AV had been compromised by one of the baddies (Vundo) and needed to be removed and reinstalled.
    It may just be registry remnants remaining, though. Plus, if you are able to re-install Kaspersky with no problem, then I doubt we have anything to fret about....


    Let's try the following:

    -- Scan with Sophos Anti-Rootkit v1.3.1:
    http://www.sophos.com/products/free-...i-rootkit.html

    -There is an instruction manual on that page for your reference:
    http://www.sophos.com/sophos/docs/en.../rk_13_men.pdf

    Run the scan, but I think it might be best to hold off on having it clean anything at this point.

    Rather, allow the scan to finish completely and then click Start --> Run and then type or copy & paste %TEMP%\sarscan.log in the box and hit Enter.
    A log ought to open. Please save it to where you can find it easily and then submit it for me.
    -- Do not use your computer while the scan is running.


    ALSO:

    Please run http://www.eset.com/onlinescan/

    -- You will need to temporarily disable your current Anti-virus program.
    -- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.

    -- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
    -- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
    Please post that for me.

    Hopefully all will show clean!

    PP
    Last edited by PhilliePhan; 02-02-2008 at 04:53 PM.
