
Thread: Computer cleaned (?) but Control Panel still inaccessible


  1. #1
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by Tirhakah:
    Ok, here they are:
    The ComboFix was done in Safe Mode, and the HJT after the computer was back in Normal Mode.
    Great! Almost done - For some reason the fix scripts are only partially taking.

    Let's do this by hand:

    -- Completely Uninstall Kaspersky (via Add/Remove Programs, if possible) and then DELETE this folder if it remains: C:\Program Files\Kaspersky Lab

    -- Download the attached Zip. Please extract Fixit.reg to the desktop and DoubleClick on it and allow it to merge into the registry. Let me know if there are any problems with that.

    -- Boot to Safe Mode with the Viewing of Hidden Files Enabled and see if you can locate C:\WINDOWS\system32\wowfx.dll
    RightClick on it and Rename it to wowfx.BAD
    Then, please upload it here for analysis and let me know what you find ---> http://virusscan.jotti.org/


    If the above goes well, reinstall or re-enable your Resident Anti-virus program. Also, I would suggest installing Zone Alarm Firewall from my linky below as well.

    Best luck
    PP
    Attached Files

  2. #2
    Join Date
    Jan 2008
    Posts
    18
    Sorry, I haven't been home for a couple of days.
    Anyway, I removed Kaspersky, and the online file scanner portion, but when I tried to merge Fixit with the Registry Editor, I got an error saying "Cannot import C:\Documents and Settings\User\Desktop\Fixit.reg: The specified file is not a registry script.
    You can only import binary registry files from within the registry editor."
    Assuming that this stage was required, I therefore haven't done anything about wowfx.dll.

  3. #3
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by Tirhakah:
    Sorry, I haven't been home for a couple of days.
    Anyway, I removed Kaspersky, and the online file scanner portion, but when I tried to merge Fixit with the Registry Editor, I got an error saying "Cannot import C:\Documents and Settings\User\Desktop\Fixit.reg: The specified file is not a registry script.
    You can only import binary registry files from within the registry editor."
    Assuming that this stage was required, I therefore haven't done anything about wowfx.dll.
    No worries!

    Let's try that again - I need to get one of our admins to allow the uploading of .reg extensions so I don't need to zip them. Always causes headaches.

    Anyhoo, please download the attached FIXME.txt to the Desktop.
    --- You will need to change the extension to FIXME.reg and allow that change.
    Then, DoubleClick on FIXME.reg and allow it to merge into the registry.
    Also, please finish the rest of the previous steps concerning wowfx.dll.

    And, how about a fresh ComboFix log as well, please.

    Cheers
    PP
    Attached Files

  4. #4
    Join Date
    Jan 2008
    Posts
    18
    I still get the same error when trying to allow it to merge.
    Also, even in Safe Mode with hidden files enabled, I can't find wowfx.dll.
    There's a wowfax.dll, though...
    And the combofix log is attached:
    Attached Files

  5. #5
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by Tirhakah:
    I still get the same error when trying to allow it to merge.
    Well . . . crap! I have attached a tiny batch file to have a look at the registry policy.
    -- Please download the attached Looky.bat and DoubleClick it to run it.
    A log will pop up in Notepad - please post the contents for me.

    Quote Originally Posted by Tirhakah:
    Also, even in Safe Mode with hidden files enabled, I can't find wowfx.dll.
    There's a wowfax.dll, though...
    wowfax.dll is legit. Often malware will have similarly named .exes.

    I think most of the actual malware files have been cleaned along the way and we are just dealing with remnants. But, just to be certain, I have attached a fresh CFScript.txt.
    -- Please DL the latest version of ComboFix.exe and delete any older versions and then drag and drop this new CFScript over ComboFix.exe to run it.
    --Also, since you have StartupCPL onboard, I am going to remove most of those MSConfig keys.

    Please post the new Combofix log along with the log from my batch file.
    As I mentioned, we are probably dealing with remnants and they ought not to cause any problems. But, I'd like to try to be as thorough as possible.

    PP
    Last edited by PhilliePhan; 02-01-2008 at 05:23 PM. Reason: Removed used attachments
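Two things in the posts above are easy to check by hand: why the Registry Editor says a file "is not a registry script" (the reply to post #2, and the rename-to-.reg retry in post #3), and what the policy keys that a batch file like Looky.bat would "have a look at" actually contain (post #5). The script below is an added example written for this thread; it is not Fixit.reg, FIXME.reg, Looky.bat or the CFScript, whose contents are not shown here. It assumes regedit's documented header rule (the first line must be "Windows Registry Editor Version 5.00", or "REGEDIT4" for the old format) and uses the real Explorer/System policy value names (NoControlPanel, DisableRegistryTools, and so on); the sample .reg texts are constructed.

```python
"""Validate a .reg script the way regedit does before merging it, and report
any Policies values in it that lock the user out of Control Panel or regedit.

Added example for this thread, not any of the helper's attachments. Assumption:
regedit only accepts files whose first line is one of REG_HEADERS (a UTF-8 BOM
or a leading blank line in front of the header makes that check fail).
"""
import re
from typing import Dict, List, Tuple

REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Real policy value names; a non-zero DWORD hides Control Panel, Run, etc.
LOCKOUT_VALUES = {
    EXPLORER: ("NoControlPanel", "NoRun", "NoFolderOptions"),
    SYSTEM: ("DisableRegistryTools", "DisableTaskMgr"),
}

KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")            # [-HKEY...] deletes a key
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "Name"=... or @=...


def decode_reg(data: bytes) -> str:
    """regedit saves v5 exports as UTF-16LE with a BOM; treat anything else as 8-bit text."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def to_reg_bytes(text: str) -> bytes:
    """Encode a script the way regedit exports it (BOM + UTF-16LE), on any host byte order."""
    return b"\xff\xfe" + text.encode("utf-16-le")


def parse_reg(data: bytes) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (errors, keys); keys maps a key path to {value name: raw text}.
    A deleted value is stored as "-", a key to be deleted is stored under "-" + path."""
    errors: List[str] = []
    keys: Dict[str, Dict[str, str]] = {}
    lines = decode_reg(data).splitlines()
    if not lines or lines[0].strip() not in REG_HEADERS:
        errors.append(f"first line is not a regedit header: {(lines[0] if lines else '')!r}")
    current = None
    continuing = False  # inside a hex:..,\ value continued on the next line
    for n, line in enumerate(lines[1:], start=2):
        line = line.rstrip()
        if continuing:
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = ("-" if m.group(1) else "") + m.group(2)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(3).strip()
            continuing = line.endswith("\\")
            continue
        errors.append(f"line {n}: not a key or value line: {line!r}")
    return errors, keys


def dword(raw: str) -> int:
    """Integer value of a dword:XXXXXXXX entry, or -1 if the entry is not a DWORD."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else -1


def lockout_report(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """List (key, value name, 'sets' | 'clears') for every lockout policy value present."""
    report = []
    for path, names in LOCKOUT_VALUES.items():
        values = keys.get(path, {})
        for name in names:
            if name in values and values[name] == "-":
                report.append((path, name, "clears"))
            elif name in values and dword(values[name]) > 0:
                report.append((path, name, "sets"))
    return report


def unlock_script(report: List[Tuple[str, str, str]]) -> str:
    """Build a v5 .reg script that deletes every policy value the report says is set."""
    out = [REG_HEADERS[0], ""]
    by_key: Dict[str, List[str]] = {}
    for path, name, action in report:
        if action == "sets":
            by_key.setdefault(path, []).append(name)
    for path, names in by_key.items():
        out.append(f"[{path}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\r\n".join(out)


# Constructed samples: a script with no header (what regedit rejects as "not a
# registry script") and an export of a locked-down Policies hive.
NO_HEADER = to_reg_bytes(f'[{EXPLORER}]\r\n"NoControlPanel"=-\r\n')
LOCKED_EXPORT = to_reg_bytes(
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{EXPLORER}]\r\n"
    '"NoControlPanel"=dword:00000001\r\n'
    '"NoRun"=dword:00000000\r\n\r\n'
    f"[{SYSTEM}]\r\n"
    '"DisableRegistryTools"=dword:00000001\r\n'
    '"Note"=hex(2):65,78,\\\r\n  6c,00\r\n'   # constructed value, shows line continuation
)

if __name__ == "__main__":
    print(parse_reg(NO_HEADER)[0])
    errors, keys = parse_reg(LOCKED_EXPORT)
    print(errors, lockout_report(keys))
    print(unlock_script(lockout_report(keys)))
```

Run it against a real export (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" policies.reg` on the affected machine) to see which values are set before deciding what a fix script should clear; the script the helper attached would have been doing the clearing step for the values that matter here.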

  6. #6
    Join Date
    Jan 2008
    Posts
    18
    Here they are. I think ComboFix appears to have found wowfx somehow.
    Attached Files

  7. #7
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by Tirhakah:
    Here they are. I think ComboFix appears to have found wowfx somehow.
    Yup! I'm surprised it didn't find it earlier....
    I employed a different CFScript this time, but didn't think it would be necessary in the first place.

    I think wowfx.dll may have been hidden due to some sort of rootkit/stealthing process, though we can't be sure without running a number of rootkit detection tools. That is up to you whether you'd like to continue along those lines.
    The Gmer rootkit scan was clean, however, so my suspicion could very well be wrong.

    If indeed the system has been compromised by a rootkit (which in essence hides programs from the Windows API), then the only way you can truly be certain a machine is clean is to wipe the hard drive and reinstall the OS.

    At this point, the ComboFix log looks OK.
    -- You can delete this folder: C:\Program Files\Kaspersky Lab

    Also, I'd suggest visiting my linky below and getting AV and Firewall, installed and running. Also install Spyware Blaster, if you haven't already done so.

    PP
    Last edited by PhilliePhan; 02-01-2008 at 05:43 PM.
