Author Topic: Viruses in system32 folder  (Read 52779 times)

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #60 on: April 17, 2007, 12:59:39 PM »
You're right Polonus.  If C:\WINDOWS\system32\clcl3.exe is still present it can be added to the user section of the chest and emailed to avast! before deletion.



EDIT:  BTW, just thought I should mention that clcl3.exe has not been shown as a start up in HijackThis since very early in this thread - its O4 entry is gone as of page 2.  So even if the file is still present I don't think it's been a factor in this for some time now.  That's why, if it is found, I think its removal need not be more complicated than simple deletion.
« Last Edit: April 17, 2007, 02:41:59 PM by mauserme »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Viruses in system32 folder
« Reply #61 on: April 17, 2007, 03:06:16 PM »
Hi mauserme,

Just came up in the line of thought, just watching this evolve. These kinds of threads are instructive, as you will understand. Following what is happening in here is brushing up my anti-malware lore. And hopefully I am not the only one... Just like to see another HJT file to see what we are at now with dd3.exe.

Thanx,

polonus
« Last Edit: April 17, 2007, 03:31:51 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #62 on: April 17, 2007, 08:36:54 PM »
Oh wait, sorry, it didn't say exactly as I said it. It says "Are you sure you want to delete all but most recent to the Restore Point?" So what does that mean exactly, like would it delete some of my programs or what?

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #63 on: April 17, 2007, 08:39:49 PM »
Oh wait, I'm not using a program for clean up, I'm using Disk Cleanup in the system tools. I didn't get cleanup yet. I'm downloading now.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #64 on: April 17, 2007, 08:45:52 PM »
Quote from: Steven6767
Oh wait, sorry, it didn't say exactly as I said it. It says "Are you sure you want to delete all but most recent to the Restore Point?" So what does that mean exactly, like would it delete some of my programs or what?

Lots to keep track of ...

Yes, you do want to delete all but the most recent restore point but make sure you first create a new, clean restore point as I outlined earlier.

This will not affect your programs at all.  The restore points are a collection of settings, drivers, etc. that Windows creates from time to time (or you can create manually) so that you can roll back to a good configuration if you need to.  The problem is, the restore points sometimes include malware, as did several of yours (look at your AVG AS log - they are the lines that start C:\System Volume Information\_restore ...).  By creating a new, clean point and deleting all the old ones we remove the possibility that you will roll back to a bad point at some time in the future.
« Last Edit: April 17, 2007, 08:48:15 PM by mauserme »

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #65 on: April 18, 2007, 12:45:37 AM »
Ok, I did everything you asked, made a restore point, did cleanup and downloaded both of those programs, and clcl3.exe is still not present. Am I clean now?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Viruses in system32 folder
« Reply #66 on: April 18, 2007, 12:53:32 AM »
Quote from: Steven6767
Am I clean now?

Most probably.
Do you have some time for full computer on-line scanning?

Kaspersky
Trendmicro housecall
Ewido
F-Secure
Panda ActiveScan
BitDefender (free removal of the malware)
HitmanPro (new online scanner)

I suggest the first one...
« Last Edit: April 18, 2007, 02:52:30 AM by Tech »
The best things in life are free.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #67 on: April 18, 2007, 02:36:15 AM »
Quote from: Steven6767
Ok, I did everything you asked ...

But have you updated your Service Pack?

You were deeply infected and we just spent 4 days of dedicated work to get you to this point.  You really don't want to do this all again ...

Here's a link to SP1a

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

and SP2

http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

Update the Service Pack and get all the security patches or we'll be spending a lot more time together   ;)


And Tech's suggestion is a good verification.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #68 on: April 18, 2007, 04:32:24 AM »
Haha yeah, the SPs are free to update, right?

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #69 on: April 18, 2007, 04:38:54 AM »
I went to install the service pack 1a and it says my product key is invalid? I don't want to get too technical with this, like call them up and everything to get a new product key. Is there any way to get a quick fix, without a valid key?

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #70 on: April 18, 2007, 04:39:32 AM »
Yep - they're free.

But before you do that, will you do me one favor?  I would like to check one more thing.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #71 on: April 18, 2007, 04:41:20 AM »
Quote from: Steven6767
I went to install the service pack 1a and it says my product key is invalid? I don't want to get too technical with this, like call them up and everything to get a new product key. Is there any way to get a quick fix, without a valid key?

I don't know of a way around this.  If the key is valid, contacting them shouldn't be a problem.  If not, well ....

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Viruses in system32 folder
« Reply #72 on: April 18, 2007, 04:42:41 AM »
Quote from: Steven6767
Haha yeah, the SPs are free to update, right?

If your Windows copy is legit... yes you can apply them... without it, you won't be able...
The best things in life are free.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #73 on: April 18, 2007, 04:43:25 AM »
Ok, I'll do the VundoFix in a second. I guess I could try to e-mail them, or I could just get SP2 from one of my friends.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #74 on: April 18, 2007, 04:45:25 AM »
I'll run VFix now and I'll be back on in a minute  ;D