One Nasty Virus/Trojan - Kills all virus scanners

[Lynn210]

Yes .. I love to execute those viruses!!

[Lynn210]

Does that IE file go in a subfolder or the main folder

I moved it back to the main folder and can now get GOOGLE
but when I try to access other pages I get

red circle with white X  The requested lookup key was not found
in any active activation content

[Lynn210]

I used Firefox to download IE8 but the installation will not complete
because an update is missing ..

Kind of a catch 10 .. cant use the update site unless I use IE
and IE will not work..

Firefox is my usual browser .. it is running but very slow and "jerky"

[Lynn210]

Waiting to hear what to do next to get this thing running right.

Also.. I have been battling this lsdelete screen on start up

I read how to remove the file at a forum.. and it worked on my other computers
but not on this one... it keeps coming back..

If you are not familiar with it .. it is a leftover file from uninstalling
AdAware ..

Have you heard of this problem.. it usually hangs your startup at least 20-30 seconds

[edifyguy]

The lsdelete is being triggered by the BootExecute key in the registry....I saw it there in the ComboFix log. You can remove it with Start > Run... > "regedit" [enter] then search for it and delete it. It should be under a heading called BootExecute IIRC.

I think FF is probably running goofy due to odd settings from the virus. I think there's a way to clear them out, but I usually use Opera, so I'm not sure right off the top of my head.

If you go to the Control Panel, then System, then the Automatic Updates tab, if you set it to "notify me but don't automatically download or install" you should almost immediately get the yellow shield in the system tray ready to serve updates.

Out of curiosity, which update was it looking for? I don't think IE8 requires much more than XP SP2......

I think the red circle/white x is leftovers from malware. Go to "Internet Options" (hopefully from the Control Panel, can also be accessed from within IE) and go to the tab most to the right. There should be a button to set everything back to defaults. Ya might wanta do that.....

According to MBAM, we're dealing with Vundo here. Realize that Vundo is a highly destructive virus, and getting everything "exactly right" again may take some doing. That is, of course, one of the reasons why a lot of people just go straight for the "nuclear option" whenever something like this happens. I think that's a bit of a wimpy approach, myself.......it's much more interesting to break its back with Linux, kill it outright with ComboFix, and then clean up after it with half-a-dozen other tools. 

[Lynn210]

The registry is where I have deleted this file 2-3 times before and it keeps coming back somehow.. I will try again..

I already turned on updates .. no yellow shield

IE install did not specify which update .. just said an update was missing.

I think before all this happened I was running SP3

I set IE to defaults still get that warning.

[Lynn210]

I know that .NET framework messes up alot of things..
Maybe I should fix that next..

If I remember right.. I go into add remove and remove all the versions
that are in there.. there are usually 5-6 of them

Then download the latest cumulative update which is 3.5 something

Correct?

[Lynn210]

Should I still run that bat file?

[edifyguy]

Theoretically, yes, but they aren't always all installed, and sometimes a program wants a specific version, so you really need all 3-4 of them to be there for everything possible to work correctly. I'd consider just removing them all and then replacing only the ones that your programs ask for.

Also, there's a program that might help--it's designed to clean up after Vundo. http://vundofix.atribune.org/

As for the updates, be sure that wuauclt.exe is running by checking the Task Manager under Processes. (Ctrl+Alt+Del) If it's not, check that the services are running, as well as their dependencies. Start > Run... > "services.msc" [enter] Check Automatic Updates, and Background Intelligent Transfer Service. If they aren't running and won't start, that's another issue. Be sure you DIDN'T set it to "Automatic" in the control panel, as that makes it time-triggered. "Notify me......." will act immediately.

[edifyguy]

Should I still run that bat file?

Be a good idea. MBAM nuked most of what I had in there already, but it can't hurt to be sure. Just remove the line about scheduler so you keep it.

[edifyguy]

You know, running SpyBot Search and Destroy and maybe Ad-Aware would be a really good idea. It would likely help with some of the stupidity with the registry that mr. Vundo created for us.

I need to go to bed, as I do work for a living, but look forward to an update in the morning.

I think we've beat the virus, and now it's just a matter of fixing all the stuff it broke. 

[BRANDONN2008]

And all this trouble from looking for a tv guide? Yikes...

[Lynn210]

wuauclt.exe not found

the two services are listed as "started"

[Lynn210]

The .NET framework update carries the earlier versions within it I believe

" Microsoft .NET Framework 3.5
Brief Description
Microsoft .NET Framework 3.5 contains many new features building incrementally upon .NET Framework 2.0 and 3.0, and includes .NET Framework 2.0 service pack 1 and .NET Framework 3.0 service pack 1. "

[Lynn210]

Spybot is running... found lots of stuff.. is now doing a boot scan

Adaware is next