Greetings from Beverly Hills, California.
I have followed your instructions carefully (after a full 60 hours of many other attempts, so I'll be brief, but there are factors you'll want to know) and have attached the three log files requested.
Facts not included in the logs:
I mention all this because a week before, I'd installed SP3 and used 1-Click Fix It (before or after, can't recall, sorry), and my system started having two distinct problems:
- At 1 pm on Thurs 4/15, I was online using GoToMeeting (citrix.com), a reputable service for letting my writing client see my computer screen; I used the latest Firefox, had the trusted site fluentself.com open and was typing the address to open my favorite ittybiz.com, when a different, unknown domain suddenly showed in the address field (scaner32.org) and two warning screens instantly popped up --
- Because I'd just scanned with McAfee that morning, and had not typed in the domain, and one screen said I had a virus and to download software I'd never heard of, and the other looked like a fake MS Security warning about 4 trojans (listed below), I thought it was a phishing scam and took a screenshot of it, discussed it with my client, who could see it via the GoToMeeting portal, before I ended that session, and tried to close out of the browser.
- My screen was frozen; none of the YES/NO buttons on the two warning pop-ups would work. I had to unplug my (secure) USB-wireless connection (to a router in the next room for a cable connection) and shut down the CPU.
1) many browser failures with error 0xc0000005 -- the protected memory error (I read up on DEP) -- and:
2) my right-click stopped working for 90% of my usual tasks, like emptying the trash, or opening a file, etc. It would give me the same error box for 0xc0000005 and close out whatever, including the desktop, often losing my desktop and requiring an "active desktop" series of confirming settings.
So before 4/15 happened, I'd been trying to solve those issues:
I got an account at openDNS.com;
I changed the DEP settings to include an exception for explorer.exe;
I changed the open port settings so only the http port 80 was open;
I confirmed that no one was on my network -- I have always had remote access OFF, and all the other vulnerabilities listed in #8 of the avz log are things I do not allow, like NetMeeting, IM, that junk; I had disabled that access all along.
A few other things like that -- anything I could find on the net about private memory and Data Execution Prevention and what might have gone wrong.
I ran several free scanners, like Malwarebytes, TuneUp Utilities 09, 4 others I can tell you... and my McAfee said all was fine...
And this was BEFORE the Virus/Trojan attack/warnings on 4/15.
I have the screenshot (jpg) of the warning screens, but I couldn't find any site called scaner32.org, so that worried me. That's the domain that popped a warning saying I had Virus.Win32.Sality.aa.
The MS Security Center, which I confirmed later did look real, warned of these 4 problems:
(I'd had a few email worms back in '98, 2000, like Ethan, but they'd been archived years ago -- still, they got found in the big scan.)
- Trojan.JS.Popupper.f -- in -- regedit.exe
- Trojan.Win32.Agent.ae -- in -- cryptsvc.dll
- TrojanJS.Redirector -- in -- dpnaddr.dll
- Email-worm.Win.32.Merond.a -- in -- idndl.dll
So Friday night I downloaded and ran the latest Kaspersky Virus Removal Tool autoscan -- but it ran (in safe mode) from 1 am until 9 am and was only 57% finished (and over 500,000 or 5,000,000 objects -- I only glanced), and then I tried to minimize the screen and accidentally shut it down ~ ! OH NO! Still, I have that log file of the vulnerabilities (patched by MS today per securelist.com), and of the disinfected old emails, plus some that were untreated as "could not be written" (?), and so on.
But in that long 8+ hour scan, Kaspersky did not find any of the Trojans or the Virus I was warned of.
I DO have access to safe boot (but both McAfee and MS Security System say my firewall and scanning are off and can't be started due to "error" when in safe mode -- in regular mode they look fine, but that's a symptom of Sality.aa...).
I DID see the Registry keys for "security center" saying 'disabled', but I don't know what the ones and zeros stand for, which is yes and which is no, so I didn't try to edit the Registry, although I can access it, and I could delete the leftovers of a program, Bonjour, that I don't remember and uninstalled just in case it was allowing access.
But having the AV programs funky, and getting the Data Execution Prevention error 0xc0000005 almost every time I right-click, try to open, start, rename or delete a file/icon/anything, and those warning screens... I'm a mess!
I did disable System Restore before any scans;
I did re-enable the DEP for its default with no exceptions;
I did remove my Outlook Express and a few other programs from Startup because I was worried about a virus getting into my email address book, and I haven't opened it; and,
I have disabled access for anything I thought might auto-start and didn't want the bad guys to access -- I hate just being online right now (although most of my job needs to be connected and I'm losing work!) because I don't trust these AV/firewalls that say they're fine...
OH MAN! Sorry I've gone into such detail! But these things are not in the log and ARE a big part of the context...
So I followed the instructions on the Kaspersky Tool to do the Manual Removal because I thought it would just be a cut and paste! They are not clear that when I clicked their "submit file" link, I'd find you guys and need to sign up, download scanners, upload logs, etc... So I still have their log too -- but I'll let you ask if you need it, per your instructions.
Many thanks for your help -- I hope this is intriguing enough that you can help me soon... my business is just me and my computer and my screenwriting clients online... ("scripts" are screenplays in my world, not strings of java or whatever -- ha!)
Let me know if you need anything else, like the quarantined file (it's 10 years old and hasn't been touched, and is only suspicious...), and I'll be much, much shorter -- !
Thanks -- from the middle of the night (yikes! I'm exhausted!) --
PS: sorry, one last thing: I saw a log that said things were done "by user" or something like that, and they didn't sound familiar, but because I keep losing my net connection -- even though I have a strong and constant wireless connection per my status bar signal -- every time it shuts down when I'm in the middle of something, I worry what it's doing to it all.
Thanks for listening... gotta go get some beauty sleep ~ with the stress of this last week with the computer, I need all the help I can get ~ ha!