Have a Virus - Need Help Troubleshooting

[~*Blak*~]

REMOVED>>DON'T Let it happen again
Your interference is NOT appreciated
<guestolo>

[guestolo]

If you saved export.bat on desktop
LOOK CAREFULLY on your desktop for a file called
export.txt

It will be a Notepad looking icon, do you not see it??
If not, we'll manually look for that registry entry

[bluestar]

Unfortunately, I think that's what I will have to do, is manually. For whatever reason, when I doubleclick on .bat, it does not create a .txt file, at least not on the desktop that I can see. I have checked and rechecked this several times to make sure it isn't my own error. The only .txt files I have on the desktop are the Combofix, uninstall and Ewido report scan files. I know we aren't done with this yet, but I appreciate all the help so far.

[guestolo]

Let's manually check a registry setting
First, let's make a backup
Go to START>>RUN
Copy and paste to the open field the following command below in bold to the open field
Then hit OK

regedit /e c:\registrybackup.reg

This will take a few seconds to finish
Afterwards
Go to START>>RUN
type in regedit
Hit OK

In the registry, we're looking for this key
HKEY_CLASSES_ROOT\CLSID\{352EC2B7-8B9A-11D1-B8AE-006008059382}
 click on the following
Expand(+) the following
(+)HKEY_CLASSES_ROOT
Scroll down, expand
(+)CLSID

Look for the key {352EC2B7-8B9A-11D1-B8AE-006008059382}
Look closely, there are many that look the same
RIGHT CLICK on it and choose EXPORT

Choose to save on the desktop and give it a name, such as bluestar
Then click SAVE
Exit the registry

RIGHT CLICK on bluestar.reg on the desktop and select EDIT
Copy>>paste back here the whole contents of it please

[bluestar]

When I go under CLSID, {352EC2B7-8B9A-11D1-B8AE-006008059382} is not there.

[guestolo]

When I go under CLSID, {352EC2B7-8B9A-11D1-B8AE-006008059382} is not there.

That may explain a lot

Can you do the following
I need you to make a .reg file for me

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box directly below, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
We'll need it in a bit
Ensure to copy from REGEDIT4 and down in the code box
You will know if you saved it properly as the icon should look cubed like

 

Code: [Select]

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{352EC2B7-8B9A-11D1-B8AE-006008059382}]
@="Shell Application Manager"

[HKEY_CLASSES_ROOT\CLSID\{352EC2B7-8B9A-11D1-B8AE-006008059382}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,0
0,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,61,00,70,00,70,00,77,00,
6
9,00,7a,00,2e,00,63,00,70,00,6c,00,00,00
"ThreadingModel"="Apartment"

As mentioned, we'll need fix.reg in a bit
But first, do the following

Open the folder that you extracted dial-a-fix too and double click on Dial-a-Fix-.exe
In the main program put a check next to all 6 entries under Registration Center
CLOSE down all open browser windows and any other open program except for Dial-a-Fix

1. Double click on fix.reg on the desktop and allow to add/merge to the registry at the prompt
2. Hit the Go button in Dial-a-fix and let it run
Let this finish
When done
Reboot the computer

Back in Windows , does the add/remove programs populate???

[bluestar]

No, there still is nothing showing under remove programs. However, it did enable the export.txt file to finally be saved. It says:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{352EC2B7-8B9A-11D1-B8AE-006008059382}]
@="Shell Application Manager"

[HKEY_CLASSES_ROOT\CLSID\{352EC2B7-8B9A-11D1-B8AE-006008059382}\InProcServer32]
@=hex(2):25,00,00,00,53,00,00,00,79,00,00,00,73,00,00,00,74,00,00,00,65,00,00,\
  00,6d,00,00,00,52,00,00,00,6f,00,00,00,6f,00,00,00,74,00,00,00,25,00,00,00,\
  5c,00,00,00
"ThreadingModel"="Apartment"

[guestolo]

Are you give add/remove programs time to populate?
It may not come up instantly
Do you see a message in add/remove of what it's doing?

Just a double check, in add/remove, is the Whole thing blank
Or can you scroll down, because of a big blank space?

Have you seen this link
http://support.microsoft.com/kb/266668

Are you comfortable in the registry?

[bluestar]

I'm somewhat new to registry under Windows. I have more familiarity with Linux at the command line ironically. Nothing comes up under Add/Remove, not even a scroll bar on the right. However, the dialog box sets up and I can use other functions, like adding programs and setting Windows defaults.

Strangely, the HKEY_CLASSES_ROOT\CLSID\{352EC2B7-8B9A-11D1-B8AE-006008059382}\InProcServer32 is there, and so is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache, so I'm not sure where to look next.

[bluestar]

Do you think I'm looking at a reinstall of windows or have I tried all the options you know of?

[guestolo]

We can go thru and try all registry fixes, or you can run a Repair on your system
Would you like to try this route?
If so, you shouldn't lose any files, but just in case backup
After the repair, immediately go to Windows Updates and get all High Priorities

See the following link
http://www.michaelstevenstech.com/XPrepairinstall.htm#RI