Aftermath of the chod.j worm

Discussion in 'Software' started by J. Nuradin, Nov 19, 2005.

  1. J. Nuradin

    J. Nuradin Private E-2

    I was hit by the chod.j worm last week, but I managed to purge it from my system. I followed Trend Micro's repair directions, reran my scans, no more chod.j

    Unfortunately, it looks like a lot of the damage it's done to my internet settings remains. I'm experiencing a couple of different problems that I'm fairly certain stem from the worm:

    1. Firefox no longer works at all - getting "connection refused" messages. Bizarrely, IE works just fine. This problem only emerged after I reinstalled Firefox.

    2. I cannot access GMail or my Hotmail mail account, even when I'm using AOL's browser or IE.

    3. MSN Messenger has problems with key ports that it can't fix.

    4. Norton Internet Security cannot activate Auto-Protect (when I click enable nothing happens), and none of my anti-spyware or anti-virus programs can update themselves.

    5. Can't play online computer games.

    I'm using McAfee's firewall, but these problems remain whether I disable it or not. I've run a bunch of antivirus scans and it looks like everything is in order on that front.

    Any ideas? Thanks in advance, guys.
     
  2. jujet84

    jujet84 Master Sergeant

    Could you post some specs, OS etc.?
     
  3. J. Nuradin

    J. Nuradin Private E-2

    Doh, forgot about that :)

    Sony Vaio laptop, Windows XP SP2.
     
  4. jujet84

    jujet84 Master Sergeant

    Some insight on your problem caused by MSN Messenger:

    Alias: Win32.Chod.j,WORM_CHOD.J Platforms: Win 95,Win 98,Win ME,Win NT,Win 2K,Win XP
    Updated on: 16 November, 2005
    Arrival Form: MSN Messenger
    Type: Win32,Worm,Trojan
    Damage: Create files,Prevent normal OS operation,Send Message,Remote control,Lowers security
    Analysis
    Win32.Chod.j is an MSN Messenger worm that can also open a backdoor on the infected system, lower security settings and prevent the user from accessing security related websites.

    Malicious activity
    When the worm is executed, it does the following:

    1. It drops a copy of itself into a random directory in the default Windows System folder as csrss.exe. It also drops the files csrss.ini and smss.exe into the same location. The file netstop.com is dropped into the default Windows System folder.

    2. To run on every startup on systems running Windows NT, 2000 and XP, it will modify the following registry entries:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "csrss" = ""

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    "load" = "sysdir\[random dir]\csrss.exe"
    "run" = "sysdir\[random dir]\csrss.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "csrss" = ""

    On Windows 9x and ME, the worm adds the following lines to the WIN.ini file:

    [windows]
    load = sysdir\[random dir]\csrss.exe
    run = sysdir\[random dir]\csrss.exe

    3. It will modify additional registry entries, some of which will disable several key Windows components.

    4. It will then connect to an IRC server, connect to a pre-determined channel and listen for remote commands. A hacker operating from a remote location can take over infected systems in this manner.

    5. The worm will also attempt to terminate security related applications found on the system.

    6. The worm will modify the infected system's HOSTS file and disrupt the user's ability to access many security related websites.

    7. Finally, the worm will send a URL to all of the user's MSN Messenger contacts. Clicking this URL will download the worm from the specified location.

    What other programs do you have for virus, trojan and malware scans?
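The analysis quoted above names concrete persistence indicators: a `csrss` value under the two `Run` keys, non-empty `load`/`run` values under `Windows NT\CurrentVersion\Windows` pointing at a `csrss.exe` in a random subdirectory of the System folder, and HOSTS entries that block security vendor sites. The following script is an added example (not from this thread, Trend Micro, or any vendor) that checks for those indicators offline: it parses a registry export in `.reg` text form and a HOSTS file, both of which are constructed samples here. The `a1b2c3` directory name stands in for the `[random dir]` in the analysis, and the vendor domain list is an assumption; on a live machine you would feed it the output of `reg export` and the contents of `%SystemRoot%\system32\drivers\etc\hosts`.

```python
import re

# Registry locations the analysis names as the worm's persistence points.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
LOADRUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Assumed list of security vendor domains; a clean HOSTS file has no entries for these.
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "trendmicro.com",
                    "microsoft.com", "windowsupdate.com")


def parse_reg_export(text):
    """Parse .reg-style export text into {key_path: {value_name: data}}.

    Only string (REG_SZ) values are needed for this check; .reg files escape
    backslashes as '\\\\', which is undone here.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def suspicious_csrss_path(path):
    """True when a csrss.exe path is not directly inside the System folder.

    The legitimate csrss.exe lives in system32 itself; the worm drops its copy
    into a random subdirectory of it.
    """
    parts = [p for p in re.split(r"[\\/]", path.strip().lower()) if p]
    return len(parts) >= 2 and parts[-1] == "csrss.exe" and parts[-2] != "system32"


def check_registry(keys):
    """Return findings for the Run / load / run indicators from the analysis."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name.lower() == "csrss":
                findings.append(f"{key}\\{name} = {data!r}: worm registers itself under the name csrss")
            elif suspicious_csrss_path(data):
                findings.append(f"{key}\\{name} = {data!r}: csrss.exe outside the System folder")
    for name in ("load", "run"):
        data = keys.get(LOADRUN_KEY, {}).get(name, "")
        if data:  # these two values are empty on a normal system
            why = "csrss.exe outside the System folder" if suspicious_csrss_path(data) else "normally empty"
            findings.append(f"{LOADRUN_KEY}\\{name} = {data!r}: {why}")
    return findings


def check_hosts(text):
    """Return findings for HOSTS lines that map security vendor domains anywhere."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for host in names:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS):
                findings.append(f"hosts line {lineno}: {host} -> {ip} (security site redirected)")
    return findings


def run_checks(reg_text, hosts_text):
    """Combine both checks into one findings list."""
    return check_registry(parse_reg_export(reg_text)) + check_hosts(hosts_text)


# Constructed sample data modelled on the analysis; 'a1b2c3' is a placeholder
# for the random directory name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\a1b2c3\\csrss.exe"
"run"="C:\\WINDOWS\\system32\\a1b2c3\\csrss.exe"
'''

SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.microsoft.com
"""

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_REG, SAMPLE_HOSTS):
        print(finding)
```

The HOSTS check is the part most relevant to the first post: if vendor and update domains are pinned to 127.0.0.1, security software cannot update and webmail or update sites fail even after the worm binary itself is gone, which is why cleanup guides tell you to restore the HOSTS file and the `load`/`run` values separately from deleting the dropped files.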
     
