Virus, adware, now no internet connection, please help!

Okay I guess you did not understand what I meant by "disconnect your network connection". I told you in the sentences before that bold print it meant to physically unplug your analog modem's telephone line (if you use dial-up) or unplug the ethernet cable into your PC from your ADSL or Cable modem or router if you have a permanent connection. This is critical to the FINDnFIX step. Also, I wanted you to run FINDnFIX after booting in normal mode. That got lost in the instructions because I had inserted the new link to the fullscan method for Ad-aware which was to be run in safe mode. I have to be sure that there are no super hidden bad files, so let's try again:

- boot normal mode
- physically disconnect your connection
- run the FINDnFIX !log!.bat files
- post the log.txt file back here as an attachment

Then do this. Open a command prompt window by clicking Start, Run, and in the Open box enter "cmd" without the quotes.
At the command prompt type "cd \windows\system32" without the quotes.
Now type "attrib -r -h -s qdvnmy.dll" without the quotes. Tell me if this gets an error message.
Now type "dir qdvnmy.dll" without the quotes" and tell me what you get.
Now type "del qdvnmy.dll" without the quotes and tell me what you get.
If the del command (which is short for delete) works, skip down to where I say post a new HijackThis log attachment
If the del command does not work, try a rename of the file:
type "ren qdvnmy.dll qdvnmy.bad" without the quotes and tell me what you get.
If the rename works, open up a Windows Explorer session and navigate your way to the c:\windows\system32 directory and right click on the qdvnmy.bad file and while holding down the right mouse key drag the file to your desktop. Let go of the mouse button and select Move here. Let me know if this works.

 

When you tried to delete or rename that DLL, did you have all Windows Explorer and Internet Explorer sessions closed (not minimized, totally stopped)?

Download ProcessExplorer from here: http://www.sysinternals.com/files/procexpnt.zip
and unzip it to a directory where you can find it easily.

Now run ProcessExplorer and click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.

 

Below is another item I want you to do after getting me that ProcessExplorer list.

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

Then start APM.
In the upper window select explorer.exe
In the lower window see if you can find C:\WINDOWS\System32\qdvnmy.dll
If you find it, rightclick on it and select Unload DLL and click OK on the prompts that follow.

If this works, goto to the c:\windows\system32 directory and now try to rename
the file to qdvnmy.bad
Let me know what happens.

 

I really want to know what this file is for. Can you see if you can put a copy of C:\WINDOWS\System32\qdvnmy.dll into a ZIP file and post it pack here as an attachment.

 

They most likely will not help. There could be other related files too that keep respawing them.

I cannot even extract from you ZIP file to look at them because my virus scanner (McAfee) immediately complains about the COREFLOOD.DLL Trojan . This is a real baddie. Are you absolutely positive you have the current Virus Definitions for your Norton Antivirus? Please double check the versions you have (not just the virus scanner's version but also the reference or virus definitions file version. If they are up to date, do the following:
1) disable system restore but when it asks for a reboot you must boot in safe mode
2) perform a full system scan with Norton (make sure it is set to scan the whole hard disk. See if it finds this file and maybe others.

Is there a coreflood.dll or coreflood.exe on your system anywhere?

For the education read the info in the links below from Symantec, McAfee, and TrendMicro:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.html
http://vil.nai.com/vil/content/v_100312.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AFCORE.M

I found some links that indicated McAfee could find this trojan but Norton did not (the link was a few months old. Hopefully a newer definitions list finds it.)

We are going to have to remove some stuff from the registry.

By the way, back a number of messages you indicated that Ad-aware found and cleaned: Win32.Backdoor.afcore ! Maybe it did not clean it all.

 

I also have a question! Do you know your Administrator password for your PC? I'm not asking you to tell me what it is. I want to verify that you can boot up with the user name as Administrator. This is leading towards my next steps but I need to know you can login as the Administrator.

 

Okay I just found this automatic cleaning tool from Sophos. Check out the link below and download that CORFCGUI disinfector and give it a try.

http://www.sophos.com/support/disinfection/corefloo.html

 

Gayla,

Yes, attach one more HJT log for me and yes it is about time to run Outlook Express. Becareful of what may be lurking in the email files since last being read. Be very careful on any email having attachments.

 

Log is clean but HijackThis is now on version 1.98.2. You should get the new version for future use:
http://www.majorgeeks.com/download3155.html