
Fun times with Windows Police Pro.

Hey. First of all, I guess I should apologise for making another thread on this nasty little piece of malware, given that there are a few already on here. But none of the info in any of them could help me, and I was loath to hijack one of them with my own complaint, so here I am.

I'm running XP, SP2.

I'm writing from my laptop at the moment, as it's virtually shut down my tower PC.

I picked it up a few days ago, and after a good few hours of struggling with it, I've managed to get rid of the annoying popups, and the actual interface is gone too. However, the rootkit and the nasty little trojans that came with it are still on the PC. The task manager no longer shows any programs running that shouldn't be, initially there was "WindowsPolicePro.exe" and "svchast.exe". Having said that, there are two streams of random numbers in there, along the lines of "0.038538587632.exe". These can be closed down by ending the process tree, but doing that seems to have no effect on the computer. To begin with, these were listed as having been started by me, under my user name, but now they're listed as "SYSTEM". I don't know if that means anything or nothing, but it bothers me.

The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all. Nothing works, Windows just states that I haven't got the permissions to open the file. This includes regedit and msconfig. I can get into My Documents, and My Computer, but I can't open or view any files. Nor can I open my AV, or any anti-spyware. Unfortunately, this also means that I can't provide any logs for HijackThis, or MalwareBytes, for which I apologise. I don't have a flash drive to get them onto the affected PC, either :(.

I also can't get the damn thing into Safe Mode. I don't know if that's down to the virus or not, but as soon as I get into the mode selection screen, my keyboard stops working, and I have to hit the reset button on the front of the tower.

I think that's all the information I can provide; I know it isn't what's mentioned in the sticky at the top of the forum, but I can't conform to that at the moment :(.

I have one more question: As mentioned above, I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I start the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in its current state, but it's worth a try, I guess.

Thank you for reading my long essay. Any help at all would be much, much appreciated. Thanks again!

Asezat
Light Poster
37 posts since Oct 2009
Reputation Points: 10
Solved Threads: 0
 

Hello Asezat, and welcome to the thrills and spills that are WPP. Unfortunately I was in this same position a couple of weeks ago. I was able to get my system back to normal, and I'm no computer specialist, so don't panic.

The thing is, though, from the sound of things your system seems to be reacting differently after your malware removal attempts. You might have made things worse: it seems you have removed the annoying pop-ups, but the system sounds like it's pretty much locked up.

In order for the people here to help you, you will need to explain every step you took to remove the processes so far. The first step is to post logs so we know what's going on, but if you're unable to gain access to those, we will need to know how to get you back to that state.

Best of luck, -R1p

R1pperZ
Light Poster
37 posts since Oct 2009
Reputation Points: 10
Solved Threads: 4
 
> The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all. . . .


Are you able to access the internet and download files with the ill computer? I know you can't run programs, but can you download them?



> I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in its current state, but it's worth a try, I guess.


There is a good chance that any re-writable media will get infected.
-- Are you able to burn tools onto a CD if I gave you a list of what we need?
-- Why not purchase a cheap flash drive?
-- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.

Let me know where you stand.

If you are able to download to the ill machine, please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.


-- I should note that, while we could probably make some progress with tools on a CD, a flash drive would allow us more flexibility. Yes, it runs the risk of getting infected, but we can run some tools from it.......

Cheers :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 
> The thing is, though, from the sound of things your system seems to be reacting differently after your malware removal attempts. You might have made things worse: it seems you have removed the annoying pop-ups, but the system sounds like it's pretty much locked up.

Hey, I'm glad you managed to sort your comp out; at least it gives me a bit of hope for fixing my own. So far, almost everything I've done was immediately after I was infected, before I rebooted. It's pretty simple stuff: all it was was going into the "Windows Police Pro" folder in Program Files and deleting the actual program in there. After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

> Are you able to access the internet and download files with the ill computer? I know you can't run programs, but can you download them?

> There is a good chance that any re-writable media will get infected.
> -- Are you able to burn tools onto a CD if I gave you a list of what we need?
> -- Why not purchase a cheap flash drive?
> -- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.
>
> Let me know where you stand.
>
> If you are able to download to the ill machine, please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
> -- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
> A log should pop up - please post that for me.
>
> -- I should note that, while we could probably make some progress with tools on a CD, a flash drive would allow us more flexibility. Yes, it runs the risk of getting infected, but we can run some tools from it.......
>
> Cheers :)
> PP


I can't get onto any of my browsers, so unfortunately downloading onto the infected PC directly is out of the question for now. What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on Monday (damn Sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, I'll do what has to be done.

Thank you both for your responses :).

Asezat
 
> Hey, I'm glad you managed to sort your comp out..... After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

This baddie comes in different flavors and different degrees of difficulty. Most often, there is a rootkit component that makes removal a bear.....

> What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

Great! We can try that - You'll need three CDs. I'll post the list at the bottom of this post.

> I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

That's where the Flash Drive comes into play. Allows give and take from the ill machine. Plus, we can run combofix from the flash drive...

> Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on Monday (damn Sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, I'll do what has to be done.

Well . . they are inexpensive for a few gigs, which is all you'll need.
You'll have to do a little "cost/benefit analysis."

Truth be told, I generally recommend a reformat in these cases. 'Course that depends upon a number of factors, the biggest usually being whether a user has their Windows OS Disk.

OK - Here are the tools you'll need - I'm assuming you'll pick up a Flash Drive:

FIRST: Download and Install ImgBurn if you do not already have it on your machine.

THEN: Download the Avira Rescue System.ISO and use ImgBurn to burn the ISO onto a CD.

NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD


FOR THE THIRD CD:
http://ad13.geekstogo.com/Win32kDiag.exe
http://swandog46.geekstogo.com/avenger.zip
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
With combofix, what I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to working compy and put it on the CD.
FindWPP.zip
DDS by sUBs and save it to your Desktop
http://download.sysinternals.com/Files/Junction.zip
http://www.raktor.net/exeHelper/exeHelper.com
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
SysProt Anti-Rootkit

I know it seems like a lot, but I like to cover all bases..... :)

NEXT: Repeat the step for the third CD and put all those programs on your Flash Drive


Post back when you are all set (or if you have any questions).
I am usually around in the evenings (EST) working on other things but will keep an eye on this thread.

Cheers :)
PP

PhilliePhan
 
> NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD


In re-acquainting myself with TRK, I realize that I should've added that ideally this should be on a Re-Writable CD, if possible.

PP :)

PhilliePhan
 

Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. Two and a half to three years back, I had an issue with the PC refusing to start, and a friend advised me to pop the little battery out of the motherboard and then put it back in, which I duly did. It fixed that particular problem, but when I started the PC up again, the start-up sequence had totally changed. It now informs me each time that "BIOS is not installed". It's never been a problem, until now, Windows starts fine, etc, but I'm a little concerned. Will that be an issue?

Thanks!

Asezat
 
> Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

Great! - Trinity offers 4 AV scanners, but only Clam is onboard. It needs to update and download and rewrite itself. This is a legit option that uses freeware as opposed to pirated software.
(I wish they would add an option for MBAM or combofix to be downloaded and run...)

> I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. .....Will that be an issue?
I doubt it - that message is not referring to your "system BIOS" - probably looking for a drive controller. Not a big worry at this time.
-- With any luck your compy will detect the CD on startup and offer the option to boot from it. We'll cross that bridge when we come to it.
Those CDs are strictly a last option in the event that nothing else works - Hopefully we'll not have to use them. (they are good to have around, though - hold onto them)

Let's start with the CD with all the tools on it.
-- See if you are able to transfer FindWPP to the ill computer.
RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop. Hopefully you won't be blocked from doing that.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.

If the log pops up, save it to the Desktop and then copy it to Flash Drive and post it for me.


Even if that step does not work, go ahead and try this as well:

Move Win32kDiag.exe from the CD to the Desktop.
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please copy to flash drive and post the entire log for me and we’ll go from there.
Be sure to let it run until is says "Finished" before posting the log!


-- Are you able to get a command prompt on ill computer?
Either START > Run >type cmd > OK
or
START > Run >type command.com > OK

-- I suspect we are in very different timezones which may slow us a bit. I am on Eastern Standard Time (GMT-4) and generally around in the evenings.

Anyhoo, let me know if those tools could be run and about command prompt.

Best Luck :)
PP

PhilliePhan
 

Ok, well, I stuck the third CD into the drive and fired it up, and it let me read the CD. Having said that, before I could start actually extracting and running the programs, it froze up, and I had to restart the computer. When I went to try again, to my surprise, the CD was empty. Apparently I used a re-writable CD, and whatever it is that's on the computer is either deleting whatever's on it, or making it appear as though it has. I haven't tried running them from the flash drive because I'm still worried about infecting my laptop, too.

I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

Regarding timezones, I'm in the UK so I'm on GMT, and your afternoon is my evening. I would normally be around then, but due to work issues I haven't been recently, unfortunately. I should be tonight, though.

Thanks!

Asezat
 
> I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

That should come in handy.

-- Do this: Open a command prompt, type exactly what I have here, and hit ENTER:
dir /s %windir%\eventlog.dll > "%userprofile%\desktop\logit.txt"

Logit.txt will be on the desktop - I need to see that, however possible.
I just need the various paths to eventlog.dll and the exact size in bytes for each. You'll not need to copy everything.

-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of the ill compy and then run) is to run Combofix directly from the flash drive.

Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.

But before that, give me the eventlog.dll info.

PP :)

PhilliePhan
 

I copied that exact command into the prompt, twice, and each time it said "The system cannot find the file specified". Logit.txt did appear, but it was empty.



> -- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of the ill compy and then run) is to run Combofix directly from the flash drive.
>
> Perhaps we should go ahead and try that? What do you think?
> You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.



I'll try whatever you think will work.

Asezat
 
> I'll try whatever you think will work.

We should probably try burning the tools onto a non-rewritable disk (not the ISOs, just the disk of tools). That way, we can use command line to copy them to desktop. Let me know if that is workable.

I am a little reluctant to try the flash drive just yet - I am fairly certain the malware has replaced the legit eventlog.dll and once we deal with that, we can make some headway with tools on the desktop. We just need to get them on there.


What happens when you type the following command at the prompt:
dir /s %windir%\eventlog.dll

Note it is dir /s %windir%\eventlog.dll

If error there, try:
sc stop "eventlog"   (then ENTER)

What happens?

If error there, try:
sc config "eventlog" start= disabled   (then ENTER)

What happens?


PP :)

PhilliePhan
 

I'm not sure if I have any non-rewritable CD's at the moment. I actually spent the best part of an hour looking earlier on, because I thought I did.

Of the three commands, the first gives the "system cannot find the file" response.

The second gives "[SC] ControlService FAILED 1052: The requested control is not valid for this service."

The third: "[SC] ChangeServiceConfig SUCCESS".

Asezat
 
> The third: "[SC] ChangeServiceConfig SUCCESS".


Good - that's what I thought. It can't be stopped, but it can be disabled.

At the prompt, type sc query "eventlog" and tell me what the State is.
If it is still running, we'll need to reboot and then repeat the query to make sure it is not running.
('course, I am assuming this is a replaced file - usually it is, but there have been others)

Then, let's try to copy FindWPP and Win32kDiag.exe to the desktop again. If you can't copy and paste, try the copy command.

Assuming external drive is, say, G:\ the command would be:
copy G:\Win32kDiag.exe "%userprofile%\desktop"
copy G:\FindWPP.zip "%userprofile%\desktop"

Obviously, if not G:\ , you'll need to change accordingly.

Let's see how that works.

Sorry about the delay - doing 10 things at once here :)
PP

PhilliePhan
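The hand-typed checks in the last few posts (dir /s for every copy of eventlog.dll and its size in bytes, then sc stop, sc config and sc query against the EventLog service) can be gathered into one batch file so everything lands in a single log that can be carried off on the flash drive. This is an added example, not a script from the thread or from any of the tools it links. The file name, the log location on the Desktop, the comparison against XP's dllcache backup and the /disable switch are my choices; the dllcache comparison and the flagging of copies outside system32 go a little beyond what the thread does and are heuristics, not proof either way.

```batch
@echo off
REM eventlog-check.cmd -- added example, not from the thread.
REM Collects the facts the thread asks for by hand (every eventlog.dll under
REM %windir% with its byte size, and the EventLog service state) into one log
REM on the Desktop, and optionally applies the thread's "disable it" step.
REM Usage:   eventlog-check.cmd            (report only)
REM          eventlog-check.cmd /disable   (report, then sc config ... disabled)
setlocal EnableExtensions EnableDelayedExpansion

set "LOG=%USERPROFILE%\Desktop\eventlog-check.txt"
set "LIVE=%windir%\system32\eventlog.dll"
set "CACHE=%windir%\system32\dllcache\eventlog.dll"

> "%LOG%" echo eventlog.dll check on %COMPUTERNAME%  %DATE% %TIME%
>> "%LOG%" echo.

REM 1. Every eventlog.dll below %windir%: full path and size in bytes.
REM    Only system32 (live copy) and system32\dllcache (XP's backup) are
REM    expected; any other location is flagged for a closer look.
>> "%LOG%" echo [copies of eventlog.dll under %windir%]
set /a COUNT=0
for /f "delims=" %%F in ('dir /s /b /a-d "%windir%\eventlog.dll" 2^>nul') do (
    set /a COUNT+=1
    set "MARK="
    if /i not "%%~dpF"=="%windir%\system32\" if /i not "%%~dpF"=="%windir%\system32\dllcache\" set "MARK=   UNEXPECTED LOCATION"
    >> "%LOG%" echo %%~zF bytes  %%F!MARK!
)
if !COUNT! EQU 0 echo none found - either hidden by a rootkit or dir was blocked; re-check from rescue media >> "%LOG%"

REM 2. Live copy vs. dllcache backup. Heuristic only: a size match does not
REM    prove the file is clean, and dllcache can be overwritten as well.
>> "%LOG%" echo.
>> "%LOG%" echo [size comparison]
if exist "%LIVE%" if exist "%CACHE%" (
    for %%A in ("%LIVE%") do set "LSIZE=%%~zA"
    for %%B in ("%CACHE%") do set "CSIZE=%%~zB"
    if "!LSIZE!"=="!CSIZE!" (
        >> "%LOG%" echo system32 and dllcache copies are both !LSIZE! bytes
    ) else (
        >> "%LOG%" echo SIZE MISMATCH: system32 copy !LSIZE! bytes, dllcache copy !CSIZE! bytes
    )
)

REM 3. Service configuration (binary path, start type) and current state,
REM    the same output as the thread's "sc query eventlog".
>> "%LOG%" echo.
>> "%LOG%" echo [EventLog service]
sc qc eventlog >> "%LOG%"
sc query eventlog >> "%LOG%"

REM 4. Optional remediation step from the thread: "sc stop" failed there with
REM    error 1052, so the service is set to Disabled and the state is re-read
REM    after a reboot (the thread saw STATE 4 RUNNING become 1 STOPPED).
if /i "%~1"=="/disable" (
    >> "%LOG%" echo.
    >> "%LOG%" echo [sc config eventlog start= disabled]
    sc config eventlog start= disabled >> "%LOG%"
    >> "%LOG%" echo reboot, then run: sc query eventlog
)

type "%LOG%"
echo.
echo Saved to "%LOG%" - copy it to the flash drive to post it.
endlocal
```

Run it from the same prompt the thread uses and post the resulting text file. Two caveats a practitioner would want: output from a compromised host is only as trustworthy as the kernel answering the calls (the thread's own dir returned "cannot find the file", which is one reason the Avira and Trinity rescue ISOs were kept in reserve), and disabling the Event Log service stops legitimate event logging until it is re-enabled with sc config eventlog start= auto once the replaced DLL has been dealt with.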
 

The state initially was "4 RUNNING", after a reboot it's "1 STOPPED".

I've just tried to copy the files off the CD normally again, the whole thing froze before I even could get into the CD, this time. When I cleared it, Explorer crashed and forced another reboot.

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

Asezat
 
> After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."


Well . . . crap. It's not making things easy, is it?
-- You did change the source directory to the correct letter (probably D or E:\), right? (sorry - gotta check)

Try to copy them from the flash drive. If that does not work, let's go ahead and try to run combofix from the flash drive. You'll not be able to update it, but run it anyway - If it runs, post the log.

PP :)

PhilliePhan
 

I did initially have the wrong source directory letter >.> but I fixed it before I made the post.

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

Asezat
 
> I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.


-- Can you RightClick on it and Run as Administrator?

-- Did you try command prompt?
type %userprofile%\desktop\win32kdiag.exe ENTER

-- Can you RightClick and extract the FindWPP folder from the ZIP to the desktop?

PP :)

PhilliePhan
 

I can run Win32Diag as admin, but it first says that it can't get the desktop directory, and then "error: could not create log file <13>". Then it shuts itself down.

Yep, it let me extract FindWPP.

Asezat
 
> Yep, it let me extract FindWPP.


OK - Run RunThis.bat in the FindWPP folder and see if it runs. If the log pops up, save it to the desktop. Put it on the re-writable disc to transfer it, if possible.

PP :)

PhilliePhan
 
