PhilliePhan 171 Central Scrutinizer Team Colleague

NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD

In re-acquainting myself with TRK, I realize that I should've added that ideally this should be on a Re-Writable CD, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Back on original computer - Windows must have redone the registry key.
I will post the log. Note: I will be gone for 3+ hours; I have to catch the bus home, but I'll let you take a look for now.

Great - Now we are cooking with gas! Or . . . however the saying goes.

I didn't think it would be too bad given all that you did prior to combofix. Looks like it replaced the infected file - hopefully you can run programs now.

I'll have a closer look and get back to you.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Windows Vista.
You think it's that bad huh?
I'm going to restart... I don't think that will make it worse. I will look for the recovery.

Tap F8 on reboot and see if Recovery Console is an option. If so, choose it and let me know.
If not, do Safe Mode with Command Prompt.

Let me know.

Might not be that bad - rather err on the side of caution.

PhilliePhan 171 Central Scrutinizer Team Colleague

It really does - and yes I apparently had it previously - it didn't ask to download it. ... Do you think I should restart?

-- What OS?
-- Do you have your Windows OS disk?

-- You should know if recovery console is installed because it will give you that option on reboot. Have you seen that option?

PhilliePhan 171 Central Scrutinizer Team Colleague

Well . . . That puts a wrinkle in things.

-- Did you install the recovery console?

PhilliePhan 171 Central Scrutinizer Team Colleague

Let's try this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let us know how you fare.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Of course I think System Restore itself is so mis-understood anyway. So many seem to think it is the "end all and be all" of fixing, when in reality many times it does more harm than good. . . .

I don't know that it does more harm than good, but I'll agree with the misunderstood part.

I liken this argument to users who have disabled malware via msconfig.
A lot of volunteers will ask those users to remove those items and restore normal startup . . . . Why? Why do this?
Why allow malware that has previously been stopped from running to start and potentially "phone home" for reinforcements??

That, to me, is a dumb practice (and yes, I used to do that back before I really considered the consequences). I think in the past when we were all too dependent upon HJT, you needed to do this to get a good look at things.
But with DDS / RSIT et al, that is no longer necessary. We can see what has been stopped and deal accordingly.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I know there ARE forums which tell people to turn it off.....

I think those are few and far between these days.
When I was volunteering at Majorgeeks in 2004, it was policy to have users turn off System Restore before cleaning.
I was doing this at other forums as well until Blender set me straight. She was the one who first suggested (to me) that an infected point is better than none at all.
I then took that argument to chaslang at MGs and he changed the policy there.

A similar process took place in the forums regarding the whole "don't force Safe Mode" idea.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey, I'm glad you managed to sort your comp out..... After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

This baddie comes in different flavors and different degrees of difficulty. Most often, there is a rootkit component that makes removal a bear.....

What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

Great! We can try that - You'll need three CDs. I'll post the list at the bottom of this post.

I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

That's where the Flash Drive comes into play. Allows give and take from the ill machine. Plus, we can run combofix from the flash drive...

Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on Monday (damn Sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, …

PhilliePhan 171 Central Scrutinizer Team Colleague

When dealing with an infection System Restore should be left alone until the computer is deemed clean. THEN, and only then, you should set a new and clean restore point by turning off System Restore and turning it back on. But until the computer is clean, leave it alone.

Actually, that is not entirely true, Judy. :)

Many forums will have users set a fresh restore point directly before beginning the cleaning process - that goes along with the "infected point better than none at all" argument.... Likewise, some fix tools will also set points before their runs.
So, if a user normally operates with System Restore OFF, I would ask them to turn it on prior to cleaning.....

-- I was going to write some stickies addressing this and other practices, but currently awaiting OK from Daniweb leadership....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all . . . .

Are you able to access the internet and download files with the ill computer? I know you can't run programs, but can you download them?

I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in its current state, but it's worth a try, I guess.

There is a good chance that any re-writable media will get infected.
-- Are you able to burn tools onto a CD if I gave you a list of what we need?
-- Why not purchase a cheap flash drive?
-- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.

Let me know where you stand.

If you are able to download to the ill machine, please download FindWPP.zip and RightClick on …

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, here's the sysprot log. Thanks guys for all your help so far.

That log looks OK.

Judy might want to doublecheck with a gmer scan, but that's her call.

Are you still having problems?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I unblock and run it anyway?

Yes - we wouldn't have you download malware.... :)

-- A lot of legitimate tools these days tend to get flagged by AV.
You are right to be vigilant. I guess it all depends on whether you can trust the advisor and the source of the file.
The guys at majorgeeks do a good job making sure their downloads are clean.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, the only one that came up with malware was the svhkapw. I did delete it. The last one, the mlfcache, I could not find in my system32 folder. Why would that be?

My bad - that's a hidden file. You'll need to enable the viewing of hidden files to find that one.

-- Let me know what you find. I am curious about that one.....

How are things working now?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Let's check these out:

c:\windows\yhipi.com
c:\windows\system32\efiqap.dat
c:\windows\system32\serutok.com
C:\svhkapw.exe
c:\windows\system32\mlfcache.dat

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Submit them for analysis.
If any come back as malware - and I imagine a few will - just Delete them.

Let me know how that shakes out.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried that, but I can't boot in safe mode and when I plugged in the USB stick with malware's on it, Windows Police Pro attached itself to it and it wouldn't open. Any other ideas? I can't seem to bypass it.

-- What is your OS?
-- What are you able to do on the ill computer?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am running XP and as far as I can tell, other programs work perfectly.

-- When did the problem start to occur? Anything noteworthy happen before issue started? (new software install or malware infection, for instance)

Off the top of my head, it sounds like a registry issue.
-- Is System Restore an option? Do you have a viable restore point? That might be easiest - Go back to a point before the problems started....

Also, please do this:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Any help would be great!

-- What is your OS?

-- Do other programs work OK or do they shut down too?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hmm, no responses.

Sorry - It happens.
We are all volunteers with real lives to worry about + most support forums are overwhelmed with requests for help these days.....

Let's just cut to the quick and do this:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me the log and we'll see where it leads us.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Can some one please help!!

Let's have a quick look to see what we are dealing with:

Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I was able to download and run Vundo, but it said it did not find anything

Well . . . That's not good.

-- Try this:
Get a command prompt (Start > Run > type cmd > OK)
Type or Copy&Paste ipconfig /flushdns at the prompt and hit ENTER.
See if that helps at all.


-- You will probably need to purchase a flash drive and use a friend's computer or a compy at your local library or coffeeshop to download some more comprehensive cleaning tools such as MBAM and Combofix.
That would be the easiest course of action.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

How can I remove or detect the virus from different drives...?
I have attached the Hijackthis log for your reference. Let me know if any more info is needed. Please help me..

Do steps #8 & #9 in the linky below and post the logs:
http://www.daniweb.com/forums/thread134865.html

Do the Full Scan with MBAM - It will allow you to choose any and all drives you want to scan.

I am a bit overextended at the moment, but if you post the logs I'm sure somebody will be able to advise you further.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I cannot even start in safe mode with command prompt. It auto-resets as well.

You ought to try Trinity Rescue Kit.
Similar to recovery console, only with a boatload more options.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Tried all this and nothing worked.

It is unlikely that you would have the same malware as a poster from 5 years ago.
Please start a new thread for your problem and give us more information as to what is wrong and what you have tried so far to remedy the problem.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thank you for researching that for me.
I tried to delete the file and got this error message: "Cannot delete zrqabm: access is denied"

I do not have access to a clean computer where I can download those programs unfortunately.


What about the link for VundoFix?
If you cannot get that link to work, please do this:

Download the attached VundoFix.zip and extract Vundofix.exe to your Desktop. Do not run it from the ZIP!

* Double-click VundoFix.exe to run it.
* When VundoFix opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK

*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot.

Please post the Vundofix log for me. ---> C:\VundoFix.txt

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

My computer is completely locked up. I can't even get in Safe Mode. What can I do to bypass this, so I can delete it?

If nothing works and you are completely locked out, try Trinity Rescue Kit

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is the attachment you requested, and I am currently testing out Mozilla. Will let you know if it lets me access that website. Thanks!

Yep - that's a baddie.
http://virusscan.jotti.org/en/scanresult/09720eaf5c44c34795dc5068ac91f0bb70aa5e8b

Go ahead and DELETE zrqabm.dll

-- See if you are able to access and run VundoFix as per the linky below:
http://vundofix.atribune.org/

--- Do you have a flash drive you can download tools to from a clean computer? Or, perhaps burn them to CD?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

So I ran HiJack this and found zrqabm.dll and fixed it.
I then ran the scan and found the file.

-- Are you able to ZIP zrqabm.dll and attach it to your next reply? Please try that for me.

-- Download and Install Firefox browser (linky below) and tell us if you have the same problems as with IE.
http://www.mozilla.com/en-US/

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Sounds good. Yeah I uninstalled combofix. Thanks a lot for all the help.

You're Welcome :)

PhilliePhan 171 Central Scrutinizer Team Colleague

What do you advise when tracking cookies get installed?

:D

PhilliePhan 171 Central Scrutinizer Team Colleague

I attached the files.
Oh, what should I do with hijackthis?

You can delete HijackThis. It is a diagnostic tool, rather than a "fixer" tool. You won't be needing it.

-- Those folders check out OK. They are M$ Multilingual User Interfaces. No worries there!

If you were able to uninstall Combofix with no problems, I think you are good to go!

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I couldn't delete
c:\windows\system32\ca-ES
c:\windows\system32\eu-ES
c:\windows\system32\vi-VN
for some reason. It wouldn't allow me.

Now . . . That bothers me a bit.
-- What's in those folders?
-- Can you ZIP them and post them as attachments for me?

Also, what am I supposed to do with Hijackthis, Combo-fix, and the other programs I downloaded? Should I use them to check the computer from time to time?

Save the MBAM and every few weeks (or whenever you feel it necessary) update it and run the Quick Scan.

You should not keep Combofix, so let's do this:
-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


Let me know about those folders.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, I have no idea what those files are.

Neither do I . . . you could probably safely delete those if you want to do so.

Here are some observations:

-- If you installed and use Oovoo, you'll need to open MBAM and click the "Quarantine" tab and restore those three items that were removed.

You should probably create a permanent folder of its own for HijackThis, rather than running it from Downloads folder.

-- The Shield Deluxe 2009 is a formerly Rogue product - It does not have a reputation for quality in the Anti-malware community.
If you are now using Microsoft Security Essentials (which I believe comprises both AV and Anti-malware), then you should probably uninstall/remove all traces of Shield Deluxe so it doesn't come into conflict with MSE.

-- There are those who consider AskBar and Viewpoint to be minor malware. You can uninstall them if you wish. I generally don't harp on those - there are worse things to worry about.

All told, I really don't see much that worries me. How are things running now? I know you mentioned some possibly non-malware related issues...

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the quick reply! Here you go.

Hi Nancy,

Wow - You were extremely lucky that we were able to get to this quickly! It pays to be vigilant......
This baddie did not yet have a chance to call for reinforcements.

-- If you do a lot of P2P / Torrent stuff, consider yourself lucky.

Let's do this:

-- Please update your MBA-M and run the Quick Scan and have it REMOVE all it finds and then post the log for me.

-- Do you know what these are?

c:\windows\system32\ca-ES
c:\windows\system32\eu-ES
c:\windows\system32\vi-VN
c:\windows\system32\bdod.bin

-- Please post a fresh HijackThis Scanlog after running MBA-M


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

So help me! :)
-Nancy V

Hi Nancy,

It sounds as though you have a variant of a particularly nasty piece of malware that has been making the rounds lately.
You should keep this computer offline as much as possible until it is clean - once this malware gets a firm foothold, it can be a bear to remove. I don't think it is quite there yet - let's try to keep it that way.

Let's do this first:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me. Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let me know how you fare.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried to download, but when I clicked on the link you provided, the page loaded like what it does when I try to go to AVG's website (internet explorer cannot display the page)

--- Are you able to RightClick on the DDS link I posted and select "Save As" and then save it?

--- Run a scan with HijackThis and Check the Box next to this line and then Click "Fix Checked."
O20 - AppInit_DLLs: ,avgrsstx.dll zrqabm.dll

--- Please do a search of your machine for this file: zrqabm.dll
It will likely be in the System32 Folder - Be sure to enable the viewing of hidden files.

Then, once you find the file's location see if you can do this:

Go here ---> and use the Browse Button at the top of the page to navigate to zrqabm.dll and Submit it for analysis. Let us know what you find.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm so confused and I don't know what to do..

Are you able to run MBAM as per step 8 in the linky below?
http://www.daniweb.com/forums/thread134865.html

If you can, do that and post the log.


THEN:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


Even if MBAM won't run, you should be able to get the DDS log.

Let us know how you fare.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Well, if so, you should be a happy camper right now with the win today.

Oh, yeah - The first game in a best-of-five is always important! Plus, it goes a long way to erasing memories of the Rockies sweeping them in '07.....

I will look into each one and try to get some protection so this thing hopefully won't happen again...

The sooner the better!

I suggest downloading Comodo (linked before) and Spyware Blaster:
http://www.javacoolsoftware.com/spywareblaster.html


Uninstall ALL your other AV / Anti-spy apps except for Spyware Doctor and MBAM.


Your ideal setup should look like this:
Comodo -- For AV and Firewall
Spyware Doctor -- For "Real-Time" protection
MBAM -- For "On Demand" scanning, as necessary
Spyware Blaster -- For added protection from "Drive-by" downloads. Works similarly to SpyBotSD's "immunize" feature.

Keep all of these UP TO DATE with builds and definitions - Very important!

Uninstall all other unneeded protection so they do not come into conflict with the ones listed above.

Also, keep your Windows up to date with patches, etc... via Windows Updates - This is your first line of protection!

I think I'm in good shape. I'll wait for you to give me the thumbs up before getting too confident. But if you have any further suggestions, please let me know.

Definitely look into an external hard drive to back up your data!

As I mentioned, infections such as the one you …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Katrina,

See if you can do this:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

As far as other anti spyware programs.... I did pay and sign up for spyware doctor, and I did buy a spy sweeper disk from walmart. Those are the only two I've actually paid for.

Keep the Spyware Doctor - It is a good program and will offer you decent "real time" protection.

If you want a good "all in one" solution and you don't mind spending a bit of cash, Kaspersky offers an excellent security suite:
http://www.kaspersky.com/kaspersky_internet_security

If you want to go the free route, install the AV / Firewall combo from Comodo. This would probably be the best free option.

-- You'll need to go into Add/Remove Programs and uninstall all other current Anti-Virus & Anti-Spyware tools. You might want to keep MBAM on hand for "on-demand" scanning. Just update it every three weeks or so and run the Quick Scan. Or, do this whenever you feel it necessary....


-- I also suggest purchasing an external hard drive such as this one to back up your important data, music, pictures, etc....
A very good thing to do in the event of an un-recoverable malware infestation.....


Let's Reset the Winlogon Shell value back to explorer.exe:
Please download FixMe.reg to a convenient location and DoubleClick on it to run it. Allow it to merge into the registry.
Reboot and see if all is running as it should be.

Let me …

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope all is well. I'm sorry for not responding last night but I was ridiculously tired and the win32diag seemed like it took forever to run.

No Worries - We all have "real lives" to deal with... :)

I said no, but it appeared my old correct explorer mysteriously reappeared.

That is normal - Windows will replace explorer.exe almost immediately if you delete or rename it. I just was not sure it would do this for you since you were/are now running Kenney.exe

Frankly, I'd be most comfortable if you Renamed C:\Windows\Kenney.exe to C:\Windows\explorer.exe. That way we know it is for sure good.....

Then, I'll need to give you another registry patch to change the Winlogon value back to explorer.

By the way, I will delete MP4 as soon as I figure out how.

Go into Add/Remove Programs and uninstall it. Should be listed as "MP4 player"

Ok, don't forget I would love to hear your suggestions on how to keep this computer safe. When I log on currently it says my firewall is turned off and my computer may be at risk.

Once we get the explorer thing sorted, we'll work on that. A couple questions:
Are you paying for Anti-Virus?
Are you paying for Spyware Doctor or any other anti-spy tools?
The reason I ask is that you might want to keep those.

I can also suggest some good FREE and maybe better alternatives, if you want to …

PhilliePhan 171 Central Scrutinizer Team Colleague

Is Yahoo! Mail infected?

This could very well be a False Positive . . . . Or a new malware threat.

Since this is a "heuristic" detection, your AV is flagging it because it demonstrates similarities and characteristics common to malware.

I suggest you have your AV block or quarantine this.

Better yet, I suggest you post your concerns in the Kaspersky Forum - They could help you much more directly:

http://forum.kaspersky.com/


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

My computer hardly responds.

Are you able to run your MBAM?

If so, update it and run the Quick Scan and have it remove what it finds and post the log.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Kenney,

Heading out for a bit, so I wanted to post this in the event that the steps in post #44 did not work.

First, please do this again and post me the log - do this regardless of whether you had success deleting the bad explorer.exe:

-- Please Download a fresh Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me.
Be sure to let it run until it says "Finished" before posting the log!

-- If the step in Post #44 Failed, please do this:

Please download FixIt.zip and RightClick on FixIt.zip and Extract the FixIt folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I wasn't able to delete the explorer.exe from
C:\Windows\explorer.exe. I got the error message of not being able to delete explorer: "Access denied. Make sure the disk is not full or write-protected." Interesting...

Interesting indeed.....

--- See if you can delete it with Unlocker and let me know.
http://ccollomb.free.fr/unlocker/

If that doesn't work, we'll try a couple other options...


---You may also want to uninstall C:\Program Files\MP4 Player
I don't see why you'd need this with the codecs on your compy. Anyhoo, the choice is yours, of course.
See below:
http://www.bleepingcomputer.com/startups/mp4Player.exe-21448.html

Happy Monday :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PP,

I wasn't able to find the logit (log) for the junction program. I followed your instructions and something popped up but disappeared relatively quickly. I'll try again tomorrow...I may be getting a little tired here.

=============== Created Last 30 ================

2009-10-04 23:27 1,033,728 a------- C:\explorer.exe

Hi Kenney,

A few things:
-- Are you getting any errors when you try to run programs?
-- It looks like you were indeed able to copy explorer.exe to the C:\ drive.
See if you can now DELETE the bad copy of explorer.exe in the Windows folder. ( C:\Windows\explorer.exe )
If you are able to do that, then Copy&Paste C:\explorer.exe into the C:\Windows folder.
Let me know if you are able to do that.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Now, what are your recommendations for keeping this from happening again, i.e. virus protection programs, and/or firewall type stuff?

Glad to see a return to some semblance of normal :)

This, however, is just a workaround and may not last and certainly should not be permanent. What we have done is changed the Winlogon Shell value to "Kenney.exe" - we still need to address the root problems remaining from the malware.

This particular malware tends to leave the system fairly unstable. Plus, you may get a bunch more of those error messages when trying to run programs...

If you don't mind running more logs . . . . . :)

This is what I'd like to see:

-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it.


-- Please Download:
http://download.sysinternals.com/Files/Junction.zip
Extract junction.exe from the Junction.zip you downloaded and place junction.exe in your C:\Windows …
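An added defender-side check, not from the thread or from any of the tools it names: it audits the Winlogon Shell value that the workaround above changed (along with Userinit, and the AppInit_DLLs value that the HijackThis O20 line earlier in the thread covers) and can put them back to stock. It assumes PowerShell on the affected machine and the stock values hard-coded below; the file that Shell points to still has to be verified separately, as the thread does with a Jotti scan.

```powershell
# Added example (not the thread's own fix): audit, and optionally restore, the
# registry values that this family of infection tampers with to survive a reboot.
# Read-only by default; pass -Restore to write the stock values back (run as admin).
param([switch]$Restore)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# Stock values on a clean XP/Vista/7 box (assumption; adjust if your baseline differs).
$expected = @{
    Shell        = 'explorer.exe'
    Userinit     = "$env:SystemRoot\system32\userinit.exe,"
    AppInit_DLLs = ''
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value or $null; a missing value is itself worth reporting.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WinlogonFindings {
    $findings = @()
    $shell    = Get-RegValue $winlogon 'Shell'
    $userinit = Get-RegValue $winlogon 'Userinit'
    $appinit  = Get-RegValue $windows  'AppInit_DLLs'

    # PowerShell string comparison is case-insensitive, which is what we want here.
    if ("$shell" -ne $expected.Shell) {
        $findings += [pscustomobject]@{ Path=$winlogon; Name='Shell'; Current=$shell; Expected=$expected.Shell }
    }
    # Tolerate a missing trailing comma on Userinit; anything else appended is suspicious.
    if ("$userinit".TrimEnd(',') -ne $expected.Userinit.TrimEnd(',')) {
        $findings += [pscustomobject]@{ Path=$winlogon; Name='Userinit'; Current=$userinit; Expected=$expected.Userinit }
    }
    # AppInit_DLLs is loaded into every process that links user32.dll; it should be empty.
    if (-not [string]::IsNullOrWhiteSpace("$appinit")) {
        $findings += [pscustomobject]@{ Path=$windows; Name='AppInit_DLLs'; Current=$appinit; Expected='<empty>' }
    }
    return $findings
}

$findings = Get-WinlogonFindings
if ($findings.Count -eq 0) {
    Write-Host 'Winlogon Shell, Userinit and AppInit_DLLs all match the stock values.'
} else {
    $findings | Format-Table -AutoSize
    if ($Restore) {
        foreach ($f in $findings) {
            $value = if ($f.Name -eq 'AppInit_DLLs') { '' } else { $f.Expected }
            Set-ItemProperty -Path $f.Path -Name $f.Name -Value $value
            Write-Host "Restored $($f.Name) to '$value'"
        }
        Write-Host 'Reboot to apply. Verify %SystemRoot%\explorer.exe is the genuine file first.'
    }
}
```

Putting Shell back to explorer.exe only helps if the explorer.exe in the Windows folder is the genuine one, which in the thread above was still the replaced copy at that point.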

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I run it? (probably a stupid question, but I have to ask).

Actually, no . . . . :)

Please download Fixit.reg to a convenient location.
DoubleClick on it and Allow it to merge into the registry.
If it allows you to merge, then Reboot and let me know how things look.
If you get another error message, let me know.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, I did attempt to fix my problem via some other forums recommendations. Do you think this is part of the problem?

Probably not - Just wanted to check because it looked like some fixing had taken place.
No worries.

Please download This File and place it in your C:\Windows folder.

Let me know if you were able to do that.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

This is odd - the logs all look normal to me - perhaps I am missing something. Let's see if we can get that explorer.exe copied and then I can try to rule some things out.....

I think I see what I missed - I feel stupid......

In addition to the above, do this:
Use task manager to open a command prompt (cmd or command.com)

Type or Copy&Paste:

copy C:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe C:\ /y
& hit ENTER


THEN:
I am not sure if you still have Avenger available, so I'll copy & paste the whole thing....

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\explorer.exe | C:\WINDOWS\explorer.exe

-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

Hopefully this will do the trick.... I'll be …