PhilliePhan 171 Central Scrutinizer Team Colleague

ok... so explain to me why I shouldn't be worried about rootkits? Do we know there aren't any...or am I taking a chance here?

You should be worried and no we do not know for certain there aren't any.
All we can say with any certainty is that your scans are now clean.

There are people who will tell you that, once a rootkit has been on your machine, you can never trust it again - that is probably a decent assessment.
The only 100% solution to rootkits (and malware in general) is to wipe your hard disc and re-install Windows.

If you really want to dig further, you could try Root Repeal or F-secure's Blacklight. Those are good tools and I'm sure Judy has recommendations as well.
I would try Blacklight and/or Root Repeal....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks again -
Steph

You're Welcome! :)

Salem commented: Another great result :) +36
PhilliePhan 171 Central Scrutinizer Team Colleague

You have been super awesome.

Well . . . . That's what everybody keeps telling me . . . I hope it doesn't go to my head! LOL!


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

ok, so why is it bad to have combofix on there? Also, is my registry all fixed now? Will I have to do anything else, or just remove combofix?

Just remove combofix - You really don't want to run that version, say, a few weeks down the road. In the past, when run on systems with certain baddies, it has totally borked machines. When that happens, the author (sUBs) pulls it down so nobody can access it and addresses the issue. It is constantly being updated. So, if somebody tells you to run it, you always want the latest version, even if only a few days have passed....

Your Registry should be fine.

And lastly, my hard drive has a 20gb partition allocated to recovery. What is the difference between this and system restore? I'm assuming I should also copy this onto the hard drive I just bought...?

Do you have a copy of your windows disc? (I can't remember if I already asked...)
When used, the Recovery Partition will restore your compy to the way it was when you pulled it out of the box (or however you first received it, LOL!) - EVERYTHING you added to the machine since that time will be gone.
Essentially, it is an easy way to re-format... I believe it offers a few other, less destructive, options as well...

Often, newer computers do not come with Windows CD / DVD and the first thing you want to do is …

PhilliePhan 171 Central Scrutinizer Team Colleague

Great! :)

Things look good - a few rootkit remnants were removed and the log looks OK to me. Was going to suggest a run of Root Repeal for good measure, but the Panda scan was clean so I think we can forgo that unless you are in the mood for more scanning . . . LOL!


A few things:

-- You can DELETE:
C:\ILLA
C:\KILLBAD
C:\suckmydick
C:\PKBOO

ALSO:
Please navigate to the files in bold below and upload them here for analysis and let me know what you find ---> http://virusscan.jotti.org

c:\documents and settings\All Users\Application Data\icyw.dat
c:\windows\iun6002.exe

Lastly:

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Now, I know you're blaming your husband, LOL! (heard that a million times + oh, it's my son home from school for spring break + all the others), so be sure to warn him of the dangers of P2P/Torrents and the like. Maybe threaten to …

PhilliePhan 171 Central Scrutinizer Team Colleague

Those logs look ok to me - I think you are good to go.

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Be careful with the P2P/Torrent stuff - lots of nasties to be found.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I thought I had. Sorry. It's all yours.:)

Running MBA-M after combofix WILL clean malware - it is not a bad step.
The thing is, it will also alter the contents of any subsequent CFScript as I'll have to cross-check the two logs - I just don't want to have to look at two logs at once and try to figure what has been removed and what still needs to be . . .

Congrats on being a "featured poster", btw....!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

EDIT: Sorry crunchie - didn't see you. Let me get a look at this log and then I'll get out of your way.
PP :)

@rexassassin
Have a try with my post below before doing what crunchie requested


Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

What's the point of having 15 threads from people that are having the same problem?

This is pretty much SOP in every security forum.
The reason being, if I am interacting with multiple posters with multiple computers and am posting different instructions for each, and answering various questions from each poster, can you imagine the confusion? Heck, if one user has multiple computers to clean, I request a separate thread for each compy.

BTW - After getting combofix to run, the instructions for each user will be tailored to the results of their scanlogs.

Are you afraid you won't get "credit" for solving another thread? Pretty ghey if you ask me.

Don't really care - It's not as though volunteers get paid. . . .

I don't see major anti-virus companies writing different removal instructions based on different levels of installed software.
It's a generic Windows virus/malware issue. To think that it would behave any differently based on what pieces of software I have installed is ridiculous.

This is far off base - I certainly doubt you'll see any large AV company produce a solution . . . . that will run. LOL!
MBA-M will get it and combofix will get many of the rootkit components if they can be run.
You'll note that this malware has a rootkit component that prevents tools from being run......

BTW - I took down my links when I realized that the tool I wrote would not …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi travs1,

Since MBA-M was run after Combofix, I am going to need to see a fresh Combofix scanlog.
Please DELETE your current copy of Combofix and DL a fresh one before running it again.


Also, please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

BTW - It doesn't hurt to install the recovery console. I usually recommend it if you do not have your Windows disc or other bootable option handy....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I will have a look at the log in more detail tomorrow and post any necessary manual fixes then.

Hi Stephie,

Everything looks OK to me. I think you are good to go.

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


**You should be careful about the P2P stuff and File Sharing, etc . . . That's likely how you got infected.

That's the extent of my lecture......

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

crunchie is right - Once combofix has been run, only the volunteer who requested it be run should post until the matter has been resolved! Everybody else is just getting in the way. (no offense intended to anybody - just speaking the truth)

Please don't run any other tools until you hear from HIM. The fixes with combofix will be very specific to YOUR computer. Running other cleaners can cause difficulties with the fixes he will post for you. So if others suggest some other cleaner, please IGNORE them.

I wish you had listened to your own advice in this post, Judy, LOL!
http://www.daniweb.com/forums/post964794-24.html

I guess, when one is a FEATURED POSTER, one can get away with this . . . . . ;)


@ Sisaly - This is my fault, but I should have mentioned that I would need a Fresh combofix log after the MBA-M scan.

Delete your current combofix and download a fresh copy, run it and post me the log. We are pretty much done, but I want to clean up any "hangers on."

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ah, I didn't see your latest post until after I ran Combofix - but I never had it installed before so it was a "fresh" copy. It ran without problems (no need to rename) and here is the log:

Great :)

I will have a look at the log in more detail tomorrow and post any necessary manual fixes then.

You can go ahead and delete C:\KILLBAD - it didn't have much effect, lol!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's the MalwareBytes log.

LOL! You let that thing run for over an hour and then you didn't have it remove the baddies? ;) After all they put you through . . . .

Run it again and when the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.

I will check back Wednesday evening EST - there are still a bunch of fixes we need to do manually with combofix. I'll post them for you tomorrow.

-- Hey. . . . Don't rip any more hair out over that "Remove Selected" fail........

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Just got out of work, here is the log for the MBAM *full* scan:

Great :)

Let's do this now:
If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

I will check in tomorrow and have a look at the log and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Avenger did not work.
Again, thanks for your help

Happy to help :)

You need to copy ALL of the text in red, including "files to move:"

Try again.

Once it works, do the following:
If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

not sure I know exactly what you meant but here is the new log

Hi Jon,

You need to download that attached CFScript.txt to your Desktop and then drag the CFScript.txt icon over the combofix.exe icon which will then start Combofix.

Like this

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

All things considered, that is probably for the best because the rootkit on your machine is one of the nastier ones - I am not seeing it on the other machines with similar problems, so you very well may have picked that up some time ago.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Running now.....

All right . . . Now we are cooking with gas . . . or something like that.

I am calling it a night - My eyes are killing me + have some actual paying work to do.

Post the combofix log for me and I'll have a look at it first chance I get.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks :)

I am not sure that will be a viable option for most of the posters in this forum, though.
Plus, with all of the rootkit components of the more severe infections, that is not a practical solution for novices, which many of our posters are. . . .

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Jon,

Download the attached CFScript.txt to your Desktop.
-- Drag the CFScript.txt into ComboFix.exe to start ComboFix again.

Post me that log and tell me how things are working....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok - If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.malwarebytes.org/forums/index.php?showtopic=22723

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - onward and upward....

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have it remove what it finds and post that log too...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Phil, I did exactly as stated, and when I run Execute (after copy/paste) on Avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!

Copy and paste everything in red, including "files to move."

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


Try again and see if that works and then do the rest.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow Phil you are a trooper.
I got KILLBAD and win32kdiag to run. Here are the logs.

The stuff that is hard to kill is more fun for us Forum volunteers :)

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have …

PhilliePhan 171 Central Scrutinizer Team Colleague

I am not sure that you have the same infection as the others. Sounds like you have a bigger mess going on....

I think my initial suspicion was probably on target.

You could try running KILLBAD as per posts 4 & 5 and see if the log comes up. At the least, it'll show a key registry entry that we might need to fix to try to get Win32kDiag to run.

Other than that, I'm not sure I have any tricks up my sleeve.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a million - so much appreciated

Happy to try to help!

I'll keep my fingers crossed.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, I was wondering if it would be ok to just copy the files in My Documents over to the new hard drive before I reformat. There shouldn't be any bad files in there, right?

I couldn't tell you with any certainty - I can see how you'd think not, but a good deal of malware is crafty....

I don't think what we are dealing with is particularly crafty, just poorly written. Malware writers can't steal/extort any money from people if they turn their compys into boat anchors...... LOL!

Still, I'd like to get some tools to run - they'll show some infection locations.
Plus, we should also try a run of Root Repeal, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I tried everything up to your last suggestion to no avail.
I downloaded win32diag but because it's an .exe I cannot run it.

Can you rename it to Win32kDiag.com and try that?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I will try again to see if I can get it to work?

Yes - try that.

Delete your copy of Win32kDiag and then download a fresh copy and try it again.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

reply to PhilliePhan:
yea I have the product key and installation disk, I reformatted with it a few times already...

I don't think Toshiba is pirating Windows though, they are a very big corporation lol

Ok - that's not the problem.

And, no, I didn't think Toshiba was doing that. I think it is more a case of small, independent retailers looking to make an extra buck.

-- You should probably doublecheck Windows Genuine Validation software after crunchie has finished fixing you up.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am going to let it reboot and then try the Full Scan...

OK, good.

When that's done, post the log for me and then see if you are able to run combofix as per the linky below:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If it runs, post me that log too. If not, we'll have to try it a bit differently.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You could try the hardware Forum here at Daniweb:

http://www.daniweb.com/forums/forum7.html

A lot of smart people - they might have some better ideas than what I can come up with.
Be sure to tell them that we ruled out malware.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi all and thanks for the info. I never mentioned that this pc is a laptop - how can I change the keyboard?

At this point, you might be better off taking it to a shop and having them do it - at least you can point them in the right direction.....

With regard to the ctrl + n, nothing happens, but none of my shortcuts are working e.g. ctrl a to select all nor ctrl alt delete.

This would indicate to me that we are on the right track with our diagnosis.

Just for good measure though I reformatted again the other day. Same thing (getting anything up to 150 pages at a time).

So - Must indeed be a hardware issue.

Can you do a walk through the keyboard thing for me? Appreciate all your help and assistance, K

Happy to try to help, but I am not comfortable doing that as there are a lot of ways to damage your machine. I would recommend a repair shop as the safest and most effective way to solve the problem.

If you are keen to try it yourself, there are tons of tutorials on the web. For instance:
http://www.refurbished-laptop-guide.com/how-to-replace-laptop-keyboard.html

Best luck to you!
Sorry I could not be more help.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm looking at either a western digital passport or maybe a maxtor...
Which brand would you suggest?!

WD, Seagate, Maxtor - those are all good

320GB for $80 . . . .hard to beat:
http://www.newegg.com/Product/Product.aspx?Item=N82E16822136237

.....and, with NewEgg it'll be on your doorstep by Friday....

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hey Phillie here is the Win32kdiag log you requested -

Great :)

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have it remove what it finds and post that log too...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry, after hearing that there was "nothing I can do", I threw Linux Mint into the disk drive, backed up their photos, documents, videos, etc., and formatted/reinstalled Windows.

Sorry to hear that! There is a way to attack this malware, though when rootkits are involved, I usually recommend a format as the best option.

Due to the nature of this malware, I hope you didn't back up some bad along with the good.....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for ALL your help and advice! Gonna work on this FRIDAY and will let you know what happens!

OK :)

All you need to do at this point is get me that Win32kDiag log and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Good luck, greetings from Germany
Morganfield

Thanks, but that is not an option just yet - poster cannot get MBA-M to run.

Hopefully, after Sisaly gets me the Win32kDiag log, we can change that.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks a lot for your help, and everyone else that helped too

Happy to help:)

I may have been a bit premature in calling for you to format - I am finding that these infections tend to have all sorts of rootkit components.

If you like, we can try to clean it. But I still stand by my last post and the severity of the infection shown.

Be very careful putting things on another compy - I'm not sure that is a good idea, given the nature of this baddie.


Are you able to get combofix to run as per the linky below?
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Try that and post a log, if possible.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

So what does rootkit mean?
At this point I would like to try to fix it just to learn more about windows...
I'll try to pick up a hard drive this evening and start backing up my files.

Be careful backing up your files!

-- Rootkits are not themselves evil. The simple definition is that they are used to hide programs, etc. from the Windows API.
-- Google "Sony DRM Rootkit" for an interesting read.
-- Some AV (Norton is one, I think) use rootkit technology and I believe DaemonTools also uses it.....

We had a great discussion at SpywareWarrior about rootkits some years ago, but I cannot find it. Here's a different linky:

http://www.spywarewarrior.com/viewtopic.php?t=17607&sid=79b9b56ba2bc72fe024e194da6f17e52

My general stance regarding rootkits is that, once they are on your machine, it is hard to ever trust that machine again, even if you think it is clean.... I always suggest a re-format as the best option, though we are able to clean these.

Post me that fresh log tonight and let's see what we can do...

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay . . . . I've managed to get somewhat up to speed, LOL!

Turns out that this particular baddie is extremely nasty, and I don't mean the obvious stuff. It has all sorts of rootkit components involved and is a real pain to clean.

Our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.

See if you can get this tool to run:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to. If it doesn't run, try renaming it to Win32kDiag.com

-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, see if you are able to get this to run.

Looks like there are some serious rootkit components to this baddie and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

See if you are able to get this to run.

Looks like there are some serious rootkit components to this and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's hoping you can get this to run....

As it turns out, this infection is major nasty! My simple little batch ain't gonna do it, lol!
Looks like there are some serious rootkit components to this and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.
To do that, we'll need to take a different tack.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

As it turns out, this infection is a real pain in the ass! My simple little batch ain't gonna do it, lol!

Looks like there are some serious rootkit components to this.
Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.
To do that, we'll need to take a different tack.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Stephie,

Here is my canned spiel:

As it turns out, this infection is major nasty!

Looks like there are some serious rootkit components to this and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.

However, if you'd like to give cleaning this a shot, we can try to get combofix to run.


If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks so much,
You don't have any idea how much we appreciate your help.

Happy to try to help :)

As it turns out, this infection is major nasty! My simple little batch ain't gonna do it, lol!
Looks like there are some serious rootkit components to this and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.
To do that, we'll need to take a different tack.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Now that I think about it, I think maybe that cespy might be the Covenant Eyes filter I use. I just viewed it as an internet filter and not "a commercial Key-logger or spyware". Anyway, it showed up again.

That's what it is . . . . And that's why it's back. I saw the CE entry in HJT, but it didn't register. But, it's definitely in the Spyware family.
Didn't think nmnsp.dll was a component, though.

Nothing else really jumps out at me from your HJT log - you might try running ComboFix as per the linky below and posting the log for us.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I'll try to check back on Tuesday, as time permits.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

A little light humor is always nice when dealing with malware... ;)

-- I've had literally hundreds of people use that tool over the years.