Flaunt

Members

  • Posts: 12
  • Birthday: 02/10/1976

Tech Info

  • Experience: very_experienced
  • System: windows_xp_media

Posts by Flaunt

  1. ^^^ Oops, how presumptuous of me! Hahaha. Take care, and thanks again for everything. ;)
  2. Hi Schrauber. Yes, I posted there around the same time as here (I wasn't aware you knew each other) but started to get advice real quick. My business has been suffering badly, so time wasn't on my side, you see! Other than getting back into Windows with your help, I have used Kestrel's instructions only, as it all came before your latest response today. As I mentioned to him, I was due to say my thanks to you later today and mention I would finish it up with him. Sorry for any confusion; it's been quite hectic these past few days! I want to thank you HUGELY and sincerely for all your initial help, because I wouldn't have even got this far without it. And, as I promised before, I will still be making a donation to the forum and recommending you and the team highly to others. Thanks once again. I really appreciate it ;)
  3. Right, update again: I downloaded 'Rkill' again and just hammered it trying to get it to run. Amazingly, it finally did it and bought me enough time to run MBAM. That found 69 infections, which it removed. I then ran ComboFix, and that ran for a while and fixed and removed a load of stuff too. As of now, my PC is running great (and a whole lot quicker too) and there is no sign of the malware infection anywhere. Do you think we've done enough now? It certainly appears OK now. Well, I've attached the ComboFix.txt file for you to review ;) (attachment: ComboFix.txt)
  4. I can't run 'exehelper.com' :( I get a message saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".
  5. Also, I can't run 'Regedit', 'Command', 'Task Manager', etc., or any .exe. And 'Folder Options' under 'Tools' at the top of any window has vanished...
  6. Update: The virus is still lurking in parts. I have a couple of the 'fake' warnings on the toolbar right now. So I guess we need to get rid of the last traces of it now, right? It's also still blocking me from running any .EXE files, so I can't run my anti-virus software right now :(
  7. My God! I'm back into Windows! Logged in successfully :) So, is that it? Or do we have more things to check first? Regardless, you are now my new favourite person! lol. You can certainly expect a donation to the forum. Outstanding stuff.
  8. OK, so here are the results of the 'Run Fix' log file:

     ========== OTL ==========
     Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KService deleted successfully.
     Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell deleted successfully.
     Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit deleted successfully.
     Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
     HKEY_LOCAL_MACHINE\Software\Classes\.com\shell\open\command\\|"%1" %* /E : value set successfully!
     HKEY_LOCAL_MACHINE\Software\Classes\.com\\|comfile /E : value set successfully!
     C:\WINDOWS\system32\regedit.exe moved successfully.
     C:\WINDOWS\system32\drivers\sjaeilvj.sys moved successfully.
     C:\lsass.exe moved successfully.
     C:\WINDOWS\ozotequw.dll moved successfully.
     File C:\Windows\System32\**** not found.
     File C:\Windows\System32\****4 not found.
     C:\WINDOWS\system32\drivers\zgrhurxf5.sys moved successfully.
     C:\WINDOWS\ppi2.exe moved successfully.
     File C:\Windows\System32\****3 not found.
     File C:\Windows\System32\****2 not found.
     C:\WINDOWS\E88D4.exe moved successfully.
     File C:\lsass.exe not found.
     File C:\Windows\ozotequw.dll not found.
     File C:\Windows\System32\**** not found.
     File C:\Windows\System32\****4 not found.
     File C:\Windows\System32\drivers\sjaeilvj.sys not found.
     File C:\Windows\System32\****3 not found.
     File C:\Windows\System32\****2 not found.
     File C:\Windows\System32\drivers\zgrhurxf5.sys not found.
     File C:\Windows\ppi2.exe not found.
     File C:\Windows\E88D4.exe not found.
     ========== COMMANDS ==========
     [EMPTYTEMP]
     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 19569 bytes
     %systemroot%\System32 .tmp files removed: 7125 bytes
     %systemroot%\System32\dllcache .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 657179 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 13499176 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1826194 bytes
     Total Files Cleaned = 15.00 mb
     [EMPTYFLASH]
     Total Flash Files Cleaned = 0.00 mb
     C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
     HOSTS file reset successfully
     OTLPE by OldTimer - Version 3.1.39.0 log created on 05232010_185517

     The next set of log file results, for the second scan, I have had to upload separately to the post. The file was far too long and it wouldn't let me post the full text or attach it, as it is too big (you'll see why). I recall that 'flyfiudk.exe' (the one taking ALL the text in the log file!) was running loads of processes just before I got locked out of Windows, and I couldn't stop it ;) The log file is here >> lastscan.Txt

     Thanks again.
  9. ^^^ Actually, those files I mentioned are the ones that are starred out (****). Also, the 20th May was the day I got infected and locked out, just so you know the date of the bad files etc. ;)
  10. Hi Tom,

     Right, I have done what you asked. I don't know if it is important, but a couple of things in your instructions were different when I did it. These were:

     "you wish to load the remote registry", select Yes
     This option never came up. Just the one about 'load remote user profiles'.

     "OTL should now start. Change the following settings" / "Change Drivers to Non-Microsoft"
     There wasn't this option. Only one that said 'None', so I chose that.

     Please let me know if I need to do a scan again differently. ;)

     This is the text file I got after the scan:

     OTL logfile created on: 5/22/2010 5:58:53 PM - Run
     OTLPE by OldTimer - Version 3.1.39.0     Folder = X:\Programs\OTLPE
     (Version = .) - Type = Internet Explorer (Version = )
     Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

     1,023.00 Mb Total Physical Memory | 856.00 Mb Available Physical Memory | 84.00% Memory free
     906.00 Mb Paging File | 850.00 Mb Available in Paging File | 94.00% Paging File free
     Paging file location(s): C:\pagefile.sys 4096 4096 [binary data]

     %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
     Drive C: | 29.99 Gb Total Space | 6.88 Gb Free Space | 22.95% Space Free | Partition Type: NTFS
     D: Drive not present or media not loaded
     Drive E: | 148.50 Gb Total Space | 24.25 Gb Free Space | 16.33% Space Free | Partition Type: NTFS
     F: Drive not present or media not loaded
     G: Drive not present or media not loaded
     H: Drive not present or media not loaded
     I: Drive not present or media not loaded
     Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

     Computer Name: REATOGO
     Current User Name: SYSTEM
     Logged in as Administrator.

     Current Boot Mode: Normal
     Scan Mode: All users
     Company Name Whitelist: Off
     Skip Microsoft Files: Off
     File Age = 30 Days
     Output = Standard
     Using ControlSet: ControlSet001

     ========== Win32 Services (SafeList) ==========

     SRV - File not found [On_Demand] -- -- (WLSetupSvc)
     SRV - File not found [On_Demand] -- -- (ServiceLayer)
     SRV - File not found [Disabled] -- -- (LXCECustomerConnect)
     SRV - File not found [Disabled] -- -- (KService)
     SRV - [2009/12/27 06:15:49 | 000,030,192 | ---- | M] (Google) [On_Demand] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)
     SRV - [2009/12/01 15:43:02 | 000,051,384 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
     SRV - [2009/02/15 20:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)
     SRV - [2009/02/02 16:14:20 | 000,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
     SRV - [2009/02/02 16:14:15 | 000,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
     SRV - [2007/10/18 07:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
     SRV - [2006/12/14 13:00:00 | 000,544,768 | ---- | M] (Magix AG) [On_Demand] -- C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- (UPnPService)
     SRV - [2006/03/03 17:03:10 | 000,069,632 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
     SRV - [2005/11/17 11:18:52 | 001,527,900 | ---- | M] (MAGIX®) [Disabled] -- C:\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
     SRV - [2005/11/13 20:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
     SRV - [2003/07/02 13:40:08 | 000,045,056 | ---- | M] ( ) [Auto] -- C:\Windows\System32\slserv.exe -- (SLService)

     ========== Standard Registry (SafeList) ==========

     ========== Internet Explorer ==========

     IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

     [2010/05/19 13:37:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
     [2010/04/26 04:03:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
     [2010/04/26 04:03:25 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
     [2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
     [2010/03/13 20:08:56 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
     [2010/03/13 20:08:56 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
     [2010/03/13 20:08:56 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
     [2010/03/13 20:08:56 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

     O1 HOSTS File: ([2010/05/20 11:31:18 | 000,000,752 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
     O1 - Hosts: 127.0.0.1 virustotal.com
     O1 - Hosts: 127.0.0.1 VirusTotal - Free Online Virus and Malware Scan
     O1 - Hosts: 127.0.0.1 virustotal
     O1 - Hosts: 127.0.0.1 virscan.com
     O1 - Hosts: 127.0.0.1 virscan.com
     O1 - Hosts: 127.0.0.1 virscan
     O1 - Hosts: 127.0.0.1 virscan.com
     O1 - Hosts: 127.0.0.1 virustotal
     O1 - Hosts: 127.0.0.1 virscan
     O1 - Hosts: 127.0.0.1 Jotti's malware scan
     O1 - Hosts: 127.0.0.1 virusscan.jotti.org/
     O1 - Hosts: 127.0.0.1 Jotti's malware scan
     O1 - Hosts: 127.0.0.1 scanner.novirusthanks.org/
     O1 - Hosts: 127.0.0.1 Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org
     O1 - Hosts: 127.0.0.1 http://www.scanner.novirusthanks.org/
     O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\Windows\System32\narrator.exe (Microsoft Corporation)
     O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]
     O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
     O13 - ftp Prefix: missing
     O13 - gopher Prefix: missing
     O13 - home Prefix: missing
     O13 - mosaic Prefix: missing
     O13 - www Prefix: missing
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
     O20 - HKLM Winlogon: Shell - ( ) - (Registry key not found)
     O20 - HKLM Winlogon: UserInit - ( ) - (Registry key not found)
     O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
     O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
     O32 - HKLM CDRom: AutoRun - 1
     O32 - AutoRun File - [2009/06/10 11:23:45 | 000,000,156 | ---- | M] () - C:\Autorun.inf -- [ NTFS ]
     O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
     O34 - HKLM BootExecute: (autocheck autochk *) - File not found
     O37 - HKLM\...com [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
     O37 - HKLM\...exe [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

     ========== Files/Folders - Created Within 30 Days ==========

     [2010/05/20 09:25:43 | 000,000,000 | ---D | C] -- C:\!KillBox
     [2010/05/20 07:55:48 | 000,169,472 | ---- | C] (Ryddcf) -- C:\Windows\System32\regedit.exe
     [2010/04/27 06:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
     [2010/04/26 04:03:43 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
     [2010/04/26 04:03:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
     [2010/04/26 04:03:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
     [2010/04/26 04:03:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
     [2006/02/18 23:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
     [2005/11/26 00:37:17 | 000,014,976 | ---- | C] ( ) -- C:\Windows\System32\drivers\winddx.sys
     [2003/08/20 13:34:50 | 000,548,952 | ---- | C] ( ) -- C:\Windows\System32\drivers\slntamr.sys
     [2003/07/16 08:30:26 | 000,221,736 | ---- | C] ( ) -- C:\Windows\System32\drivers\mtlmnt5.sys
     [2003/07/02 12:26:36 | 001,301,128 | ---- | C] ( ) -- C:\Windows\System32\drivers\mtlstrm.sys
     [2003/07/02 12:24:36 | 000,086,128 | ---- | C] ( ) -- C:\Windows\System32\drivers\slnthal.sys
     [2003/07/02 11:57:10 | 000,167,384 | ---- | C] ( ) -- C:\Windows\System32\drivers\ntmtlfax.sys
     [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
     [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

     ========== Files - Modified Within 30 Days ==========

     [2010/05/20 16:04:42 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\sjaeilvj.sys
     [2010/05/20 16:04:40 | 000,002,048 | --S- | M] () -- C:\Windows\bootstat.dat
     [2010/05/20 16:04:38 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
     [2010/05/20 15:46:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
     [2010/05/20 13:53:48 | 000,350,193 | ---- | M] () -- C:\Windows\System32\vsconfig.xml
     [2010/05/20 13:53:09 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
     [2010/05/20 13:52:40 | 1072,484,352 | -HS- | M] () -- C:\hiberfil.sys
     [2010/05/20 11:32:07 | 001,087,356 | ---- | M] () -- C:\Windows\System32\tmp.reg
     [2010/05/20 10:54:44 | 000,023,040 | ---- | M] () -- C:\lsass.exe
     [2010/05/20 09:45:08 | 000,000,879 | ---- | M] () -- C:\Windows\win.ini
     [2010/05/20 09:45:08 | 000,000,279 | -HS- | M] () -- C:\BOOT.INI
     [2010/05/20 09:45:08 | 000,000,227 | ---- | M] () -- C:\Windows\system.ini
     [2010/05/20 09:11:49 | 000,521,766 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
     [2010/05/20 09:09:42 | 000,216,132 | ---- | M] () -- C:\Windows\System32\nvapps.xml
     [2010/05/20 07:59:35 | 000,002,544 | ---- | M] () -- C:\Windows\ozotequw.dll
     [2010/05/20 07:57:46 | 000,057,344 | ---- | M] () -- C:\Windows\System32\****
     [2010/05/20 07:57:37 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****4
     [2010/05/20 07:57:18 | 000,081,408 | ---- | M] () -- C:\Windows\System32\drivers\zgrhurxf5.sys
     [2010/05/20 07:56:45 | 000,006,789 | ---- | M] () -- C:\Windows\ppi2.exe
     [2010/05/20 07:56:02 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****3
     [2010/05/20 07:56:00 | 000,042,496 | ---- | M] () -- C:\Windows\System32\****2
     [2010/05/20 07:55:59 | 000,006,771 | -HS- | M] () -- C:\Windows\E88D4.exe
     [2010/05/20 07:55:55 | 000,210,816 | ---- | M] () -- C:\Windows\System32\drivers\ndis.sys
     [2010/05/20 07:55:55 | 000,210,816 | ---- | M] () -- C:\Windows\System32\dllcache\ndis.sys
     [2010/05/20 07:55:34 | 000,169,472 | ---- | M] (Ryddcf) -- C:\Windows\System32\regedit.exe
     [2010/05/19 15:40:05 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
     [2010/05/19 13:16:36 | 002,688,120 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
     [2010/05/19 13:15:32 | 000,001,158 | ---- | M] () -- C:\Windows\System32\wpa.dbl
     [2010/05/15 12:29:16 | 000,000,284 | ---- | M] () -- C:\Windows\tasks\AppleSoftwareUpdate.job
     [2010/04/26 04:03:25 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
     [2010/04/26 04:03:25 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
     [2010/04/26 04:03:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
     [2010/04/26 04:03:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
     [2010/04/26 04:03:25 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javacpl.cpl
     [2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
     [2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

     ========== Files Created - No Company Name ==========

     [2010/05/20 12:40:31 | 1072,484,352 | -HS- | C] () -- C:\hiberfil.sys
     [2010/05/20 11:32:07 | 001,087,356 | ---- | C] () -- C:\Windows\System32\tmp.reg
     [2010/05/20 09:08:36 | 000,023,040 | ---- | C] () -- C:\lsass.exe
     [2010/05/20 07:59:35 | 000,002,544 | ---- | C] () -- C:\Windows\ozotequw.dll
     [2010/05/20 07:57:45 | 000,057,344 | ---- | C] () -- C:\Windows\System32\****
     [2010/05/20 07:57:37 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****4
     [2010/05/20 07:56:18 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\sjaeilvj.sys
     [2010/05/20 07:56:02 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****3
     [2010/05/20 07:56:00 | 000,042,496 | ---- | C] () -- C:\Windows\System32\****2
     [2010/05/20 07:55:55 | 000,210,816 | ---- | C] () -- C:\Windows\System32\dllcache\ndis.sys
     [2010/05/20 07:55:53 | 000,081,408 | ---- | C] () -- C:\Windows\System32\drivers\zgrhurxf5.sys
     [2010/05/20 07:55:45 | 000,006,789 | ---- | C] () -- C:\Windows\ppi2.exe
     [2010/05/20 07:55:20 | 000,006,771 | -HS- | C] () -- C:\Windows\E88D4.exe
     [2010/05/14 09:41:21 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
     [2010/05/14 09:41:20 | 000,000,898 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
     [2010/01/28 05:31:37 | 000,001,441 | ---- | C] () -- C:\Windows\cctcsq48.ini
     [2010/01/18 18:28:12 | 000,000,168 | ---- | C] () -- C:\Windows\System32\xpysys.dll
     [2009/11/05 18:59:49 | 000,000,066 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfl
     [2009/11/05 18:15:55 | 000,000,021 | ---- | C] () -- C:\Windows\CMAURACK.INI
     [2009/11/05 18:15:38 | 000,000,414 | ---- | C] () -- C:\Windows\CMMPLAY.INI
     [2009/11/05 18:15:37 | 000,000,061 | ---- | C] () -- C:\Windows\CMCDPLAY.INI
     [2009/11/05 17:42:12 | 000,004,333 | ---- | C] () -- C:\Windows\mixerdef.ini
     [2009/11/05 17:41:53 | 000,000,051 | ---- | C] () -- C:\Windows\CMISETUP.INI
     [2009/11/05 17:41:31 | 000,001,360 | ---- | C] () -- C:\Windows\_delis32.ini
     [2009/11/05 16:16:20 | 000,001,480 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfg
     [2009/11/05 16:15:10 | 000,002,532 | ---- | C] () -- C:\Windows\cmudax3.ini
     [2009/09/21 10:44:50 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
     [2009/09/12 10:14:09 | 000,000,065 | ---- | C] () -- C:\Windows\GeneralEffect.INI
     [2009/06/10 11:24:02 | 000,000,113 | ---- | C] () -- C:\Windows\mgfolder_reg.ini
     [2009/03/27 04:03:00 | 001,724,416 | ---- | C] () -- C:\Windows\System32\nvwdmcpl.dll
     [2009/03/27 04:03:00 | 001,503,232 | ---- | C] () -- C:\Windows\System32\nview.dll
     [2009/03/27 04:03:00 | 001,101,824 | ---- | C] () -- C:\Windows\System32\nvwimg.dll
     [2009/03/27 04:03:00 | 000,466,944 | ---- | C] () -- C:\Windows\System32\nvshell.dll
     [2009/03/05 18:39:03 | 000,059,392 | R--- | C] () -- C:\Windows\System32\streamhlp.dll
     [2009/02/16 18:45:00 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
     [2009/02/16 18:45:00 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
     [2009/02/16 18:45:00 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
     [2009/02/16 18:45:00 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
     [2009/02/15 08:38:21 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
     [2009/02/08 18:33:51 | 000,000,043 | ---- | C] () -- C:\Windows\ESReg.ini
     [2009/01/14 09:40:43 | 000,001,295 | ---- | C] () -- C:\Windows\TVEpaDrv.ini
     [2009/01/13 20:18:01 | 000,025,600 | ---- | C] () -- C:\Windows\System32\mss.dll.vir
     [2008/12/31 20:22:24 | 000,139,264 | ---- | C] () -- C:\Windows\System32\IDEproperty.dll
     [2008/12/14 16:22:20 | 000,000,335 | ---- | C] () -- C:\Windows\IfoEdit.INI
     [2008/12/09 12:51:20 | 000,000,067 | ---- | C] () -- C:\Windows\321 Video Converter.INI
     [2008/11/24 18:28:52 | 000,000,031 | ---- | C] () -- C:\Windows\System32\Days5.ini
     [2008/09/08 14:59:06 | 000,000,602 | ---- | C] () -- C:\Windows\MusicEditor.INI
     [2008/09/03 05:05:18 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
     [2008/07/30 17:15:06 | 000,000,045 | ---- | C] () -- C:\Windows\System32\RPVersion.ini
     [2008/06/05 09:26:22 | 000,000,000 | ---- | C] () -- C:\Windows\CleaningLab.INI
     [2008/06/05 09:24:17 | 000,019,968 | ---- | C] () -- C:\Windows\System32\cpuinf32.dll
     [2008/06/05 09:20:39 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
     [2008/05/14 09:36:04 | 000,000,454 | ---- | C] () -- C:\Windows\cdplayer.ini
     [2008/05/02 07:43:50 | 000,000,000 | ---- | C] () -- C:\Windows\AoADVDRipper.INI
     [2008/05/02 07:41:34 | 000,135,168 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
     [2008/05/02 04:57:01 | 000,408,576 | ---- | C] () -- C:\Windows\System32\Smab.dll
     [2008/05/02 04:56:59 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll
     [2008/05/01 15:52:23 | 000,761,856 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
     [2008/05/01 15:52:22 | 000,383,238 | ---- | C] () -- C:\Windows\System32\libmp3lame-0.dll
     [2008/04/28 17:24:27 | 000,147,456 | ---- | C] () -- C:\Windows\System32\VegaShEx.dll
     [2008/04/28 17:24:16 | 000,091,136 | ---- | C] () -- C:\Windows\System32\Lfkodak.dll
     [2008/04/28 17:24:14 | 000,308,224 | ---- | C] () -- C:\Windows\System32\Lffpx7.dll
     [2008/04/12 13:34:41 | 000,066,048 | ---- | C] () -- C:\Windows\System32\cygz.dll
     [2008/01/29 17:00:33 | 000,048,640 | ---- | C] () -- C:\Windows\grwprocs.dll
     [2008/01/29 17:00:33 | 000,000,838 | ---- | C] () -- C:\Windows\Club_Spaced settings.ini
     [2007/11/06 18:37:47 | 000,000,283 | ---- | C] () -- C:\Windows\MusicMaker.INI
     [2007/11/06 18:25:29 | 000,049,152 | ---- | C] () -- C:\Windows\System32\mgxasio2.dll
     [2007/11/05 16:55:39 | 000,000,050 | ---- | C] () -- C:\Windows\MegaManager.INI
     [2007/11/04 05:35:53 | 000,000,067 | ---- | C] () -- C:\Windows\Easy Video to DVD.INI
     [2007/10/17 18:09:47 | 000,040,960 | --S- | C] () -- C:\Windows\System32\ProcessKiller.dll
     [2007/10/15 15:47:35 | 000,796,048 | ---- | C] () -- C:\Windows\System32\libeay32_0.9.6l.dll
     [2007/08/24 14:46:47 | 000,000,659 | ---- | C] () -- C:\Windows\AudStu.INI
     [2007/08/24 14:31:06 | 000,038,912 | ---- | C] () -- C:\Windows\System32\mgxasio.dll
     [2007/06/12 18:53:58 | 001,277,952 | ---- | C] () -- C:\Windows\System32\libfishsound.dll
     [2007/03/18 08:10:06 | 000,000,177 | ---- | C] () -- C:\Windows\disney.ini
     [2007/01/31 14:43:07 | 000,030,688 | ---- | C] () -- C:\Windows\Irremote.ini
     [2007/01/31 14:42:14 | 000,065,536 | ---- | C] () -- C:\Windows\System32\dmcrypto.dll
     [2007/01/31 14:41:39 | 000,159,744 | ---- | C] () -- C:\Windows\System32\hcwChDB.dll
     [2007/01/31 14:40:27 | 000,006,236 | ---- | C] () -- C:\Windows\HCWPNP.INI
     [2007/01/09 12:03:54 | 000,000,247 | ---- | C] () -- C:\Windows\ODBC.INI
     [2006/12/07 16:12:40 | 000,077,824 | R--- | C] () -- C:\Windows\System32\HPZIDS01.dll
     [2006/11/18 19:26:28 | 000,000,029 | ---- | C] () -- C:\Windows\AlphaPlayer.INI
     [2006/10/25 08:19:24 | 000,440,320 | ---- | C] () -- C:\Windows\System32\x264vfw.dll
     [2006/10/15 13:00:44 | 000,000,067 | ---- | C] () -- C:\Windows\#1 DVD Ripper.INI
     [2006/08/27 15:36:07 | 000,000,002 | ---- | C] () -- C:\Windows\msoffice.ini
     [2006/05/31 17:58:15 | 000,000,279 | ---- | C] () -- C:\Windows\technomaker.INI
     [2006/05/31 16:58:46 | 000,000,343 | ---- | C] () -- C:\Windows\BeatBox.INI
     [2006/05/31 16:29:23 | 000,006,360 | ---- | C] () -- C:\Windows\mgxoschk.ini
     [2006/05/25 16:20:02 | 000,069,632 | ---- | C] () -- C:\Windows\System32\xmltok.dll
     [2006/05/25 16:20:02 | 000,036,864 | ---- | C] () -- C:\Windows\System32\xmlparse.dll
     [2006/05/20 13:20:52 | 000,286,720 | ---- | C] () -- C:\Windows\System32\WSBar.dll
     [2006/05/14 08:04:17 | 000,000,169 | ---- | C] () -- C:\Windows\RtlRack.ini
     [2006/05/13 15:29:13 | 000,000,082 | ---- | C] () -- C:\Windows\mafosav.INI
     [2006/05/07 14:26:58 | 000,154,112 | ---- | C] () -- C:\Windows\System32\dxr.dll
     [2006/05/07 14:24:54 | 000,099,840 | ---- | C] () -- C:\Windows\System32\mkx.dll
     [2006/05/07 14:24:42 | 000,051,200 | ---- | C] () -- C:\Windows\System32\avi.dll
     [2006/05/07 14:24:30 | 000,061,440 | ---- | C] () -- C:\Windows\System32\mmfinfo.dll
     [2006/05/07 14:24:16 | 000,065,536 | ---- | C] () -- C:\Windows\System32\mp4.dll
     [2006/05/07 14:24:04 | 000,057,856 | ---- | C] () -- C:\Windows\System32\ogm.dll
     [2006/05/07 14:23:46 | 000,045,568 | ---- | C] () -- C:\Windows\System32\mkzlib.dll
     [2006/05/07 14:23:42 | 000,023,552 | ---- | C] () -- C:\Windows\System32\mkunicode.dll
     [2006/05/03 10:30:07 | 000,000,030 | ---- | C] () -- C:\Windows\Iedit.INI
     [2006/04/24 14:32:41 | 000,000,026 | ---- | C] () -- C:\Windows\NeoSetup.INI
     [2006/04/23 10:50:52 | 000,006,812 | R--- | C] () -- C:\Windows\System32\lvcoinst.ini
     [2006/04/23 09:49:40 | 000,104,593 | ---- | C] () -- C:\Windows\System32\drivers\MPIXVID.SYS
     [2006/04/23 08:35:35 | 000,065,536 | ---- | C] () -- C:\Windows\System32\YCRWin32.dll
     [2006/04/11 09:26:38 | 000,077,696 | ---- | C] () -- C:\Windows\System32\drivers\WudfPf.sys
     [2005/11/29 16:17:16 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
     [2005/11/29 16:14:42 | 002,255,360 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
     [2005/11/29 16:11:30 | 000,395,776 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
     [2005/11/29 16:10:46 | 000,217,088 | ---- | C] () -- C:\Windows\System32\ff_kernelDeint.dll
     [2005/11/29 16:10:10 | 000,112,640 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
     [2005/11/29 16:10:06 | 000,512,000 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
     [2005/11/29 16:09:54 | 000,143,360 | ---- | C] () -- C:\Windows\System32\ff_realaac.dll
     [2005/11/29 16:09:50 | 000,262,144 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
     [2005/11/29 16:09:30 | 000,036,864 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
     [2005/11/29 16:09:24 | 000,056,320 | ---- | C] () -- C:\Windows\System32\ff_unrar.dll
     [2005/11/29 16:09:14 | 000,200,704 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
     [2005/11/29 16:09:06 | 000,131,072 | ---- | C] () -- C:\Windows\System32\ff_samplerate.dll
     [2005/11/29 16:09:04 | 000,155,648 | ---- | C] () -- C:\Windows\System32\ff_libmad.dll
     [2005/11/29 16:09:00 | 000,167,936 | ---- | C] () -- C:\Windows\System32\ff_libdts.dll
     [2005/11/29 16:09:00 | 000,053,248 | ---- | C] () -- C:\Windows\System32\ff_liba52.dll
     [2005/11/26 01:19:18 | 000,000,061 | ---- | C] () -- C:\Windows\smscfg.ini
     [2005/11/26 01:02:11 | 000,000,514 | ---- | C] () -- C:\Windows\System32\SETUPPC.INI
     [2005/11/26 00:56:10 | 000,007,584 | ---- | C] () -- C:\Windows\HDReg.ini
     [2005/11/26 00:48:21 | 000,000,000 | ---- | C] () -- C:\Windows\System32\VGAunistlog.ini
     [2005/11/26 00:47:59 | 000,147,456 | ---- | C] () -- C:\Windows\System32\RtlCPAPI.dll
     [2005/11/26 00:44:52 | 000,003,072 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll
     [2005/11/26 00:37:17 | 000,475,136 | ---- | C] () -- C:\Windows\System32\SLLights.dll
     [2005/11/26 00:37:17 | 000,155,648 | ---- | C] () -- C:\Windows\System32\amr_cpl.dll
     [2005/11/26 00:37:17 | 000,135,168 | ---- | C] () -- C:\Windows\System32\SLMOHServ.dll
     [2005/11/05 09:31:14 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
     [2005/10/21 11:28:56 | 000,005,968 | ---- | C] () -- C:\Windows\System32\OEMINFO.INI
     [2005/08/05 10:01:54 | 000,235,008 | ---- | C] () -- C:\Windows\System32\psisdecd.dll
     [2005/02/02 21:50:28 | 000,004,224 | ---- | C] () -- C:\Windows\System32\StarOpen.sys
     [2004/09/10 11:50:43 | 000,000,831 | ---- | C] () -- C:\Windows\orun32.ini
     [2004/09/10 10:57:18 | 000,210,816 | ---- | C] () -- C:\Windows\System32\drivers\ndis.sys
     [2004/08/04 05:30:08 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
     [2003/07/02 14:05:46 | 000,188,416 | ---- | C] () -- C:\Windows\System32\slextspk.dll
     [2003/07/02 14:04:32 | 000,049,152 | ---- | C] () -- C:\Windows\System32\coinst.dll
     [2003/07/02 13:35:48 | 000,159,744 | ---- | C] () -- C:\Windows\System32\SLGen.dll
     [2003/01/25 07:52:14 | 000,131,072 | ---- | C] () -- C:\Windows\System32\libFLAC.dll
     [2002/03/16 20:00:00 | 000,007,420 | ---- | C] () -- C:\Windows\UA000071.DLL
     [2001/07/06 23:00:00 | 000,003,399 | ---- | C] () -- C:\Windows\System32\hptcpmon.ini
     [1999/01/27 08:39:06 | 000,065,024 | ---- | C] () -- C:\Windows\System32\indounin.dll
     [1997/06/13 02:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\System32\Iyvu9_32.dll
     [1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys
     [1979/12/31 20:00:00 | 000,135,168 | ---- | C] () -- C:\Windows\System32\property.dll

     ========== LOP Check ==========

     ========== Purity Check ==========

     ========== Alternate Data Streams ==========

     @Alternate Data Stream - 72 bytes -> C:\WINDOWS:400C42D50A6EA64F

     < End of report >

     By the way, those new files called 't w a t', 't w a t2' (excuse the bad language, but it may be important!) etc. were part of the virus ones that I renamed when I was trying to remove them. Hope you can help from all this info.

     Many thanks,
     Jay
  11. Right, so I'm guessing this is the first step before you know what help to give? I'll try this in the morning and post the results. Thank you for now, Tom :)
  12. Hi,

     This morning my PC got infected with the rather nasty 'Essential Security 2010' fake anti-virus trojan. Having had some experience of removing things like this, I started to do what was needed. At the point when I had to make the registry changes, I discovered I wasn't able to open 'Regedit' as the virus was blocking it. Then, for a number of reasons, I had to re-boot the PC. This was when I discovered that I am now no longer able to log into Windows. It just logs me out immediately, looping over and over. I'm aware that the virus can make changes to userinit.exe etc., so I'm guessing it's something to do with that. I've searched various forums and tried many, many different things but nothing has worked yet. Can anyone PLEASE help me get back into Windows?? I run my business at home and I have to get this working again!

     Just to be clear, these are things I've tried or can't do:
     - I can't get in as another user.
     - I can't get in in Safe Mode.
     - The c:\windows\system32 "copy userinit.exe to wsaupdater.exe" trick I've seen (using Recovery Console) did not work.
     - Copying a fresh copy of winlogon.exe from the updates folder did not work.
     - I don't have the original install disc or boot disc, because my XP was a pre-installed copy already on the PC when bought from the store. (So I'm stuck with those boot disc options which allow you to remotely edit the registry.)
     - I don't have remote access to the PC either.

     There must be a way into Windows, but everything I've tried doesn't work! Any help would be much appreciated.

     Jay
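The three symptoms this thread describes map to three specific settings: the immediate log-off loop comes from Winlogon's Shell and UserInit values being removed (the OTL scan reports both as "Registry key not found"), no .exe or .com running comes from the .exe/.com file-association keys being broken (the O37 lines), and online scanners being unreachable comes from a HOSTS file that points virustotal, virscan, jotti and novirusthanks at 127.0.0.1 (the O1 lines). The checker below is an added example, not code from the thread or from OTL: it compares observed values against the 32-bit Windows XP defaults (assumed install in C:\WINDOWS), flags loopback HOSTS entries for a constructed list of scanner domains, and ships a constructed sample in the shape of the infected state from the scan log so it runs offline. read_live_values is a hypothetical helper for running the same comparison on the patient machine via winreg; nothing in the block writes to the registry.

```python
"""Offline checker for the Winlogon, file-association and HOSTS hijacks seen in
the OTL logs of this thread. Added example, not code from the thread or OTL."""

# Known-good defaults for 32-bit Windows XP installed in C:\WINDOWS (assumption).
# Labels are short names used by this script, not real registry paths.
EXPECTED = {
    "winlogon_shell": "Explorer.exe",
    "winlogon_userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "exe_assoc": "exefile",
    "com_assoc": "comfile",
    "exefile_open": '"%1" %*',
    "comfile_open": '"%1" %*',
}
# Where each label lives under HKLM: (subkey, value name; "" is the default value).
REG_PATHS = {
    "winlogon_shell": (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    "winlogon_userinit": (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    "exe_assoc": (r"SOFTWARE\Classes\.exe", ""),
    "com_assoc": (r"SOFTWARE\Classes\.com", ""),
    "exefile_open": (r"SOFTWARE\Classes\exefile\shell\open\command", ""),
    "comfile_open": (r"SOFTWARE\Classes\comfile\shell\open\command", ""),
}
# Online scanners / AV vendors that rogue AV commonly blackholes. Constructed list.
SCANNER_DOMAINS = ("virustotal", "virscan", "jotti", "novirusthanks", "malwarebytes", "kaspersky")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def check_registry(observed):
    """observed: label -> value string, or None when the key/value is absent.
    Returns [(label, observed, expected)]. A missing Shell or Userinit is a
    finding in its own right: Winlogon then has nothing to launch after
    authentication, which is the immediate log-off loop in the first post."""
    findings = []
    for label, want in EXPECTED.items():
        got = observed.get(label)
        if got is None or got.strip().lower() != want.lower():
            findings.append((label, got, want))
    return findings


def suspicious_hosts_entries(hosts_text):
    """Return HOSTS lines that map a scanner/AV hostname to loopback or 0.0.0.0."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        if any(d in name.lower() for name in parts[1:] for d in SCANNER_DOMAINS):
            hits.append(line)
    return hits


def read_live_values():
    """Hypothetical helper: read the same values from the live registry on the
    patient machine (Windows only; winreg is imported lazily for that reason).
    Missing keys come back as None so check_registry reports them."""
    import winreg
    out = {}
    for label, (path, name) in REG_PATHS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                out[label] = str(winreg.QueryValueEx(key, name)[0])
        except OSError:
            out[label] = None
    return out


# Constructed sample in the shape of the infected state the OTL scan reports:
# Winlogon Shell/UserInit absent, .exe/.com keys erroring, scanners blackholed.
INFECTED_REGISTRY = {label: None for label in EXPECTED}
INFECTED_HOSTS = """\
# constructed sample, not the actual hosts file from the machine
127.0.0.1 localhost
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 virscan.com
127.0.0.1 virusscan.jotti.org
127.0.0.1 scanner.novirusthanks.org
"""

if __name__ == "__main__":
    for label, got, want in check_registry(INFECTED_REGISTRY):
        print(f"REG   {label}: observed {got!r}, expected {want!r}")
    for line in suspicious_hosts_entries(INFECTED_HOSTS):
        print(f"HOSTS {line}")
```

Run as-is it reports all six registry labels and the five blackholed scanner lines from the constructed sample; the `127.0.0.1 localhost` line is left alone because it names no scanner. On a live box, `check_registry(read_live_values())` gives the same report for the real values. Deleting Shell and UserInit (as the OTLPE fix log above did) is only half the repair: the values then have to be put back to the defaults in EXPECTED, or the log-off loop persists.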