Winlogon.exe, explorer.exe and more

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by plmcomputerservices, May 14, 2009.

  1. plmcomputerservices

    plmcomputerservices Private E-2

    Alright. I have a couple different problems popping up on this laptop of a friend.

    On boot and even after closing out, I get something that says it's from McAfee even though McAfee isn't installed on the computer.

    McAfee Virus Scan
    McAfee ActiveShield has found a suspect file on your computer.

    McAfee strongly recommends that you scan your computer now.


    Also, AVG Resident Shield alert pops up with

    winlogon.exe Trojan horse Win32/PEPatch.AO -object is whitelisted
    explorer.exe Trojan horse Win32/PEPatch.AO -object is whitelisted

    I've already removed over 400 objects with Malwarebytes and over 600 objects with Spybot, and now it's just these last few problems that I need to push through, and I can't find a legit fix anywhere.

    Btw,
    SuperAntiSpyware doesn't run on reboot, and neither would Malwarebytes; the computer would just sit there. explorer.exe wouldn't load, and I couldn't run it by hitting Ctrl+Alt+Delete and then Run > explorer.exe like I can on other machines. I have to reboot again to load Windows.

    I'm assuming that it's all because of the threats AVG finds.

    Attached are my MGtools log in zip format.
     
  2. plmcomputerservices

    plmcomputerservices Private E-2

    I don't think they got uploaded on that last post. Here we go.
     

  3. plmcomputerservices

    plmcomputerservices Private E-2

    Does anyone have any idea on how to fix this issue or does it normally take longer to get an answer in this forum?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Could you please attach the log from running it then, as requested in the R&R?

    Can I also have the log from running SAS? :)

    I also need to see the log from running Combofix.


    You shouldn't bump... your thread would have been dealt with slightly quicker had you not added an extra unnecessary post like you did. Please see the below for what I'm talking about:

    Don't Bump! It Only Hurts You!!!

    So I shall take a look through your MGlogs.zip, but I would also like to see the other logs mentioned above too.

    Thanks
    Kestrel13!
     
  5. plmcomputerservices

    plmcomputerservices Private E-2

    I've attached the logs. The log titled "log.txt" is my combofix log. The other two zip folders contain four logs each of the four scans I ran.
     

  6. plmcomputerservices

    plmcomputerservices Private E-2

    Latest ComboFix log posted. I ran this one since I think the first one I posted was ran before some of the other scans.
     

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    McAfee most certainly is installed on this laptop. I can see it in your uninstall list from the newfiles.log.

    1. If you wish to get rid of McAfee then you will need to run this removal tool.

    Please download the McAfee Consumer Product Removal Tool

    Run this > Reboot your machine > and Run it again to get rid of remnants of McAfee.

    2. Please go to Add/Remove Programs and uninstall the following software:

    • J2SE Runtime Environment 5.0 Update 4
    • Freeze.com Toolbar
    • Viewpoint Media Player <--- as requested in step 1 of the R&R

    3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT


    4. Now we need to use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    c:\windows\system32\vfq.dll 
    C:\WINDOWS\dirsaver.ini
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "pPjgipitQcp"=-
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    5. Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\Documents and Settings\Leanna PLatt\Local Settings\Temp


    6. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6


    7. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix

    8. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    After reviewing your logs closer, your logs show that your Windows operating system files have become infected and there is no known reliable fix for this. In addition there are many, many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work, because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately, or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see, since there could be many more that we are not seeing.

    The safest thing for you to do is back up your personal data immediately, since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded, since any of them could be infected.

    Once you backup, you need to perform a total reinstall of Windows and all other necessary software. DO NOT reinstall from any executable files you backed up because they are most likely infected.
     
  9. plmcomputerservices

    plmcomputerservices Private E-2

    Hey Guys,

    I cleaned everything off with SuperAntiSpyware, HijackThis, Malwarebytes, AVG, and a regular ol' Windows SP2 disc. The spyware/antivirus programs shotgunned everything they found that you saw in the logs, by shutting off System Restore and running the scans in both safe mode and normal mode. Winlogon.exe, Explorer.exe, Lsass.exe, and the other .exe files were seen by AVG and replaced by the Windows SP2 disc by booting Windows with the disc in and then running sfc.exe (Start > Run, then type SFC /SCANNOW in the box and click OK, http://freeforum.avg.com/read.php?4,182182,182625). Everything is back to running great now.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest that you run a full system scan with your antivirus program and also I suggest that you attach a new log from MGtools. Quite frequently this infection will look like it is fixed and not be. It could come back in a short time frame unless ALL infected files were found and replaced. Depending on how far the infection had spread, you may have been lucky or it may just look like it. These infections also can infect the sfc program itself or just hook into it to make it not work properly and thus can wreak havoc on a PC.
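An added example, not part of the thread: the kind of check chaslang's warning calls for once sfc has supposedly replaced the patched binaries. It compares the system files that PE-patching infectors target (the ones AVG flagged plus the usual extras) against known-good copies and reports their Authenticode status. The paths `$SystemRoot` and `$ReferenceDir` are placeholders you must set yourself; the reference copies are assumed to come from trusted install media or a clean machine at the same service-pack and patch level, with the original file names kept. Because an infected sfc.exe or a hooked API on the live system can misreport its own files, the script is meant to be pointed at the suspect drive mounted from a clean machine or WinPE, not only run live.

```powershell
# Added example (not from the thread). Spot-checks Windows system binaries that
# PE file infectors patch, against clean reference copies.
#
# Assumptions (hypothetical, adjust for your case):
#   $SystemRoot   - the suspect Windows directory, live or an offline mount
#   $ReferenceDir - a folder holding clean copies of the same files (same names),
#                   taken from trusted install media or a known-clean machine at
#                   the same service-pack/patch level
param(
    [string]$SystemRoot   = $env:SystemRoot,
    [string]$ReferenceDir = "D:\clean-system32"
)

# Relative paths of the binaries named in the thread plus common extra targets.
$Targets = @(
    "explorer.exe",
    "system32\winlogon.exe",
    "system32\lsass.exe",
    "system32\sfc.exe",
    "system32\svchost.exe",
    "system32\userinit.exe"
)

function Get-Sha256Hex {
    # Uses .NET directly so it also works on PowerShell 2.0 (XP/2003 era);
    # Get-FileHash only exists from PowerShell 4.0 on.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-SystemBinaries {
    param([string]$Root, [string]$Reference, [string[]]$Files)
    foreach ($rel in $Files) {
        $live = Join-Path $Root $rel
        $ref  = Join-Path $Reference (Split-Path $rel -Leaf)
        if (-not (Test-Path $live)) { continue }

        # Authenticode check. Caveat: on XP/2003 most system files are signed
        # only through catalogs and can show up here as NotSigned, so on those
        # systems the hash comparison below is the decisive test.
        $sig = Get-AuthenticodeSignature -FilePath $live

        $liveHash = Get-Sha256Hex $live
        $refHash  = if (Test-Path $ref) { Get-Sha256Hex $ref } else { $null }

        New-Object PSObject -Property @{
            File       = $rel
            Size       = (Get-Item $live).Length
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            MatchesRef = if ($refHash) { $liveHash -eq $refHash } else { 'no reference' }
            Sha256     = $liveHash
        }
    }
}

Test-SystemBinaries -Root $SystemRoot -Reference $ReferenceDir -Files $Targets |
    Format-Table File, Size, Signature, MatchesRef -AutoSize
```

Any row with MatchesRef False, or with a size that differs from the reference copy, is a file sfc did not actually restore, which is the "looks fixed but isn't" case described above. A mismatch on sfc.exe itself means the repair tool cannot be trusted either, and the reinstall advice in post 8 applies.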
     