Winlogon.exe

Okay those are good!

Now download and extract all files from the newest FixAutex.zip.

Double click on the fixautex2.reg patch. Did it add it okay???

If it adds in successfully, get a new log from FixAutex.bat and attach it.
Any change to status?

 

Darn it! Working on too many things at the same time. It's in the previous message now! Sorry about that.

 

Can you do the below or is this blocked due to your problem? If you cannot do it, I will added to the FixAutex.zip file collection.

Now Copy the bold text below to notepad. Save it as EXEfix.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

 

Okay here are our alternatives!

• reboot and see what happens! I'm not sure what will happen since you say you cannot run anything.
• run Erunt and restore the registry to what it was before we started making changes. This will not put back the files that we deleted related to the malware but we don't want them anyway. However it is possible that by restoring the registry that the items added back in can phone home to the malware source and get them added back in again. Also since these registry keys being restored will point to malware files that no longer exist, there could still be problems with getting things running properly.
• slowly and selective do manual restore of individual registry keys back to what they were in your very first log from running the first version of FixAutex.bat. Based on what is in that original file I should be able to restore the keys back to what they were but in a slower selective fashion. I'm not sure that this will fix anything either. We always have a quick way to repair (remove the malware) registry keys by quickly running the fixautex2.reg patch.

Do you have a preference?

 

I have a question though! Can you now run EXE files by clicking on them? This did not work before ...is that correct? Does it work now?

What time is it in Finland? About 7am?

 

We can give it a go and see where it takes us!

No! We are 7 hours behind you. It is currently 1:08 am!

 

How are you able to double click on .reg files? Do you have a Windows Explorer session open? How did you get it to run?

 

Let's try something! When you ran Erunt it should have created a backup folder. I'm not sure what or where you saved it. I think a default may be something like:

C:\Windows\ERDNT\ and then it inserts the date.

Can you locate the folder with the backups?

 

If you click on ERDNT.exe, do you get the same message as for other programs?

What happens if you double click on the icon for it on your Desktop?

 

Do you see a file named ERDNT.INF ? If so right click on it and select install! Did this run?

 

This is strange! We have not changed anything in a number of messages.

 

Can you right click Start and locate My Computer and right click on it and select Properties? Does this open up the System Properties window?

If you do not have My Computer showing in the Start Menu, is it on your Desktop where you can right click on it?

 

Also tell me if you are able to do the below:

Now Download the Registry Search Tool

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection in your antuvirus program, please allow this to run)

In the dialog that opens enter the following:

finder.com

Press 'OK'

The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.

If the above worked, repeat the above for each of the below
explorer.com
ExERoute.exe
dxdiag.com
iexplore.com
msconfig.com
rundll32.com
regedit.com

 

It may not be finding anything! Try searching for majorgeeks just as a test. There should be entries for this.

Are you sure about the numbers! Explorer will use a lot more then 20 or 30 K. It will use typically in the 20,000 K to 30,000 K range which is really 20 M to 30 M.
Do you guys use periods where we (in the US) use commas to separate thousands? So when you said 9.240K perhaps you meant 9,240 K (in my language) or in reality 9.240 M.

 

I'm not sure why but it could be just due to the fact that many things are not running right now.

Download the attached Command.zip file and extract the contents (which is command.pif ) into the C:\windows\system32 folder.

Any change to status?

 

It is strange that you cannot run things like EXEs but you can run .bat files. Also the EXE files can be run from inside the .bat files. We are doing that with FixAutex.bat
In fact download the current attached FixAutex.zip and extract ALL files into the same location as in the past and run the new version of fixautex.bat and attach a new log.

Also run ShowNew and GetRunKey and attach new logs!

 

Do you mean you just want to open a command prompt?

What programs are you going to try to run from a command prompt? You will need to access them via the full path or you will have to change to their directories. Also we don't know (at least not yet) if you can run anything like an EXE from the command prompt.

What are the below newly installed programs that I see!

Code:

"C:\Program Files\"
@LASTS~1      25 Nov 2006              "@Last Software"
AMBIEN~1      25 Nov 2006              "Ambient Design"

And what are the below too!

Code:

"C:\Documents and Settings\Mariana Ara£jo\Local Settings\Temp\"
kcao7lca.zip  25 Nov 2006        2481  "kcao7lca.zip"
xqxmuiyt.zip  25 Nov 2006        2481  "xqxmuiyt.zip"

 

I would empty that folder or at a minimum delete those files.

What about my question about what you need to do from a command prompt? But anyway since, I modified fixautex.bat again, I also added a file named OpenCP.bat and put it in the ZIP. Download and extract ALL. Then run OpenCP.bat But the question is can you do what you want from this command prompt.

 

You never answered whether you tried running Erunt from the Desktop icon! That's assuming you allowed it to add a Desktop icon.

 

It is attached in message # 86. Just extract all files and run the OpenCP.bat file. This will open a command prompt window.

Yes you can run a new FixAutex.bat and attach the log so I can see the results of what I added. There was another registry key that was infected so I added detection of it.

 

You will need to tell me the full path to the Autocad 2007 process (exe file) that you want to run and I could put it in a .bat to see if it will work.

Pretty soon! I'm just about ready to crash.

I would really like to reboot your PC but I'm afraid to do that since you need to get some work done and who knows what will happen after boot. It may work perfectly or you may not even be able to get back to where we are right now. We could added a few commands to your autoexec.bat file which runs at startup. We could have it automatically open an IE session and maybe a couple other things. But with what is going on, I don't know if it will get that far. I can still restore the registry keys back to what they were before we started and we can also restore many of the files from the infection because they are backed up in the !Killbox folder. I'm not sure if that would be better or worse and I'm not sure if it will solve the problem with not being able to run things.

 

Run this registry patch if you can. LNK (Shortcut) File Association Fix

Does it make it so you can click on the shortcut for Erunt on your Desktop and get it to run?

 

From your command prompt window (did it open when you ran OpenCP.bat), type in C:\Program Files\AutoCAD 2007\acad.exe

What happens?

 

I don't know if your PC will boot okay! It may work fine or you may have problems getting things to run. Do you want to try it right now? Do you have any other way to get back on line if you run into problems?

DO YOU HAVE A C:\Autoexec.bat file ? If so can you put it into a Zip and attach it here?

Download the attached newest FixAutex.zip and extract ALL files.

I added a RunAcad.bat see if it calls Autocad 2007 for you.

I also added Reinfect.bat which will attempt reinfection. It will restore the bad files from C:\!Killbox and it will restore the registry keys by automatically merging in the reinfect.reg patch. DO you want to do this?????

I don't know what will happen

 

It's empty! Extract the attached one to your c:\ folder

I have it open AutoCad, Internet Explorer and Windows Explorer sessions when it is run. These should all open when you boot up. I'm assuming this would hopefully get you to a condition like you are in right now as long as nothing else goes wrong!

Do you want to try it right now before I go to sleep? Or would you prefer to keep the PC running as is so you can access AutoCad?

Did you try the RunAcad.bat file? Did it work?