"Disk Doctor"

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

 

Complete the below in NORMAL mode not safe mode.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"saElAiSHfe.exe"=-

:files
C:\Users\Casey Jennings\Local Settings\TEMP\11871520.exe
C:\Users\Casey Jennings\Local Settings\TEMP\11871520
C:\Users\Casey Jennings\Local Settings\TEMP\11871520.bmp
C:\Users\Casey Jennings\Local Settings\TEMP\AgYYEJqpXv.dll
C:\Users\Casey Jennings\Local Settings\TEMP\dfrg
C:\Users\Casey Jennings\Local Settings\TEMP\dfrgr
C:\Users\Casey Jennings\Local Settings\TEMP\Low
C:\Users\Casey Jennings\Local Settings\TEMP\saElAiSHfe.exe
C:\Users\Casey Jennings\Local Settings\TEMP\tmp24D2.tmp.exe

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Tell me how things are running now.

 

Seems we are not entirely out of the woods yet. Let's continue.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"11871520"=-

:files
C:\Users\CASEYJ~1\AppData\Local\Temp\11871520.exe

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Is the desktop back to normal after using this below reg patch?

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

 

Delete file/folder
Press Start->Run, copy/paste the following command into the box and press OK:

A blank command window will open on your desktop, then close in a minute or two. This is normal.
A file called look.txt should appear on your Desktop. Please post the contents of this file.

Do they appear in safe mode?

Run this and attach the results.

Using ESET's Online Scanner

 

Do you have your Windows 7 CD? I am thinking that your explorer.exe file may be corrupted and might need replacing.

 

EDITED!!! Follow the below

First open an elevated command prompt like so:
Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

Highlight and Copy the contents of the code box below, then right click inside the command window and select Paste.

press <Enter>
type exit to close the command window.

Next.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  explorer.exe.*

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt[/QUOTE]

 

I edited my above post.

 

We need to replace a file using the Windows 7 System Recovery Option.
Please follow these instructions carefully then give me an update on the redirects.

Restart your computer and begin tapping the F8 key to enable the Advanced Start menu > select Repair your computer
At the System Recovery options screen select Command prompt .

Type the following at the first prompt and hit Enter.

Then type the following and hit Enter

You should receive a message that "1 file" has been copied.

Finally type exit > hit Enter > click Restart at the main screen, and restart the pc normally.

Next...

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

How are things running now?

 

Try posting in the software forum about this then. It does not appear to be malware related.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Hey you are most welcome!

*Slaps head*!!! I feel awful too! I guess I was thinking too far out the box. I'm sorry that we went through uneccesary procedures to replace that file. But I am very glad you are rid of DiskDr