Logs Posted

Please go here and download and run the AVG Removal Tool.

Then run ComboFix and attach that log to your next reply.

 

Do you have your windows cd? We may need it to replace your infected explorer.exe.

Let's do this first:

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Windows\System32\^-'pctlsp.log
C:\Windows\System32\(O.pctlsp.log
C:\Windows\System32\Er6pctlsp.log
C:\Windows\System32\d,Lwpctlsp.log
C:\Windows\System32\I®§špctlsp.log
C:\Windows\System32\R™lSpctlsp.log
C:\Windows\System32\R™lSŽ¡pctlsp.log
C:\Windows\System32\R™lSO•ªpctlsp.log
C:\Windows\System32\R™lS…Œ«pctlsp.log
C:\Windows\System32\AUyv˜˜pctlsp.log
C:\Windows\System32\XN?pctlsp.log
C:\Windows\System32\X•Opctlsp.log
C:\Windows\System32\ú6pctlsp.log
C:\Windows\System32\¡;pctlsp.log
C:\Users\Chris\AppData\Local\Bxeqehihevurij.dat
C:\Users\Chris\AppData\Local\Ovigevoyox.bin

Folder::
C:\Users\Chris\AppData\Roaming\PC Tools
C:\ProgramData\PC Tools
C:\Program Files\PC Tools Security

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  
  • Done! Press ENTER to exit...
  
  
• Or you will see more information like below if a problem is found:
  
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
  
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* MBRCheck log
* C:\ComboFix.txt
* C:\MGlogs.zip

 

Re-run Combo and get me the new log. Also, you did not run MBRCheck. I would like to see that log as well since you did have a TDL infection.

 

Control + Alt + Del to open task manager then type in explorer to start the process. That should get your desktop back. I thought you said that:

What happens if you try starting in safe mode?

 

Ok., so Combo reports that it found and fixed both explorer.exe as well as the Wininit.exe. So where do we stand? Do you have your desktop back? Your MBR is fine. Tell me what is happening now. And if you still have a blank screen, how did you run COmbo?

 

Since you do not have your Vista disc, we will try having you make a boot disc where you should be able to do a system restore:

 

Is there anyone from whom you can borrow a Vista disc? It needs to be the same version as what you have. Friends, neighbors or family?

If you can, we need to do this:

We need you to boot into the bios and change your boot order to CD drive as the first boot device. Insert the disc and reboot. Then enter the Recovery Environment. Once there you would type this:
Once you are back to the C:\Windows> prompt of the Recovery Console, input the below commands one at a time each followed by the enter key. Read the notes further down which comment on these commands.
copy D:\i386\explorer.ex_ explorer.exe
cd system32
copy D:\i386\winlogon.ex_ winlogon.exe
exit

NOTES:

* the first command should cause the prompt to change to C:\windows\system32>
* the second command should copy the compressed winlogon.ex_ file ( yes the underscore is the correct file name ) from the i386 folder of your CD into the system32 folder and rename it to winlogon.exe, the file will automatically be uncompressed. Notice the space after the copy and after the ex_
* the third command should reboot your PC. Remove the CD and see if Windows will boot.

 

Without being able to get your desktop to run, we have no way that I can think of to copy those files. Let's me consult with Chaslang as to how we might make this work. Hang in there for a while.

 

Question: Did you Mother-in-law make a restore cd? That's one of the first things that should have been done. Since they are the exact same make and models, you should be able to use it to restore your computer. It will of course remove anything you have done to personalize yours.

 

My thinking is that if she creates the restore disc ( actually a recovery disc ) it will have everything on it at the time she/you make it. And yes, you would need to backup all your email and personal files including pictures, etc. Programs that you have that she doesn't will be lost. It will recover your system to an image of her system.

But without an OS cd, I can't think of any other way to fix yours!

 

Next question: Can you boot into safe mode with Command prompt?

 

Good to know you are back up and running!!

You should read this if you haven't already:
How to Protect yourself from malware!



Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Help Support MajorGeeks
Buy Discounted Software @ Majorgeeks Store. Giveaways Too!

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

MajorGeeks on FaceBook