Need some help, having a major problem here...

Discussion in 'Malware Help (A Specialist Will Reply)' started by dustnx, Dec 25, 2010.

  1. dustnx

    dustnx Private E-2

    I have been trying to figure this out for 4 days now. I am usually pretty good at getting malware crap off computers, but this one has me stumped. I am running Windows 7 Professional 64-bit and cannot execute any .exe files, no virus scans, etc... The only exe's that will run are 64-bit programs, from what I can tell; I can run IE 64-bit and Photoshop 64-bit but can't run Firefox or any of my scanning programs. I've tried a few rescue CDs from different AV softwares to no avail. I also have tried renaming exe's to .com and .scr with no avail either. I can watch the task manager when I start a program: it will pop up in the task manager, then it will disappear about 3-4 seconds later. I have no idea what to do. Any ideas?

    PS:
    Also in safe mode nothing will execute except the same stuff that executes in normal mode.

    PSS:
    Also, it has thrown a few BSODs at me, but totally random.. it will also just randomly restart. I can't even find what the name of this thing is..
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
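    The opening post describes a box where 32-bit .exe files appear in Task Manager and die within seconds while 64-bit programs run, and the reply above leans on tools (Rkill, exeHelper) to get something to execute at all. Added here as an illustration, and not a script posted by the thread's helpers or part of any tool they link, is a read-only PowerShell check of the registry locations that govern how .exe files launch. It assumes the Windows defaults shown as "expected" values (`exefile` for the .exe class, `"%1" %*` for its open command, empty AppInit_DLLs, no per-user .exe overrides, no Image File Execution Options debugger entries); anything else is flagged for comparison against a known-clean machine of the same Windows version, and nothing is modified.

```powershell
# Added example (not from the thread): read-only diagnostic for the symptom
# "32-bit .exe files die within seconds while 64-bit programs run".
# Run from an elevated 64-bit PowerShell prompt; on the box described in the
# thread the 64-bit binaries are the ones that still start. Nothing is changed.
# The "expected" values below are assumed Windows defaults: confirm them
# against a healthy machine of the same version before acting on a SUSPECT line.

$results = New-Object System.Collections.Generic.List[string]

function Read-RegValue {
    # Returns the named value at $Path, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Machine-wide .exe file association. If the open command points at
#    something other than the default, every .exe launch is routed through it.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}
foreach ($path in $expected.Keys) {
    $actual = Read-RegValue -Path $path -Name '(default)'
    if ($actual -ne $expected[$path]) {
        $results.Add("SUSPECT  $path (default) = '$actual' (expected '$($expected[$path])')")
    } else {
        $results.Add("ok       $path (default) = '$actual'")
    }
}

# 2. Per-user overrides win over HKCR and are absent on a clean profile.
$userPaths = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile\shell\open\command',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)
foreach ($path in $userPaths) {
    if (Test-Path -Path $path) {
        $results.Add("SUSPECT  per-user .exe override present: $path")
    }
}

# 3. Image File Execution Options: a Debugger value makes Windows start that
#    program instead of the named executable. Both registry views are checked
#    because the 32-bit view applies to 32-bit processes on a 64-bit system.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($base in $ifeoPaths) {
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = Read-RegValue -Path $_.PSPath -Name 'Debugger'
        if ($dbg) { $results.Add("SUSPECT  IFEO Debugger for $($_.PSChildName): $dbg") }
    }
}

# 4. AppInit_DLLs are loaded into every process that links user32.dll. An entry
#    only in the Wow6432Node view affects only 32-bit processes, which would
#    match "64-bit programs run, 32-bit ones do not".
$appInitPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($win in $appInitPaths) {
    $dlls = Read-RegValue -Path $win -Name 'AppInit_DLLs'
    $load = Read-RegValue -Path $win -Name 'LoadAppInit_DLLs'
    if ($dlls) {
        $results.Add("SUSPECT  AppInit_DLLs at $win = '$dlls' (LoadAppInit_DLLs = $load)")
    } else {
        $results.Add("ok       AppInit_DLLs at $win is empty")
    }
}

# 5. Sanity check that the 32-bit subsystem is present at all.
if (-not (Test-Path -Path "$env:windir\SysWOW64")) {
    $results.Add('SUSPECT  SysWOW64 folder missing; 32-bit programs cannot run without it')
}

$results
```

    Paste the SUSPECT lines into the reply rather than editing the values by hand: the helpers in this thread want logs first, and the same keys are what the tools they ask for act on. If even the 64-bit PowerShell host is killed within seconds, that is itself a useful observation to report, since the first post says 64-bit programs were the ones still running.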
     
  3. dustnx

    dustnx Private E-2

    Here's the avp log. I ran the exeHelper but it didn't create a log, nor did I see any text in the command prompt.. tried to run it again and it just popped up and disappeared immediately. Also couldn't use the scanner nor MGtools, nothing happened with either of them...
     


  4. dustnx

    dustnx Private E-2

    Also I tried running the Rkill programs, none worked.... at least that I know of.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting your PC into safe boot mode. Then do the below.


    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  6. dustnx

    dustnx Private E-2

    It would not run, even in safe mode. Nothing pops up, just acts like nothing happens.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you shut down UAC, and is it still shut down?

    What happens if you do the below?



    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt, each followed by the enter key. The text before <-- is the command; the text after it is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  8. dustnx

    dustnx Private E-2

    Now I am getting a BSOD saying IRQL_LESS_OR_NOT_EQUAL_TO or something of that sort when I log into safe mode.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds more like you have problems with your Windows installation that need to be repaired. This may not be an issue for the Malware Forum to work on. What exactly happened when you tried to use one of the special boot CDs?

    Do you have your Win 7 boot DVD?
     
  10. dustnx

    dustnx Private E-2

    I'm pretty sure it's malware/virus. I am not exactly sure what happened, as my sister seems to just get on my computer as she wishes. When I ran the AVG rescue CD it found a few objects, but it didn't remove them. I manually removed them later after it was done. The other one I ran, BitDefender, never found my hard drive, which was because I was running them off a USB flash drive I'm pretty sure, but it never could find my partitions. As far as my boot disk, I have the Win 7 disk somewhere around here; I've spent all day looking for it, otherwise I would have already reformatted.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your PC was properly password protected and if she does not have her own login, then she could not do this. Was your PC password protected?

    Exactly what was removed? This could potentially be the cause of problems.

    If you cannot run anything, then we cannot do anything. This would likely lead to suggestions of trying to do a System Restore and if that does not work a repair. And if that does not work, a reinstall.
     
  12. dustnx

    dustnx Private E-2

    Yes it was, she said she was under guest account, but sometimes I forget to logoff my name.

    It was a folder on the C drive named Downloader.

    I understand that. I have already attempted a SR, twice actually, and after the second time all my restore points disappeared. I also had a complete image backup of my HD saved on a separate partition and somehow it isn't there anymore either.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Guest account is disabled by default on newer versions of Windows and if it exists and is not disabled, it should be disabled. It is a security risk.

    It is a security risk, and if you have problems with people using your PC when you don't want them to, then have it revert to the welcome screen and be password protected after some number of minutes of inactivity.


    That is all it said? No file names were listed? And was this folder right in the root folder of drive C or was it under Windows or somewhere else? May not matter too much now since we may not be able to do anything about it.

    Then it still sounds like more than just malware. This is not typical of any infections we have seen. How are you checking to see if the partition is there if your PC is not running properly?


    If you can boot up in normal mode and execute basic commands, what happens if you try what I suggested in message # 7 in normal boot mode?
     