semaphore
Everything posted by semaphore

  1. I haven't been able to get HJT to run, thus have nothing to report. I am tired of screwing around with this POS. I found the missing OEM system restore disks so I now plan to transfer my essential files to a external HD, replace the corrupted HD with a new one, format, install the OS from scratch and give the corrupt HD to someone who can figure out what went/is wrong. Thanks for the help though.
  2. RunAlyzer showed just two suspicious things that remained after using the "Hide Legit" button. When looking at "Advanced Startups" it flagged SCRNSAVE.EXE, under:
     HKEY_USERS\PE_C_(MY NAME)\Control Panel\Desktop\
     HKEY_USERS\PE_C_(MY NAME)\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     HKEY_USERS\PE_C_ALL USERS\Control panel\Desktop\
     HKEY_USERS\PE_C_ALL USERS\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     HKEY_USERS\PE_C_ADMINISTRATOR\Control Panel\Desktop\
     HKEY_USERS\PE_C_ADMINISTRATOR\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     HKEY_USERS\PE_C_DEFAULT USER\Control Panel\Desktop\
     HKEY_USERS\PE_C_DEFAULT USER\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     HKEY_USERS\PE_C_LOCAL SERVICE\Control Panel\Desktop\
     HKEY_USERS\PE_C_LOCAL SERVICE\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     HKEY_USERS\PE_C_NETWORK SERVICE\Control Panel\Desktop\
     HKEY_USERS\PE_C_NETWORK SERVICE\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     HKEY_USERS\PE_C_S-1-5-18\Control Panel\Desktop\
     HKEY_USERS\PE_C_S-1-5-18\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\
     ThreatExpert flags this as 100% threat. When looking at "Explorer Plugins" RunAlyzer flagged TWEXT.DLL, listed with many entries described as "Restricted Sites Zones" under HKEY_USERS\Pe_C_(MY NAME)\SOFTWARE\Microsoft\Windows\Current Version\Internet Settings\ZoneMaps\Domains\
     There are conflicting opinions in several online discussions as to whether TWEXT.DLL is/is not a threat. Suggestions?
  3. I was able to get the RunAlyzer plugin to write to the BartPE disk plugin file. I was given an Ultimate Boot CD 4 Windows with MBAM on it. It ran but did not detect anything. Now we're going to try a .bat to rewrite some registry and services that appear to have been reset. After I run BartPE with RunAlyzer I will report back the results.
  4. Thanks. I'll try to run this ASAP and report back what it finds.
  5. The latest is that DrWeb found Backdoor.Zapinit.122 in C:/windows/system32/user32.dll then reported it as "cured". However, the system still will not initiate MBAM even after I reinstalled it.
  6. Thank You. I would greatly appreciate that RunAlyzer plugin for BartPE. How would you like to send it? I tried to load a BartPE SpybotSD plugin and could not get pebuilder to include it on the BartPE disk. It was loaded into the correct plugin folder and enabled but on the burnt disk that folder was empty. I couldn't decipher how to get a MBAM plugin from the pages and pages of discussion on its development elsewhere on this forum, as I am a lowly user, not a coder. I also tried to run MBAM from a flashdrive via the BartPE file management program. It asked for a missing MSVBVM60.dll before it would run. When I tried to load this .dll via pebuilder it wouldn't place it anywhere but up front in the "BartPE" folder, even when instructed that the "output" was to "C:\Program Files\BartPE\pebuilder3110a\BartPE\I386\system32". This thing is so weird it has every IT geek I know stumped and scratching their heads (or other body parts) and waiting for a solution so they will know what it was.
  7. I first posted my problem in the general forum and have been instructed to start again in this forum. I initially had an outbreak of PC Antispyware 2010 that I was eventually able to stop by manually removing almost all the files created on the day this rogue program overtook my system. I also removed those files I could find (2) from those listed in several different web instruction sets for manual removal of PCAV2010. I am now left with the problem of not being able to run any anti-malware like MBAM, Spybot S&D or AVG. HJT would not run. I tried all of these in both normal and safe mode with the same non-results. I also tried running them with different filenames, as suggested in several forums. I tried running them with Win2000 or xp compatibility also. Nothing worked. Whatever it is, it also locks out deleting or renaming the .exe files once they have been tried and failed. It seems to have disabled Google's Advanced Search feature also, though that could have been me mucking around in the registry. I was able to get Avira Antivir to run. It detected and quarantined a pile of crap, but did not solve the antimalware hangups. I have that report if you want to see it. I was able to get Avira Rootkit Tool to run. It detected nothing. I tried booting with an Avira Antivir Rescue System boot disk (from disks downloaded on two different machines) and all I got was a screen image of a weird fat little gremlin with a tail, sitting on his ass wearing a tied on fake beak/nose, flashing his feet at me (BTW WTF is up with that!?). I tried LSPFix, which ran but didn't help with the failure to launch problem. WinsockFix would not run. I tried, as instructed, all the fixes suggested in MBAM FAQ #5. No joy. procepxp.exe ran but returned no listings that appeared abnormal. Nothing identifiable as AV360, Fake Alert, TotalSecurity, SystemSecurity... RootRepeal was whacked just like MBAM, AVG, Spybot.... even when renamed.
     HJT: When newly loaded it seems to run for a few seconds more than the others, but is whacked as above. I read "I am Infected", as instructed, and got nowhere with anything from there. ComboFix reports: Access is denied. Access is denied. Access is denied. Please wait. ComboFix is preparing to run. Access is denied. Win32kDiag.exe finds Mount Points for a lot of stuff under C:\WINDOWS\... and reports their destinations as :\Device\_max++>\^
     Win32kDiag reports it is denied access to:
     C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
     C:\WINDOWS\system32\attrib.exe
     C:\WINDOWS\system32\config\default.bak
     C:\WINDOWS\system32\config\sam.bak
     C:\WINDOWS\system32\config\security.bak
     C:\WINDOWS\system32\config\software.bak
     C:\WINDOWS\system32\config\system.bak
     C:\WINDOWS\system32\cscript.exe
     C:\WINDOWS\system32\eventlog.dll
     C:\WINDOWS\system32\findstr.exe
     C:\WINDOWS\system32\ping.exe
     C:\WINDOWS\system32\route.exe
     I booted Norton 360 from the CD-ROM and it found nothing. I made a BartPE bootable CD on my clean laptop and was able to get it to boot my infected machine from the CD-ROM, however, I don't know what I am looking for, where it might be hiding or which, if any, of the listed BartPE plugins might help. When I tried to run MBAM from within BartPE it failed to run, reporting "Unable to access MSVBVM60.dll". This .dll was not included in those burned while making the bootable CD. I tried to add it, but can't get BartPE's setup to put it in the system32 folder with the rest of the .dll's. I am now trying to figure out how to get BartPE to include it in the correct folder. I tried getting the BartPE setup to write to a separate HD folder, added the dll, then wrote that folder's content to a CD, but it doesn't want to boot from this CD. Looking at both the BartPE disks; the one that works and the one that doesn't, using Windows Explorer, they appear to be the same, except for the .dll I added. What next?
  8. Thanks for your prompt reply! I tried all the suggestions in Fixes #5 to no avail. procepxp.exe ran but returned no listings that appeared abnormal. Nothing identifiable as AV360, Fake Alert, TotalSecurity, SystemSecurity... RootRepeal was whacked just like MBAM, AVG, Spybot.... even when renamed. HJT: When newly loaded it seems to run for a few seconds more than the others, but is whacked as above. I read "I am Infected" and got nowhere with anything from there. ComboFix reports: Access is denied. Access is denied. Access is denied. Please wait. ComboFix is preparing to run. Access is denied. Win32kDiag.exe finds Mount Points for a lot of stuff under C:\WINDOWS\... and reports their destinations as :\Device\_max++>\^
     Win32kDiag is denied access to:
     C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
     C:\WINDOWS\system32\attrib.exe
     C:\WINDOWS\system32\config\default.bak
     C:\WINDOWS\system32\config\sam.bak
     C:\WINDOWS\system32\config\security.bak
     C:\WINDOWS\system32\config\software.bak
     C:\WINDOWS\system32\config\system.bak
     C:\WINDOWS\system32\cscript.exe
     C:\WINDOWS\system32\eventlog.dll
     C:\WINDOWS\system32\findstr.exe
     C:\WINDOWS\system32\ping.exe
     C:\WINDOWS\system32\route.exe
     What next?
  9. This is my first post to this forum. I had an outbreak of PC Antispyware 2010 that I was eventually able to stop by manually removing almost all the files created on the day this rogue program overtook my system, plus those files I could find (which weren't many) from those listed in several web instruction sets for manual removal of PCAV2010. I am now left with the problem of not being able to run any anti-malware like Spybot S&D, MBAM or AVG, neither would HJT run. I tried all of these in both normal and safe mode with the same non-result. I also tried running them with different filenames and with Win2000 or xp compatibility in all possible combinations, as suggested in several forums. Nothing worked. Whatever it is, it also locks me out of deleting or renaming the .exe files once they have been tried and failed. It also seems to have disabled Google's Advanced Search feature, though that could have been me mucking around in the registry. I was able to get Avira Antivir to run. It detected and quarantined a pile of crap, but did not solve the antimalware hangups. I have that report if you want to see it. I was able to get Avira Rootkit Tool to run. It detected nothing. I tried booting with an Avira Antivir Rescue System boot disk (from disks downloaded on two different machines) and all I got was a screen image of a weird fat little gremlin with a tail, sitting on his ass wearing a tied on fake beak/nose, flashing his feet at me (BTW WTF is up with that!?). I have been advised to run LSPfix and Winsockfix. I will try them next, without much confidence in the result. This is the most persistent bug I have ever encountered. What do you suggest I try next?
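A defender-side check for the two findings in post 2 above, added here as an example (PowerShell; not code from the thread, from RunAlyzer or from any tool named in it): it reads the SCRNSAVE.EXE value from each loaded user hive's Control Panel\Desktop key and its Policies copy, then lists the domains each hive places in the Restricted Sites zone (the real key name is ZoneMap, and zone number 4 is Restricted). It assumes an elevated PowerShell prompt on the live system; hives mounted offline from BartPE carry other names (the PE_C_* prefix in post 2) and are not enumerated this way.

```powershell
# Added example, not from the thread: audit SCRNSAVE.EXE and Restricted-Sites
# ZoneMap entries for every user hive currently loaded under HKEY_USERS.
$desktopSubKeys = @('Control Panel\Desktop',
                    'Software\Policies\Microsoft\Windows\Control Panel\Desktop')

function Get-ScreenSaverEntries {
    param([string]$HivePath)                      # e.g. Registry::HKEY_USERS\S-1-5-18
    foreach ($sub in $desktopSubKeys) {
        $key = "$HivePath\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $scr = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
        if (-not $scr) { continue }
        $file   = [Environment]::ExpandEnvironmentVariables($scr)
        $exists = Test-Path -LiteralPath $file
        # Catalog-signed OS files may report NotSigned on older Windows; treat this as a hint only.
        $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
        [pscustomobject]@{ Hive = ($HivePath -split '\\')[1]; Key = $sub; Value = $scr
                           Exists = $exists; Signature = $status }
    }
}

function Get-ZoneMapEntries {
    param([string]$HivePath, [int]$Zone = 4)      # 4 = Restricted sites zone
    $root = "$HivePath\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -LiteralPath $root)) { return }
    $rootName = $root -replace '^Registry::', ''
    # Layout: Domains\<domain>[\<host>] with scheme values (http, https, *) holding the zone number.
    Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object {
        $k = $_
        foreach ($scheme in $k.GetValueNames()) {
            if ($k.GetValue($scheme) -ne $Zone) { continue }
            $parts = $k.Name.Substring($rootName.Length + 1) -split '\\'
            [array]::Reverse($parts)              # host\domain order -> host.domain
            [pscustomobject]@{ Hive = ($HivePath -split '\\')[1]; Site = ($parts -join '.'); Scheme = $scheme }
        }
    }
}

$hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
         Where-Object { $_.PSChildName -notlike '*_Classes' }
$hives | ForEach-Object { Get-ScreenSaverEntries -HivePath "Registry::$($_.Name)" } | Format-Table -AutoSize
$restricted = $hives | ForEach-Object { Get-ZoneMapEntries -HivePath "Registry::$($_.Name)" }
# Thousands of Restricted-sites entries usually come from an anti-spyware "immunize" list, not an
# infection; a short or odd list present in only one hive is what deserves a closer look.
$restricted | Group-Object Hive | Select-Object Name, Count | Format-Table -AutoSize
$restricted | Sort-Object Site -Unique | Format-Table -AutoSize
```

For the SCRNSAVE.EXE rows, the questions to answer are whether the file exists, whether it sits outside the Windows directory, and whether its signature status differs from the other hives' entries.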