Author Topic: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]  (Read 29881 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #30 on: September 19, 2010, 09:00:26 PM »
When you just search for the three items? That is weird

Could you type in the following to the custom scans and fixes area then run scan

/md5start
explorer.exe
winlogon.exe
wininit.exe   
/md5stop
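
An added example, not part of the original post and not OTL's own code: a sketch of the same kind of check, done against an offline Windows folder. It assumes the scan's purpose is to list an MD5 for every copy of the three named files so they can be compared; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

TARGETS = {"explorer.exe", "winlogon.exe", "wininit.exe"}  # file names from the post

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()  # MD5 only to mirror the scan output; it is not collision-resistant
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_copies(windows_dir, targets=TARGETS):
    """Map lower-cased file name -> {path: md5} for every copy under windows_dir."""
    found = {}
    for base, _dirs, files in os.walk(windows_dir):
        for name in files:
            if name.lower() in targets:
                p = os.path.join(base, name)
                found.setdefault(name.lower(), {})[p] = md5_of(p)
    return found

def odd_ones_out(found):
    """Names whose copies do not all share one hash (candidates for closer review)."""
    return sorted(n for n, copies in found.items() if len(set(copies.values())) > 1)

def build_sample_tree(root):
    """Constructed sample data: matching winlogon.exe copies, differing explorer.exe copies."""
    layout = {
        ("System32", "winlogon.exe"): b"clean-winlogon",
        ("winsxs/x86_sample", "winlogon.exe"): b"clean-winlogon",
        ("", "explorer.exe"): b"clean-explorer" + b"patched",
        ("winsxs/x86_sample", "explorer.exe"): b"clean-explorer",
    }
    for (sub, name), data in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_copies(tmp)
        for name, copies in sorted(found.items()):
            for path, digest in sorted(copies.items()):
                print(digest, path)
        print("differing copies:", odd_ones_out(found))
```

Differing hashes are only a lead: copies left behind by a Windows update can legitimately differ, so the result still has to be compared against known-good hashes for the exact OS build.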

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #31 on: September 19, 2010, 10:20:26 PM »
Yes, I've tried it. There is one difference from your instruction. After running the program it asks me to select the Windows folder. I choose c:\windows and after that it asks: "do you wish to load remote user profile(s) omitting "remote registry". And one more difference. I cannot choose this file as you have told me but rather open it, copy and paste the whole script.

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #32 on: September 19, 2010, 10:24:05 PM »
Could you copy and paste then please - I am still reading on the latest updates to the programme

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #33 on: September 20, 2010, 12:10:36 AM »
O.K. I did the following procedure.
1. I double-clicked on OTLPE icon
2. In a pop-up window I selected c:\windows as a windows folder
3. In next window "Do you wish to load remote user profile(s)" I choose "yes"
4. I chose one profile from a list (it was impossible to choose more)
and left "Automatically Load All Remaining Users" checked as it was already.
5. OTL started.
6a. I tried to drag and drop scan.txt to the "Custom Scans/Fixes" box
7a. It says "Error! Not a valid fix file"
6b. I tried to double click on "Custom Scans/Fixes". And in new window, that has opened, I tried to change location to find my desktop where I previously saved scan.txt.
7b. It wrote: "Error! Access violation at address 7CA0936 in module 'SHELL32.dll'. Read of address 00000006" and crashed
8. I opened the file in notepad.exe and copied Ctrl+A, Ctrl+C and pasted Ctrl+V (or otherwise I simply rewrote it).
9. I pressed Run Scan button
10. It proceeded for some time and when it came to: "Manual File Scan - Getting folder structure..." it popped up: "Error! out of memory"

There is one more thing. It does detect my USB disc (after plugging it in, a "Safely Remove Hardware" icon pops up in the sys-tray, but sometimes it doesn't show it in My Computer). To copy scan.txt I use the command line:

copy e:\scan.txt b:\documents and settings\default user\desktop\

It generally has some problems with the file system. Maybe you have a previous version?

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #34 on: September 20, 2010, 09:09:40 PM »
Unfortunately old versions are not kept as they can be dangerous

Do you have a Windows disc? As it looks like we may need the repair option

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #35 on: September 20, 2010, 11:00:28 PM »
With Vista? No, it is an OEM version. And there was no CD-ROM attached. Instead there is a bootable hidden partition with Windows PE on it (labelled: HP_Recovery). I previously downloaded and burnt Windows Automated Installation Kit (AIK).

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #36 on: September 20, 2010, 11:22:07 PM »
OK, there is a way to create a Vista recovery console

Go here and follow the instructions to create the CD: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html?ltr=C

This will enable you to access the Vista start up repair function

With WAIK you need a copy of the Vista CD to get it to work, so not much use to you I am afraid

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #37 on: September 20, 2010, 11:33:31 PM »
Update: Dch48 has hosted an ISO here, which will negate the need for using a torrent: http://www.adrive.com/public/09a07828c4a98ff6552455ec242eb6136a98730169be36b8650f85c231527a19.html

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #38 on: September 21, 2010, 12:24:35 AM »
Thank you. I'd rather choose the .iso file. I'm downloading it now. Will you be staying active for a long time today? I'm asking because in Poland it's 0:20 AM now and I need at least half an hour to download and burn it. So maybe we will continue tomorrow, shall we? But of course I can make myself a cup of strong coffee unless you are tired.

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #39 on: September 21, 2010, 12:52:39 AM »
Vista Recovery Disc is ready.

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #40 on: September 21, 2010, 10:00:20 PM »
OK, boot from the CD, then select start up repair and see if that cures the userinit/winlogon problem

If that fails then select System Restore and select a restore point prior to the problem

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #41 on: September 22, 2010, 12:39:51 AM »
I did "start up repair" and it found the error "files system corrupted", then booted again, but it didn't change anything. The system still has a problem with log on. And OTL still says: "out of memory". System restore is also useless in this case, I'm afraid :-[

And what about my earlier request to run TDSSKiller from safe mode/Win PE mode? I know we haven't got any scans so it would have to be done blindly. But overall, is it a bad idea? What may go wrong? And what is left apart from re-installation?

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #42 on: September 22, 2010, 12:48:42 AM »
And one more question. What about running OTL.exe (in a stand-alone version) from a hard drive (the same trick ???)
Or maybe the HDD can be taken out of that laptop and used as "a slave"?

Offline essexboy

Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #43 on: September 22, 2010, 08:59:57 PM »
The problem with using other tools is that they need to be run from the active drive and not a PE environment

In this case it might be a better option to remove everything that you want from the drive using reatogo and then going for a re-install

kricxjo

  • Guest
Re: explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]
« Reply #44 on: September 22, 2010, 09:46:47 PM »
So, I did a back-up earlier. Now I'm not much emotionally involved with repairing this system. And if there is no other option I can at least try and then prepare for re-installation. Thank you Essexboy for your time, help and patience and to all of you guys for reading and commenting too.

The last question. I assume that if it was an infection of system files, there is still a small chance of having an infected MBR section of the disc. How probable is it? And can the virus survive in that case?

That's it. Crusade is finished before it's been started.