seriouscode,

Alright. This should take care of it.

Restart and do the F8 thing but this time instead of safe mode or Last Known Good Configuration, I want you to select Return to OS system choices

Then select Recovery Console

It will take a minute for Recovery Console to start up. It will finally ask you Which Windows installation. There should only be one choice. 1:C:\Windows. So type 1 then hit enter.

You will get a page that looks like an old DOS page. Please type in Copy C:\Qoobox\Quarantine\C\WINDOWS\system32\win32k.sys.vir c:\windows\system32\win32k.sys and then hit Enter.

When you get the prompt back, type in Copy C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcrt4.dll.vir c:\windows\system32\rpcrt4.dll and hit Enter.

This time when you get the prompt back, type Exit.

Your computer should now reboot into windows.

Let me know how it goes.

Tomk,
this is what i see when i get into the recovery console dos prompts:



Which windows installation would you like to log onto: To cancel, press ENTER)? !
C:\Windows>1
The command is not rocognized Type HELP for a list of supported commands.

C:Windows> Copy C:\Qoobox\Quarantine\C\WINDOWS\system32\win32k.sys.vir c:\window
s\system32\win32k.sys
Access is denied.

C:\WINDOWS> Copy C:\Qoobox\Quarantine\C\WINDOWS\system32\rpcrt4.dll.vir c:\window
s\system32\rpcrt4.dll
Access is Denied.

C:\WINDOWS>



Tomk, what do i do next? am i doing this right? i'm sorry i've gone scardy cat on you but i'm just scared i might of missed a step or something and now my Desktop computer is fried!

seriouscode,

I don't blame you a bit for being scared. I would be to. Stick with me because your computer is not fried. Absolute worse case is a repair install but I don't believe that to be necessary.

I found another copy of those two files so hopefully that will solve the permissions problem.

I don't know what this means:You should have been given a choice right before the question and then you type 1 which will bring up the dos prompt C:\Windows>. Once you get that, you should not have to type 1 anymore. It appears that you in fact did get the dos prompt so you did the correct things.

now I'd like you to get to the Dos prompt again but the commands are slightly different.

Copy c:\windows\ServicePackFiles\i386\win32k.sys c:\windows\system32\win32k.sys
Copy c:\windows\ServicePackFiles\i386\rpcrt4.dll c:\windows\system32\rpcrt4.dll

Please try again and let me know how it goes.

The files copy ok... But when i go back and try to type the first part you told me to type it still says access denied. lol now i don't know what to do lol. It turns out that i did not know that you had to UPPER CASE the COPY part lol. still i did do it all but still no go... the new line of code did copy... old line of code... still access denied lol

seriouscode,

You didn't know to capitalize COPY because I didn't tell you. Sorry. It's been years since I've used DOS commands and I forgot.

Now I'm confused. Did the files copy? What we are trying to do is copy a file to c:\windows\system32\win32k.sys and c:\windows\system32\rpcrt4.dll. After these two files are successfully copied. You should type exit and then your computer should reboot.

they did copy lol. And don't worry i don't know a thing about DOS so if you forgot to mention something its okay lol, if you look at my profile you'll notice that i learn best by doing, even if that means i messed up. Tomk i gotta hand it to you again thu, the system did reboot properly. I will log in but i am not going to do anything unless you tell me to. What comes next now that I am no longer in the "Oh my gawd, i think i just sharded in my pants, cause i just broke my desktop" mode? What do i do now that i am back on the desktop?

seriouscode,

Good morning. Glad to hear you're back on.

I abandoned you for a few hours and got some sleep.

I'd like you to run an mbam scan for me please.

Tomk,

Ok i logged via the admin log in in normal mode and started booting up normally, but then i we hit another snag. for some reason, the desktop screen seems to refresh and refresh and refresh. The background stays the same, but the toolbar where the start button and tray icons are, along with the desktop icons on that align against the left side of the screen all blink and disappear temporarily. Then the Toolbar at the bottom changes from a smooth and rounded and blue to something that looks like the 95 square and gray bar. Again here I am in the "Oh my gawd, I think i just sharded in my pants" mode. lol yet again Tomk, please explain

seriouscode,

That sounds like it may be related to all of those scrambled files we deleted. Do you have your Windows disk? I'd like to do a scan for contaminated systems files but if the scan finds a problem, we would need your windows disk for the file to be repaired.

And there is that other snag... We're about to tear this shirt off with all these snags lol. I lost the disk in the last move somewhere, and that I was mostly afraid of. What now?

seriouscode,

Please start the computer in safe mode at tell me what happens.

safe mode is good to go.

seriouscode,

Ah. That means it's probably a driver problem. Let me think on this and ask some techs.

I'll be back.

seriouscode,

Please run DDS and post me the log again.

If you need to be in safe mode to run it, then please transfer the information to your other computer to post. If you connect to the internet in safe mode (using safemode with networking) your security systems will be offline and therefore not protecting you.

Tomk,

You are quickly becoming a really good friend lol. How do you know all of this? really? I would really like to know so I can be as informed as you, i really do find this all kind of fascinating. Here is the DDS.txt log:


DDS (Ver_09-05-14.01) - NTFSx86 MINIMAL
Run by Administrator at 20:17:42.26 on Thu 06/25/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-25 20:16 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-06-25 17:38 <DIR> --d----- c:\documents and settings\Administrator
2009-06-24 21:56 6,736 a------- c:\windows\system32\drivers\PROCEXP90.SYS
2009-06-24 21:51 <DIR> --ds---- C:\ComboFix
2009-06-24 21:51 389,120 a------- c:\windows\system32\CF27326.exe
2009-06-24 14:52 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-24 14:28 <DIR> a-dshr-- C:\cmdcons
2009-06-24 14:26 161,792 a------- c:\windows\SWREG.exe
2009-06-24 14:26 155,136 a------- c:\windows\PEV.exe
2009-06-24 14:26 98,816 a------- c:\windows\sed.exe
2009-06-23 21:16 <DIR> --d-h--- c:\windows\PIF
2009-06-22 23:57 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 23:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 23:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-22 23:56 <DIR> --d----- c:\program files\Trend Micro
2009-06-22 09:47 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 09:47 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-18 15:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-18 15:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-18 15:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-06 22:17 <DIR> --d----- c:\program files\TomTom International B.V
2009-05-26 22:18 15,688 a------- c:\windows\system32\lsdelete.exe

==================== Find3M ====================

2009-06-24 21:55 1,847,168 a------- c:\windows\system32\win32k.sys.tmp
2009-06-24 21:55 585,216 a------- c:\windows\system32\rpcrt4.dll.tmp
2009-06-22 08:26 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-22 08:12 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 22:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2008-08-23 18:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 20:18:04.21 ===============


And the Attach.txt is, well, attached