08-05-2008, 10:22 AM   #2
1972vet
Analyst, Security Team
 
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 557
OS: Dual Boot Setup, Vista SP2 and XPSP3


Re: IE Pop-ups - Malware

I trust that you have not rebooted that computer...regardless, I need to say,
PLEASE DO NOT REBOOT.

Let's first back up the Registry.

Copy the data below into a blank notepad and save it as regbackup.bat
Code:
@echo off
:: variables
set drive=C:\Backup
:: xcopy options for file copies (defined here but not used by the regedit export below)
set backupcmd=xcopy /s /c /d /e /h /i /r /y

echo ### Backing up the Registry...
:: create the destination folder if needed and remove any previous export
if not exist "%drive%\Registry" mkdir "%drive%\Registry"
if exist "%drive%\Registry\regbackup.reg" del "%drive%\Registry\regbackup.reg"
:: export the entire registry to a single .reg file
regedit /e "%drive%\Registry\regbackup.reg"
echo Backup Complete!
@pause
Double-Click that .bat file and allow it to run.
PLEASE ONLY RUN THIS FILE ONE TIME FOR NOW...

Press any key when it completes.

This script copies the registry to the directory defined in the %drive% variable, or "C:\Backup". If the script is run multiple times, it will rewrite if the source files are newer. As it stands now though, we only want to run this batch file just this once...you can delete the file once it completes successfully. Navigate to C:\Backup\Registry where you should find the regbackup.reg file. If you find it then just close that folder and continue to delete the regbackup.bat file we created and placed on the Desktop.


Next, click start-->run...then type or copy and paste the following in the run box and click "OK":
regedit
...when the Registry Editor opens, navigate to the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Secret
\"<System>\Secret.exe\" FormaT


To do that, click once on the ► next to the folder labeled HKEY_LOCAL_MACHINE, scroll down to the Software folder and do the same in succession until you reach the Run folder. When you find it, click on the Run folder and look to the right pane for the entry named Secret. Click on that entry once to highlight it, then right-click and select Delete... If prompted, click OK and Close the Registry Editor.

Rebooting now should not cause the activation of what I suspected was the Troj/Delf-LW...Once infected with that trojan, when the computer is next rebooted and Troj/Delf-LW is launched on startup, it first disables the Task Manager, and tries to prevent a log-off or shutdown from occurring.

Troj/Delf-LW then proceeds to attempt to delete every file and folder on the entire system, while displaying a progress bar entitled "Updating System Configuration".

Once Troj/Delf-LW has finished deleting files, it displays a message saying "Yedinmi Yarraaa?". You shouldn't see that (not now, since we deleted the entry from the run key) but I've posted this information for the benefit of other forum readers.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978

Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance

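As an added example (not part of the post above or of any tool it mentions): a small Python script that reads a `regedit /e` export such as the regbackup.reg file the batch script produces, lists the values under the logon Run/RunOnce keys, and flags the value name the post tells the reader to delete. The sample export embedded below is constructed for the demonstration, and the temp/AppData path heuristic in `flag_entries` is my own, not something the post describes.

```python
import re
# Logon autostart keys; the post deletes a value from the first of these.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ lines only

def decode_reg(raw: bytes) -> str:
    """regedit /e writes UTF-16LE with a BOM; fall back to ANSI for older exports."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")

def unescape_reg(s: str) -> str:
    r"""Undo .reg string escaping: \\ becomes \ and \" becomes a plain quote."""
    return re.sub(r'\\(["\\])', r"\1", s)

def autorun_entries(reg_text: str) -> dict:
    """Return {key: {value_name: command}} for string values under the autorun keys."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1] if line[1:-1].lower() in AUTORUN_KEYS else None
        elif current and (m := VALUE_RE.match(line)):
            entries.setdefault(current, {})[unescape_reg(m[1])] = unescape_reg(m[2])
    return entries

def flag_entries(entries: dict, known_bad_names: set) -> list:
    """(key, name, command) tuples for values named in known_bad_names or launched from
    a temp/AppData path (the path heuristic is this example's own, not from the post)."""
    return [(key, name, cmd) for key, vals in entries.items() for name, cmd in vals.items()
            if name in known_bad_names or re.search(r"\\(temp|tmp|appdata)\\", cmd, re.I)]

# Constructed sample export, not a real regbackup.reg; the "Secret" line mirrors the post.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"Secret\"=\"\\\"<System>\\\\Secret.exe\\\" FormaT\"\r\n"
    "\"ExampleUpdater\"=\"C:\\\\Program Files\\\\Example\\\\updater.exe /quiet\"\r\n"
    "\"Installer\"=hex:00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]\r\n"
    "\"Secret\"=\"not an autorun value, must be ignored\"\r\n"
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_REG.encode("utf-16-le")

if __name__ == "__main__":
    for key, name, cmd in flag_entries(autorun_entries(decode_reg(SAMPLE_BYTES)), {"Secret"}):
        print(f"FLAGGED {key} -> {name} = {cmd}")
```

To audit a real export, replace SAMPLE_BYTES with the bytes read from C:\Backup\Registry\regbackup.reg and review every flagged and unflagged entry by hand; the script only surfaces entries, it does not change the registry.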