help!! trojan/ lost use of all .exe files

From my previous post in this forum called "on a roll":

The trojan was using, powerpoint.ini, WMplayer.exe and others. I deleted all the reminents but did something wrong as I got into the registry. I used RegRun trojan process analyser and found the troojan was using a certain key,HKLM\System\CurrentControlSet\Control\CommAlias
and promptly deleted the COM2 part of it.

None of my exe's work now and I can't open any file that needs an exe. I cannot even get the original rundll32.exe off my original win98se disc.

What do I do now? thank you!!!

PS-I can't download a zip file becasue when I go to open it the same thing happens where the extension association will not work for any .exe.

I can't even run a exe file from the net as in "open" option instead of saving it to HD for same reason.

 

Hi Zappa,

I'm not going to be too much help, but did you mean that you accidently deleted a reg key with RegRen and that's when you lost the file association for .exe files?

I don't know RegRun (I should, but I dont') but doesn't it have a backup feature you could restore the registry key from?

Regards,

snap

 

Honestly, at this point the little man talking to me on my shoulder knows more than I do. This newest issue started last night and kept going for many hours, I had to stop to do real work today, then back at it now.

thanks though..

 

Ok, just so we can get more information that might help someone else that might be able to help you. Do you have a recent hijackthis log that you could post. I know you said you can't run hijackthis now, but if you should happen to have one from just before this started, we might be able to tell something from it as to what was going on. (I'm searching for ideas here).

snap

 

Well, this might be a real option at this point.

 

Ron, don't like that idea much. I would not have posted for that type of advice.


I figured out that RegRun has an optin to fix exe, pif, etc's. Did that but the problem has been that the little sucker keeps renaming itself and morphing.

So i am on line with my pc and regrun works and so does nod32, ie works, but nothing else.
thanks.

 

ahh...if you can then, boot into safe mode which hopefully the trojan won't be able to run then. Then try and do a TDS scan if you can, along with a NOD scan, and finally a Hijackthis scan. Alot at once, but at least a start.

snap

 

RegRun has a Clean Boot DOS feature for Windows 98. From the help file:

"Clean Boot allows you to load in really clean Windows.
Clean Boot works in two modes:
• DOS
• Windows

To use Clean Boot DOS you need to activate Secure Start DOS.
Clean Boot for DOS is available only for Windows 95/98.
Clean Boot DOS works during DOS mode (autoexec.bat)."

Might be worth trying just to see how your system behaves. Hopefully, from there you can run one of several DOS-based AVs available. Another option would be to create and boot from a bootdisk (http://www.bootdisk.com/bootdisk.htm) and then clean your system using DOS AVs. That won't help your registry though.

Nick

 

https://www.wilderssecurity.com/showthread.php?t=38705
This was your other thread.
If all this doesn't work, you can try from DOS a repair install for win98 over itself.
Was this all from deleting only one registry key?
And you say the trojan / virus / nasty is still not all removed and misbehaving?
Can you try to boot into safe mode and does anything work from there?
Like a TDS scan?
Do online scans work?
Does your Regrun not make backups if you change anything in the registry?
How did your system get that infected in the first place?
Any idea how the registry key should read and what possibly to add again?
As i don't know a HKEY\System, there should be something between that.
If we know exactly the name somebody could post maybe whet there should be and post it for you.
Very strange if RegRun has no backup for deleted keys via that!

If you registered for the DiamondCS forum you'll find this thread helpful on the scanreg.exe for win98 users
http://www.diamondcs.com.au/forum/showthread.php?t=1875&highlight=scanreg
Only hope your regrun didn't block that ability to get several restore versions back.

 

Without the benefit of a Hijack This log it's hard to advise...

Try this: download Exefix08.com from this site: http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

Doubleclick it, and it will restore the default Windows file associations for exefiles.

Now try launching Hijack This; will it run?

If no joy, rename the Hijackthis.exe file to Hijackthis.com and doubleclick that; that should work.

 

Got my exe files back.

I will upload my startup/text.

I will upload my IE log which appears Win Media player has been downloading things other than codecs.

I will upload the process trace I did that includes Win Media player opening up pstores.exe?

To answer your questions:
Was this all from deleting only one registry key?
I guess since that is all I deleted.

And you say the trojan / virus / nasty is still not all removed and misbehaving?
Yes, it still is. I found it in my win.ini file it always saves itself as something else before I shutdown.

Can you try to boot into safe mode and does anything work from there?
Like a TDS scan?

I finally got TDS to run and it found another (new to me) trojan, win32/trojandownloader.In.Service.D trojan. We deleted it.

Do online scans work?
Nod is working as it found two more separate versions or exe's of the trojan (prior to running TDS) I have now deleted 3 times called win32 dialer.A.1

Does your Regrun not make backups if you change anything in the registry?
Yes, it does but I think that I don't want to use a backup of an infected registry, right? I say that as it appears that my regisrty has been changed a whole bunch, but I know close to 0 so...

Nick S:
Since I am worried about any type of OS crash, I do not want to lose any data, I am hesitant to do anything in DOS due to my clueless factor of doing something wrong. Going into DOS to me is like a bad delete dream.

Tony K-
Thanks I went to the page that had the zip files and could not find the page you directed me to. Ther is a program there called DD delete..or something again a DOS issueor does it just run itself with me doing nothing, which is always safer.

 

bootlog.

 

Small part of the entire process tracer results from RegRun Gold.

 

In fact, the link I posted works, and takes you straight to the section in which Exefix08.com is available for download...

Also, instead of all that other stuff, would you please run Hijack This, and post a Hijack This log as requested?

You can find Hijack This here: http://s89223352.onlinehome.us/mirror/hjt/

Someone here will be happy to help you interpret the results.

 

Hijack this log attached. I added to the botton of the log a registry entry TDS found that is suspicious to me.

Logfile of HijackThis v1.97.7
Scan saved at 8:56:16 PM, on 7/3/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\TDS3\TDS-3.EXE
C:\PROGRAM FILES\GREATIS\REGRUNSUITE\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com/archive/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://start.earthlink.net/start"); (C:\Program Files\Netscape\Users\damiangrand\prefs.js)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\PROGRAM FILES\SYSSHIELD TOOLS\INTERNET ERASER\PKEXT.DLL
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGITBHO.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\PROGRAM FILES\IE URL SPOOFING PATCH\IEWORKAROUND3.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\PROGRAM FILES\XI\NETTRANSPORT 2\NTIEHELPER.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 6\SNAGITIEADDIN.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\Scanregw.exe /autorun
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Amon] "C:\PROGRAM FILES\ESET\AMON.EXE"
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\GREATIS\REGRUN~1\WatchDog.exe
O4 - Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: AutoPlay Extender.lnk = C:\WINDOWS\SYSTEM\rundll32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Advanced Properties - http://www.advancedpropertiesie.com/advprops/advprop.php?rd=1024572924710
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Convert and Open - C:\PROGRAM FILES\CAMTECH\CONVERT & OPEN\ConvertIt.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: Sizer - C:\Program Files\IECrap\tsrSizer.htm
O8 - Extra context menu item: Zoom Frame - C:\Program Files\IECrap\ZoomFrame.htm
O8 - Extra context menu item: Debug Box - C:\Program Files\IECrap\DebugBox.htm
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Add to my&Favorites - C:\Program Files\myFavorites\myFavorites.hta
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Search &Google - C:\PROGRAM FILES\RIGHTCLIELECTEDURL\google.htm
O8 - Extra context menu item: Open Selected URL - C:\PROGRAM FILES\RIGHTCLIELECTEDURL\openselectedurl.htm
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Favorites Search (HKLM)
O9 - Extra button: Offline (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O9 - Extra button: Maximizer (HKLM)
O9 - Extra 'Tools' menuitem: IE New Window Maximizer (HKLM)
O9 - Extra button: Files (HKLM)
O9 - Extra 'Tools' menuitem: &FileLocator (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AdShield (HKCU)
O9 - Extra button: AbsoluteShield Internet Eraser (HKCU)
O9 - Extra button: Cookies (HKCU)
O9 - Extra button: myFavorites (HKCU)
O9 - Extra 'Tools' menuitem: myFavorites (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O15 - Trusted Zone: http://www.delta.dfg.ca.gov
O15 - Trusted Zone: https://www.wilderssecurity.com
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.fullautofun.homestead.com
O15 - Trusted Zone: http://www.fullautofun2.com
O15 - Trusted Zone: http://www.diamondcs.com.au
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37897.1011111111
O16 - DPF: {10D1242B-6EFF-465D-B2F6-27AB9B310929} (WrapFrontend Control) - http://www.softwrap.com/wrapper.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1553e15e20c14a947506/netzip/RdxIE601.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/uk/WebInstall.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/English/bin/npseatools.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/EnvivioTVSilentInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - https://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {230C
3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.photogize.com/saxfile.cab

LOG ends here
_______________


TDS found these two changes in registry which have never been there historically speaking:

HKEY CLASSES ROOT\CLSID\{9209B1A6-964A-11D0-9372-OOAOC9034910}\LOCAL SERVER32 (DEFAULT)
= C:\WINDOWS\SYSTEM\MDM.EXE

 

Normally the MDM has to do with debugging, if you used the TWEAK utility or allowed the browser to display errors on websites you have that thing in the autostart. That one is not a problem normally spoken.
The Local Server32 ? are you running some server or is that part of the infection?

I notice you have notepad in the startup. No need for that. Better drag a shortcut to it in the taskbar or on the desktop and you have it always at hand. Saves some bandwidth.

Other comemnts and the HJT log i leave to the experts.

 

Thanks Jooske-

I deleted the server from registry that TDS found.

I do not have notepad in startup, probably part of the infevtion too for editing .ini files? Something about the infection for sure but I will remove it from startup. I did not see it in startup, thanks.

I removed Win Media 9 from my system since wmplayer.exe was infected and changes values of other programs. Once I removed it I lost all my .inf associations!!! Unreal.

I wiil wait for further remarks about the hijack this log.

One last thing my netscape browser when open keeps trying to secretely contact a site named ...akami. Is that part of the infection?

thanks again.

 

Hi again Zappa,
as it is too complicated for my skills we moved your thread to the HJT forum for expert help.
Fingers crossed, you come out allright with their help to the best of options!