Let me know about the Restore point, but before attempting anything try this first:

Download to your desktop. Do not run it: http://www.atribune.org/ccount/click.php?id=1

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.

Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.

If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Re-boot.

OK Yrag, i attempted a system restore three times.  Tried three different restore points.  Each time, windows made a comment about changes to disk E will be excluded.  No disk in e anyway.  PC shut down,m restarted, restore did its thuing, and message came up.  No changes made.  Guess this bug can mess with system restore?

 

downloaded atf claner. going to do as you just wrote, safe mode boot, etc.  be back soon.

OK, is it sure that the oldest restore point was from a time before the"bug"?

Some malwares can mess even with system restore.

The question is,is it still alive? it looks like Avira did kill it as far as I understand.

If it's not alive and you just want to try to repair the broken Windows, you can do a Repair using the Windows CD.

 

Yrag;  f8 method does not have safemode as option.  cant figure out how delete key got safemode before.

 

zigroom:  if alvira killed it, then my word files should be ok, but they all still act up, even newly created 'empty' ones.."

Why do you keep mentioning Alvira? Don't you have AVG installed?

If Office is your only problem, maybe you should just try reinstalling that?  I've had problems in the past with system restore and installed programs.  I'm not sure if has something to do with the registry or registered dlls, but programs sometimes don't run properly afterwards.

 

I had a virus recently (something to do with Microsoft ThinkPoint) and I ended up just reinstalled windows.  But I know how much of a pain in the ass that is. You need to install windows, all your drivers, re-download all the Microsoft updates, and then re-install all your software.  You can kiss a weekend goodbye.  But in the end, perhaps it would be quicker than the pain and suffering your going through now?

OK, cmd   sfc/scannow <enter> gets message to insert windows serv pak 3 disc.  The only disc i have is a windows xp home edition, ver 2002.  i put that in, and it wanted me to do things with dll files.

 

now i will boot from that disc and see.  maybe  just reinstall windows?

when  win xp was in, option was to upgrade windows, but not reinstall windows.  what am I doing wrong with this disk?

Let it.

A re-install is probable if for no other reason then time.

Failing the scannow option, try one more thing http://www.prevx.com/filenames/X408128796900076174-X1/TTUX.QQO.html Try to install it and if it finds the malware, it"s up to you as to buying it for a month for $15. Alternatively, you can install  http://www.misec.net/trojanhunter/ . The trial is fully funchional.

Either one not installing or not finding 'anything' is a re-install. Let me know and I'll PM instructions.

i went to site, downlaoed trojan hunter (30 free trial).  went to desktop, attempt to install it, windows said, no another program was using it.  closed opera, and attempt install, now the file is 'corrupted.'  repeated three times, dsame result.  IS this trojan blocking again?

 

BTW, re the timing, some of it was yesterday, some today, i telescoped it into one blurb.

This is your trojan:

[1] Troj/Oficla-BC [sophos.com]
http://origin-www.sophos.com/security/analyses/viruses-and-spyware/trojoficlabc.html

Your antivirus missed it because it's less than a week old (more about this later):

[2] Email with new password from Facebook Support contains trojan [mxlab.eu]
http://blog.mxlab.eu/tag/sasfis/

It is started along with the Windows shell. The shell is the program that makes Windows look and behave like Win7 and not like Leopard or Konqueror. That registry entry reported by your AV stores the command that will start the default shell. The trojan is apparently started with the incantation "rundll32.exe someMalware.dll someArgumentToIt" which it appends to the original "start shell" command, "Explorer.exe" (see [1]), creating a little two-command script.

[3] Different Shells for Different Users [microsoft.com]
http://msdn.microsoft.com/en-us/library/ms838576%28WinEmbedded.5%29.aspx

That's why you didn't spot it in the list of startup apps. That's also why you didn't recognize it in the list of running processes - if it was still running, it would appear as "rundll32.exe" in Task Manager. More likely, though, it started other processes with "svchost.exe" or "dllhost.exe" and then terminated. If so, those processes won't be visible individually from Task Manager. You'll want to use SysInternals' "Process Explorer" instead (right-click a process > Properties... > Services).

[4] Process Explorer v14 [microsoft.com]
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

The trojan seems to have installed a rootkit. Avira failed to delete ttux.qqo because it (or one of the processes it started) was already intercepting filesystem calls. That would also explain why System Restore failed. Since Avira reported that it had (successfully) edited the registry, and had scheduled ttux.qqo for deletion (but was the computer restarted before you ran System Restore so that this could happen?), the trojan also seems to proofread registry entries before the OS is restarted so that it isn't deleted and continues to start with the shell.

However, you may be able to outsmart it by specifying a "custom" shell for your user account. Run "regedit.exe" and navigate to the key "HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon". Is there a string value "Shell" defined for that key? If not, create a new string value "Shell" (Edit > New > String Value) and give it the value "explorer.exe", then restart Windows and log into that same account. Windows will start the "custom" shell for the account, explorer.exe, by running the command in the string value you just created, instead of starting the default shell and the trojan by running the infected command.[3] Now run Avira again - without the rootkit running, it should have unfettered access to the filesystem.

If Avira is again unable to delete "ttux.qqo", or if this registry value already exists and has the same problem as the default shell start command, you'll have to edit the registry while Windows is stopped. Find a friend with bandwidth and a CD burner and download the AVG rescue disk:

[5] AVG Rescue CD [avg.com]
http://www.avg.com/us-en/226386

This is a Linux LiveCD with AVG antivirus and some Windows tools, including a registry editor. Boot your computer with the AVG CD and scan the drives on your computer. (Find that portable E: drive and scan it, too.) Then run the registry editor on the CD and fix the registry keys that start the shell, if necessary:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
  "Shell" = "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  "Shell" = "Explorer.exe"
 
and delete the key
HKEY_Users\*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

in every account *. (Unless of course you really ARE using a custom shell.)

PFK2  thank you.  I don't fully understand the details of what you wrote, but I have a general idea.  And yes, I did receive a bogus email from "facebook" NOT about a week ago.  So this all makes sense.  I don't use windows explorer, but it is on my pc.  Was the dormant IE the vehicle the bug used to initially stay in my PC?  I stopped using IE because it seems to attract bugs.

Would I get rid of this if I reinstalled, or repaired windows from my XP home edition CD?

 

One final question, please, before I pull my hair out, and cry...

 

Is there a way to boot up in this linux live cd (or similar)  for times when I am accessing the web?  My thought is that if so many of there bugs target Window, and IE, then I should use an OS that the bug can't make its changes in?  

 

All of you have been wonderful, and i thank you....

 

 

 

 

Please don't cry. I know that this must be very frustrating for you, but your computer will recover if you're patient.

Explorer.exe is the program that provides the graphical user interface in Windows. It is the desktop, the start menu, the tooltips, and of course the file browser. It is a different program entirely than the Internet Explorer web browser (iexplore.exe). It is the "look and feel" of Windows. You can load a different look and feel (Stardock's "Object Desktop" for example), though few people do. IE almost surely wasn't the source of the trouble. My guess is, you inadvertently ran a little program attached to that bogus Facebook email which added the command to launch the trojan to the (existing) command in the Windows registry that starts the shell. Dr Guy is right, though - the HTML rendering engine that IE is built on is also used by the file browser (aka Windows Explorer) and most 3d-party apps that use HTML to draw their user interfaces, so you can't get rid of it.


Sure. I don't think the AVG LiveCD will be very convenient for everyday use, but there are lots of alternatives. You can download a small distribution like Puppy (130MB; http://puppylinux.org/) or DSL (50MB; http://www.damnsmalllinux.org/) to get you back to work until you can sort out your Windows issues, or Ubuntu (700MB; http://www.ubuntu.com/) if the size of the download doesn't deter you.

I know that much of that must have sounded very confusing. (Because it IS very confusing.) I was hoping that yrag will continue to help you and can fill in the details; s/he seemed to understand what had happened, and my purpose was just to delay you from doing something perfectly awful like completely erasing your HDD before yrag or someone at bleepingcomputer could get you sorted out. The problem yrag was having was that s/he couldn't figure out how the Trojan was starting, and s/he couldn't find the process it was running in and so couldn't try to stop it. (At which point Avira would probably be able to clean up the mess - don't you just love its little umbrella?)

Malware as "noisy" as this one isn't likely to be very sophisticated, so I suggested twiddling a registry entry that the trojan might not be monitoring as a way to start Windows without starting the trojan, too. You should understand clearly what changes you're going to make to the registry before you do it, because you'll bork the OS if it can't find the shell. (Reversibly, though, once you've got your AVG rescue CD in hand.)

Using the lingo of document [3], the trojan has edited key2 so that the trojan is started immediately after the shell (desktop et al.) has started. Instead of one command: the OS runs two commands
The first command starts the shell, the second command starts the trojan. Avira tried to delete that second command for you but evidently the trojan replaced it again. Key2 is the default command to start the shell. If there is a Key3 for a particular user, the OS will use the command in Key3 to start the shell instead of the (infected) command in Key2. Usually there IS no Key3, so there's a chance that the trojan isn't monitoring it. If you create Key3 for a user account and set it to run explorer.exe, the OS will skip Key2 and use Key3 instead - the shell will start when that user logs in, but the trojan won't. Now when you run Avira, what Avira wants to delete will get deleted.

If it turns out that the trojan is monitoring the default Key3 location, you could change Key1 to point to a different location for Key3, set that non-standard Key3 location to "explorer.exe", and hope that the trojan wasn't smart enough to follow Key1 to the new Key3 location. Let's see what happens with Key3 first, though.

If you can run regedit (start > Run > regedit.exe), look for these three keys and report back if there is something fishy about Key2 or Key3. (Like, Key3 is defined and exactly like infected Key2, or maybe Key2 doesn't appear to have a hitchhiker anymore.) When you feel brave enough, add Key3, restart your computer, and run regedit again to see if the trojan changed Key3. If not, run Avira again and celebrate. (Just a little though - there could be other nasties under the hood yet.)

Visual aids: http://s1006.photobucket.com/albums/af184/expertwitness/Windows%20shell%20keys/