Mental Note: The "my documents explorer" which pops up on Windows boot is the identical window you would receive if your desktop/start menu had been visible and explorer was started from Task Manager. I believe part of the infection used explorer as a startup, and since it has been removed, code is lying around in regedit linking to the deleted file and causing this problem, but as of yet I have been unable to locate it.
- I am running Windows Vista Home with all updates at present
- Via msconfig, "Load startup items" has been unchecked so startup is clean
- I have tried using System Restore and going back ~week+ before the infection occurred, and this has not fixed the problem
Any help would be appreciated. Attached are logfiles that should be helpful; please advise what other tools may be used to provide more effective logs to diagnose the issue.
Found this in the DDS log. The file (qiaap.exe) has long since been deleted, but something missed this registry item; going to delete it and try a reboot in a few minutes.
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.com/
uWinlogon: Shell=explorer.exe "c:\users\username\qiaap.exe"
Removing the highlighted entry was the solution! Yay for DDS; however, it would be great if someone could look over the logs and see if I missed anything.
Edited by MadStudent, 30 December 2009 - 03:42 AM.
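A check for the kind of leftover entry found in the DDS log above, as an added example that is not part of the original post and is not DDS code. It reads the Winlogon `Shell` and `Userinit` values from both the per-user and machine hives, reports anything other than the stock values, and lists quoted paths that no longer exist on disk. The function name `Test-WinlogonValue` is hypothetical, and the expected values are assumed to be the stock Windows defaults.

```powershell
# Added example (not from the original post): audit Winlogon Shell/Userinit.
$subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed stock values treated as clean; anything else is reported for review.
$expected = @{
    Shell    = @('explorer.exe')
    Userinit = @("$env:SystemRoot\system32\userinit.exe,",
                 "$env:SystemRoot\system32\userinit.exe")
}

function Test-WinlogonValue {
    param([string]$Hive, [string]$Name)

    $item = Get-ItemProperty -Path "${Hive}:\$subKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing value under HKCU is the normal state.
        return [pscustomobject]@{
            Hive = $Hive; Name = $Name; Value = '<not set>'
            Status = 'OK'; Missing = ''
        }
    }

    # -contains compares strings case-insensitively.
    $value  = ([string]$item.$Name).Trim()
    $status = if ($expected[$Name] -contains $value) { 'OK' } else { 'REVIEW' }

    # Quoted paths inside the value (as in the entry above) that are gone from
    # disk indicate a leftover reference to an already deleted file.
    $missing = [regex]::Matches($value, '"([^"]+)"') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { -not (Test-Path -LiteralPath $_) }

    [pscustomobject]@{
        Hive = $Hive; Name = $Name; Value = $value
        Status = $status; Missing = ($missing -join '; ')
    }
}

$results = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($name in 'Shell', 'Userinit') {
        Test-WinlogonValue -Hive $hive -Name $name
    }
}
$results | Format-Table -AutoSize -Wrap
```

Run it as the affected user so that `HKCU` resolves to that user's hive; a row marked `REVIEW` with a non-empty `Missing` column matches the situation described in the post.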