Yes - that did not work but command.com did, so we checked the shell/open/ .exe key and it was set to 'secfile'. Changed to 'exefile' and exe's now open/run ok. 'cmd' works in 'run'. He has an entry in classes/root for 'secfile' which I do not - is this part of the infection? (He has no connection with PGP).

Running a very slow sfc /scannow right now.

regsvr brings up the familiar 'entry point' error??