
Author Topic: AV Security Suite + can't run programs  (Read 10459 times)


ecksemmess

    Topic Starter


    Rookie

    AV Security Suite + can't run programs
    « on: July 07, 2010, 07:59:33 PM »
    Hi there,

    My problem is the standard AV Security Suite infection with an inability to run just about any program, including task manager, system restore, and so on.  I'm running Win7 Home and Norton Internet Security 2009.  Norton is one of the few programs that at least appears to run, and it says protection is fully enabled but I'm skeptical; its scans claim the system is clean.  The infection came on quite suddenly in the midst of browsing the web with FireFox v3.5.10 (just about up to date) for no apparent reason.  I really desperately need to be guided through the process of getting this fixed, and only have a couple of days to get to that point, so whatever timely assistance you guys can provide will be SUPREMELY appreciated.  Thanks in advance.

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: AV Security Suite + can't run programs
    « Reply #1 on: July 07, 2010, 08:02:01 PM »
    Hello, and welcome to Computer Hope.

    Please note the following information about the malware forum:
    • Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff noted above.
    • Please do not attach logs or post them in Quote/Code boxes unless requested.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, reply to this topic with the word BUMP.
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Please download and run RKill.

    Download mirror 1 - Download mirror 2 - Download mirror 3

    • Save it to your Desktop.
    • Double click the RKill desktop icon.
    • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.
    Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.


    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    ~Dr Jay

    ecksemmess

      Re: AV Security Suite + can't run programs
      « Reply #2 on: July 07, 2010, 08:08:11 PM »
      Bad news: all three versions of rkill you linked fail instantly upon run, and all in the same way: I get the message "Application cannot be executed.  The file [filename] is infected.  Do you want to activate your antivirus software now?"  This seems to be AV Security Suite acting up, since it's the same thing that happens when I try to run anything else.  Next step?

      Dr Jay
      Re: AV Security Suite + can't run programs
      « Reply #3 on: July 07, 2010, 08:12:40 PM »
      Please open Notepad and enter in the following:
      Code:
      Windows Registry Editor Version 5.00

      ; Restores the stock .exe file association (.EXE -> exefile -> "%1" %*)
      ; that the rogue AV replaced so that every program launch went through it.

      [HKEY_CLASSES_ROOT\.EXE]
      @="exefile"
      "Content Type"="application/x-msdownload"

      [HKEY_CLASSES_ROOT\.EXE\PersistentHandler]
      @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

      [HKEY_CLASSES_ROOT\exefile]
      @="Application"
      "EditFlags"=hex:38,07,00,00
      ; REG_EXPAND_SZ, UTF-16LE: "@%SystemRoot%\System32\shell32.dll,-10156"
      "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
        00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
        32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
        00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

      [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
      @="%1"

      [HKEY_CLASSES_ROOT\exefile\shell]

      [HKEY_CLASSES_ROOT\exefile\shell\open]
      "EditFlags"=hex:00,00,00,00

      ; Quotes inside a .reg string value must be escaped with a backslash.
      [HKEY_CLASSES_ROOT\exefile\shell\open\command]
      @="\"%1\" %*"
      "IsolatedCommand"="\"%1\" %*"

      [HKEY_CLASSES_ROOT\exefile\shell\runas]

      [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
      @="\"%1\" %*"
      "IsolatedCommand"="\"%1\" %*"

      [HKEY_CLASSES_ROOT\exefile\shellex]

      [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
      @="{86C86720-42A0-1069-A2E8-08002B30309D}"

      ; Remove the per-user override, which rewriting HKEY_CLASSES_ROOT alone would not touch.
      [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
      Then, click File > Save as...
      Save as fixEXE.reg to your Desktop.
      Choose Save as type... All Files.
      Click Save.

      Then, exit Notepad.

      Double-click on fixEXE.reg. Allow it to merge in the Registry. Then, please reboot your computer, and let me know if you can open programs (exe files).
      ~Dr Jay
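The fix above works by rewriting the exefile association that the rogue AV hijacked so that every .exe launch was routed through it. Before merging a .reg file someone has handed you, it is worth reading what it actually sets. The following is an added example, not code from the thread or from any of the tools named in it: a small parser for the .reg file format that decodes the hex(2) FriendlyTypeName blob into its string, and a check that the file restores the stock chain (.EXE maps to exefile, the open verb is "%1" %*) and removes the per-user UserChoice override. FIX_EXE_REG is a copy of the fix posted above with the backslash-escaped quotes a real .reg file needs; HIJACKED_REG and its rogue.exe path are constructed to exercise the check and are not taken from the thread.

```python
"""Added example, not from the thread or any tool it names: parse a Windows
.reg file and check what it does to the .exe file-association chain."""
import re

# Copy of the fix posted above, with the backslash-escaped quotes a real .reg needs.
FIX_EXE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.EXE]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
'''

# Constructed hijack sample (placeholder rogue.exe path, not from the thread): the
# open verb launches another binary, which receives the real target as an argument.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.EXE]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\owner\\AppData\\Local\\Temp\\rogue.exe\" /START \"%1\" %*"
'''

STOCK_OPEN_COMMAND = '"%1" %*'
USER_CHOICE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice"


def _unescape(s):
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(data):
    """Decode a value's right-hand side: "string", hex:.. (binary) or hex(2):.. (expand-sz)."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data)
    if not m:
        raise ValueError(f"unsupported value syntax: {data}")
    kind, raw = m.group(1) or "3", bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == "2":  # REG_EXPAND_SZ is stored as NUL-terminated UTF-16LE
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw       # REG_BINARY and other kinds: keep the bytes


def parse_reg(text):
    """Return (keys, deleted): keys maps key path -> {value name: value}, with '@' for
    the default value; deleted lists the keys a [-KEY] section removes."""
    if not text.startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    lines, keys, deleted, current, i = text.splitlines(), {}, [], None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                deleted.append(path[1:])
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        if current is None:
            raise ValueError(f"value outside a key section: {line}")
        while line.endswith("\\"):  # hex data continues on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, data = line.partition("=")
        current["@" if name == "@" else _unescape(name.strip('"'))] = _decode_value(data)
    return keys, deleted


def check_exe_association(keys, deleted):
    """List what keeps this .reg from restoring the stock .exe handler chain."""
    problems = []
    if keys.get(r"HKEY_CLASSES_ROOT\.EXE", {}).get("@") != "exefile":
        problems.append(".EXE does not map to the exefile class")
    cmd = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("@")
    if cmd != STOCK_OPEN_COMMAND:
        problems.append(f"open command is not {STOCK_OPEN_COMMAND}: {cmd!r}")
    # Rewriting HKEY_CLASSES_ROOT does not touch the per-user override under HKCU,
    # which is why the posted fix deletes it; flag a file that forgets to.
    if USER_CHOICE_KEY not in deleted:
        problems.append("per-user FileExts\\.exe\\UserChoice is not removed")
    return problems
```

`check_exe_association(*parse_reg(FIX_EXE_REG))` returns an empty list for the posted fix, while the constructed hijack sample is reported for both its replaced open command and the UserChoice key it leaves in place. The parser only handles the value kinds the fix uses (quoted strings, hex and hex(2)); anything else raises rather than being silently skipped, which is the behaviour you want from a tool that vets a file before it is merged.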

      ecksemmess

        Re: AV Security Suite + can't run programs
        « Reply #4 on: July 07, 2010, 08:15:29 PM »
        I hate to break it to you, but the same thing happens with Notepad.

        Dr Jay
        Re: AV Security Suite + can't run programs
        « Reply #5 on: July 07, 2010, 08:18:39 PM »
        Yikes.

        Ok. Download and run this file: http://rapidshare.com/files/405619504/fixThis.reg

        It is the same fix, but I already made it for you. :)
        ~Dr Jay

        ecksemmess

          Re: AV Security Suite + can't run programs
          « Reply #6 on: July 07, 2010, 08:21:02 PM »
          Can't be sure whether that did anything useful or not, but I got the usual "Can't run" error for regedit.exe, so my guess is it didn't.  Crazy stuff.

          Dr Jay
          Re: AV Security Suite + can't run programs
          « Reply #7 on: July 07, 2010, 08:28:08 PM »
          Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

          Then, try to do ComboFix.
          ~Dr Jay

          ecksemmess

            Re: AV Security Suite + can't run programs
            « Reply #8 on: July 07, 2010, 08:40:43 PM »
            "Incompatible OS.  ComboFix only works for workstations with Windows 2000 and XP" As stated, I'm running Win7 Home.  Just keeps getting better, eh?  ::)

            Dr Jay
            Re: AV Security Suite + can't run programs
            « Reply #9 on: July 08, 2010, 12:44:44 PM »
            Save these instructions so you can have access to them while in Safe Mode.

            Please click here to download AVP Tool by Kaspersky.
            • Save it to your desktop.
            • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
            • Double-click the setup file to run it.
            • Click Next to continue.
            • Accept the License agreement and click Next.
            • It will, by default, install to your desktop folder. Click Next.
            • It will then open a window with a tab that says Automatic scan.
            • Under Automatic scan make sure these are checked:
              • Hidden Startup Objects
              • System Memory
              • Disk Boot Sectors
              • My Computer
              • Any other (removable) drives you may have
              Leave the rest of the settings at their defaults.
              • Then click Scan at the top right-hand corner.
              • It will automatically neutralize any objects found.
              • If some objects are left un-neutralized, click the button that says Neutralize all.
              • If it says an object cannot be neutralized, choose the Delete option when prompted.
              • After that is done, click the Reports button at the bottom and save the report to a file named Kas.
              • Save it somewhere convenient like your desktop, and post only the detected viruses/malware from the report (they are at the very top, under Detected) in your next reply.

                Note: This tool will self-uninstall when you close it, so please save the log before closing it.
              ~Dr Jay

              ecksemmess

                Re: AV Security Suite + can't run programs
                « Reply #10 on: July 08, 2010, 10:34:55 AM »
                OK, I've run the Kaspersky virus removal tool.  Please note, I am now back in Safe Mode w/Networking, and will stay in it until instructed otherwise.

                The tool ran fine, with the exception that one infected item couldn't be deleted, as you'll see below.  However, the instructions you gave for using it seem to be out of date; there was no option to scan "System Memory", and unfortunately, no option for saving the results of an Automatic Scan to a log file.  I therefore had to screencap it, but I assure you I did this with the utmost care, and nothing is left out.  The screencap should be attached.

                [recovering disk space - old attachment deleted by admin]

                Dr Jay
                Re: AV Security Suite + can't run programs
                « Reply #11 on: July 08, 2010, 04:04:26 PM »
                Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

                • Double-click on drweb-cureit.exe to start the program.
                  An Express Scan of your PC notice will appear.
                • Under Start the Express Scan Now, Click OK to start the scan.
                  This is a short scan that will scan the files currently running in memory.
                  If something is found, click the Yes button when it asks you if you want to cure it.
                • Once the short scan has finished, Click Options > Change settings
                • Choose the Scan tab and UNcheck Heuristic analysis
                • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
                • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
                • When finished, a message will be displayed at the bottom advising if any viruses were found.
                • Click Yes to all if it asks if you want to cure/move the file.
                • When the scan has finished, look if you can see the icon next to the files found.

                If so, click it, then click the next icon right below and select Move incurable.
                (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
                • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
                • Save the DrWeb.csv report to your Desktop.
                • Exit Dr.Web Cureit when you have finished.
                • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
                ~Dr Jay

                ecksemmess

                  Re: AV Security Suite + can't run programs
                  « Reply #12 on: July 08, 2010, 10:53:16 PM »
                  Whew!  That took nearly six hours, during which time of course I couldn't use my system for anything else!  Anyway, here's the log, with the ~100 MB (!!) of presumably useless "File was OK" messages edited out, of course (I highly doubt this forum could handle the entire thing, as even Notepad barely can  ;))





                  =============================================================================
                  Dr.Web Scanner for Windows v6.00.2 (6.00.2.05140)
                  (c) Doctor Web, Ltd., 1992-2010
                  Log generated on: 2010-07-08, 23:44:28 [OWNER-PC][owner]
                  Command line: "C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\cb1e5_xp.exe" /lng /ini:setup_xp.ini /fast
                  Operating system: Windows Seven Premium x64/WOW (Build 7600)
                  =============================================================================
                  DwShield doesn't load
                  Engine version: 5.00 (5.00.2.03300)
                  Engine API version: 2.02
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\f72f8b85 - 823 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\f59d69a5 - 7998 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\f9b83964 - 29168 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\8d03e1e2 - 34202 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\0bc6dc15 - 28292 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\883efafc - 27164 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\79138d56 - 25131 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\aa6a8b8f - 31464 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\8d92e899 - 18281 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\df57f52f - 18009 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\e6a6f399 - 24685 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\eb23cf16 - 13715 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\86f12352 - 16025 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\70faebaf - 15644 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\04afdfb5 - 23265 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\7584b30f - 23135 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\10023e0c - 20510 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\9930c694 - 25475 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\76d9c989 - 16298 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\39e73f8a - 19357 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\5d6bac2a - 18381 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\18efa546 - 19562 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\42a65dd9 - 27102 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\8a4ab744 - 21223 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\ea20238f - 26228 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\f37fa412 - 23251 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\3a1b9bf6 - 14982 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\2d6ad0d0 - 17748 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\c2e0fcf6 - 18725 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\c8d21683 - 18429 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\fc8a0442 - 6229 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\4718d86e - 142240 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\b7a589f2 - 66726 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\af265669 - 24512 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\21aafd79 - 82762 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\d91dab36 - 508543 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\eb29214a - 587 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\9b125301 - 1959 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\af427890 - 2033 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\7557ee9a - 1812 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\3862db60 - 1738 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\2445575b - 1885 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\8ab49450 - 2091 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\5d93dc8b - 1569 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\9a38cddf - 1834 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\d8f649f0 - 1018 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\9f78d954 - 2297 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\5d803d5a - 2110 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\095c507e - 2007 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\4941e267 - 2370 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\3df513ae - 2241 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\6f9ba643 - 2596 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\8ca1d589 - 2024 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\baad09b8 - 1609 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\8db367b4 - 1471 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\2cec4a50 - 1445 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\606fbde9 - 1895 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\b283179b - 2312 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\23205ab4 - 3006 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\0247cf05 - 2146 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\71443fe5 - 1714 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\647e3e65 - 2095 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\aa797df8 - 2715 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\e90db8a4 - 2545 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\b5c50ad5 - 2801 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\7fe183f8 - 6197 virus records
                  [Virus database] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\ecc8ad90 - 28348 virus records
                  Total virus records: 1547754
                  [Self-checking] C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\cb1e5_xp.exe
                  Key file: C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\setup.key
                  License key number: 0014068946
                  Registered to: An unauthorized User
                  License key activates on: 2010-03-16
                  License key expires on: 2010-09-16
                  Process in memory: C:\Windows\System32\smss.exe:228 - OK
                  Process in memory: C:\Windows\System32\csrss.exe:312 - OK
                  Process in memory: C:\Windows\System32\wininit.exe:348 - OK
                  Process in memory: C:\Windows\System32\csrss.exe:360 - OK
                  Process in memory: C:\Windows\System32\services.exe:404 - OK
                  Process in memory: C:\Windows\System32\lsass.exe:412 - OK
                  Process in memory: C:\Windows\System32\lsm.exe:440 - OK
                  Process in memory: C:\Windows\System32\winlogon.exe:468 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:564 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:636 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:700 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:736 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:832 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:892 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:920 - OK
                  Process in memory: C:\Windows\System32\svchost.exe:128 - OK
                  Process in memory: C:\Windows\explorer.exe:1096 - OK
                  Process in memory: C:\Windows\System32\ctfmon.exe:1308 - OK
                  Process in memory: C:\_TEMP\_KILLIT\drweb-cureit.exe:2020 - OK
                  Process in memory: C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\985ee5.exe:756 - OK
                  Process in memory: C:\Windows\SysWOW64\ctfmon.exe:1200 - OK
                  Process in memory: C:\Users\owner\AppData\Local\Temp\3D788B89-8950E05-77C3C829-56FC85C6\cb1e5_xp.exe:1468 - OK
                  [Memory scanning] No viruses found
                  Master Boot Record HDD1 - OK
                  Active OS/2 or WinNT Boot Sector HDD1 - OK
                  OS/2 or WinNT Boot Sector HDD1 - OK
                  OS/2 or WinNT Boot Sector HDD1 - OK

                  [Scan path] C:\Windows\system32
                  C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 - OK
                  C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 - OK


                  [...many megabytes of log material removed where files on disk were checked, all "OK"...]


                  -----------------------------------------------------------------------------
                  Scan statistics
                  -----------------------------------------------------------------------------
                  Scanned: 19361
                  Infected: 0
                  Modifications: 0
                  Suspicious: 0
                  Adware: 0
                  Dialers: 0
                  Jokes: 0
                  Riskware: 0
                  Hacktools: 0
                  Cured: 0
                  Deleted: 0
                  Renamed: 0
                  Moved: 0
                  Ignored: 0
                  Scan speed: 1922 Kb/s
                  Scan time: 0:11:36
                  -----------------------------------------------------------------------------

                  Master Boot Record HDD1 - OK
                  Active OS/2 or WinNT Boot Sector HDD1 - OK
                  OS/2 or WinNT Boot Sector HDD1 - OK
                  OS/2 or WinNT Boot Sector HDD1 - OK

                  [Scan path] C:\
                  C:\FINIS_IT.TXT - OK
                  C:\IPH.PH - OK


                  [...over 90 MB of log material removed where files were all "OK" with two exceptions, below:]


                  >>>C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{7F9F4FB6-7984-499B-9B76-24EFE7862B84}\{2D62FD9A-DB0F-44F7-AF9B-49318AD01F54}.qbd/data001 infected with BackDoor.Tdss.2459
                  >C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup\{7F9F4FB6-7984-499B-9B76-24EFE7862B84}\{2D62FD9A-DB0F-44F7-AF9B-49318AD01F54}.qbd - archive contains infected objects - moved


                  [...and further down:]


                  >>>C:\Documents and Settings\owner\DoctorWeb\Quarantine\{2D62FD9A-DB0F-44F7-AF9B-49318AD01F54}.qbd/data001 infected with BackDoor.Tdss.2459
                  >C:\Documents and Settings\owner\DoctorWeb\Quarantine\{2D62FD9A-DB0F-44F7-AF9B-49318AD01F54}.qbd - archive contains infected objects - moved


                  [...finally:]


                  D:\System Volume Information\tracking.log - OK
                  D:\System Volume Information\EfaData\SYMEFA.DB - OK

                  -----------------------------------------------------------------------------
                  Scan statistics
                  -----------------------------------------------------------------------------
                  Scanned: 813751
                  Infected: 2
                  Modifications: 0
                  Suspicious: 0
                  Adware: 0
                  Dialers: 0
                  Jokes: 0
                  Riskware: 0
                  Hacktools: 0
                  Cured: 0
                  Deleted: 0
                  Renamed: 0
                  Moved: 2
                  Ignored: 0
                  Scan speed: 207 Kb/s
                  Scan time: 5:03:29
                  -----------------------------------------------------------------------------

                  =============================================================================
                  Total session statistics
                  =============================================================================
                  Scanned: 833112
                  Infected: 2
                  Modifications: 0
                  Suspicious: 0
                  Adware: 0
                  Dialers: 0
                  Jokes: 0
                  Riskware: 0
                  Hacktools: 0
                  Cured: 0
                  Deleted: 0
                  Renamed: 0
                  Moved: 2
                  Ignored: 0
                  Scan speed: 48 Kb/s
                  Scan time: 5:15:09
                  =============================================================================


                    ecksemmess

                    Re: AV Security Suite + can't run programs
                    « Reply #13 on: July 09, 2010, 08:57:52 AM »
Before you reply - is there any way you could put me through more steps at a time?  I've seen some other posts on here where users are instructed to run, for example, SuperAntiSpyware, MBAM and HijackThis all in a single post, and then they post all three logs at once.  Something like that would be a lifesaver for me, because I'm under HUGE time pressures to get this fixed, and I could get a lot more done while you're logged off (some of these scans take forever!).

                    Thanks  :)

                    Dr Jay

                    Re: AV Security Suite + can't run programs
                    « Reply #14 on: July 09, 2010, 09:32:23 AM »
The last three tools had to be done alone, due to the nature of how they scan and work. No biggie. I think we can finish up with these tools.

                    Please do these steps in order.

1. Please download TFC by OldTimer to your desktop
• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
                    2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
                    Alternate link: BleepingComputer.com.
                    (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

                    Double Click mbam-setup.exe to install the application.

                    (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
                    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
                    • If an update is found, it will download and install the latest version.
                    • Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
                    • When the scan is complete, click OK, then Show Results to view the results.
                    • Make sure that everything is checked, and click Remove Selected.
                    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                    • Please save the log to a location you will remember.
                    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                    • Copy and paste the entire report in your next reply.
                    Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

                    3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

                    http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

                    Post the log from SUPERAntiSpyware when you've accomplished that.

                    4. Please run a free online scan with the ESET Online Scanner
                    • Tick the box next to YES, I accept the Terms of Use
                    • Click Start
                    • When asked, allow the ActiveX control to install
                    • Click Start
                    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
                    • Click Scan (This scan can take several hours, so please be patient)
                    • Once the scan is completed, you may close the window
                    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                    • Copy and paste that log as a reply to this topic

                    5. Post the following in your next reply:
                    • MBAM log
                    • SAS log
                    • ESET log
                    And, please tell me how your computer is doing.
                    ~Dr Jay