
Author Topic: My Windows 7 Computer is infected with Win7 Security 2011  (Read 32995 times)


radioflyer91355

    Topic Starter


    Rookie

    • Experience: Experienced
    • OS: Windows 7
    Re: My Windows 7 Computer is infected with Win7 Security 2011
    « Reply #15 on: July 01, 2011, 07:02:49 AM »
    Sorry about that Dave. I thought everything was good to go. Thank you for your patience.  :)

    [recovering disk space - old attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: My Windows 7 Computer is infected with Win7 Security 2011
    « Reply #16 on: July 01, 2011, 12:39:23 PM »
    Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

    When you run MBAM, you need to "Remove the infections". Please run it again.

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
    O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.4\dealioToolbarIE.dll
    O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
    O2 - BHO: (no name) - {E601996F-E400-41CA-804B-CD6373A7EEE2} - (no file)
    O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.4\dealioToolbarIE.dll
    O4 - HKLM\..\Run: [MFARestart] "C:\ProgramData\MFAData\pack\avgrunasx.exe" /usereg


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    **************************************************
    Now, I need to see the logs for SAS, DDS and MBAM.
    Windows 8 and Windows 10 dual boot with two SSD's
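An added example, not part of the original posts: a small Python parser for the HijackThis entry lines quoted in Reply #16. It flags entries whose target is `(no file)` and groups entries by CLSID, so a component registered in more than one place (for example as both a BHO and a toolbar) shows up together. The field layout is inferred from the lines in the post, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Entries copied from the post above (the run-together O2 line is split in two).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.4\dealioToolbarIE.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: (no name) - {E601996F-E400-41CA-804B-CD6373A7EEE2} - (no file)
O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.4\dealioToolbarIE.dll
O4 - HKLM\..\Run: [MFARestart] "C:\ProgramData\MFAData\pack\avgrunasx.exe" /usereg
"""

# "<section> - <kind>: <rest>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
# COM-registered entries: "<name> - {CLSID} - <file path or (no file)>"
COM_RE = re.compile(r"^(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# Run-key entries: "[value name] <command line>"
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<target>.*)$")

def parse_entry(line):
    """Parse one log line into a dict; return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"section": m["section"], "kind": m["kind"],
             "name": None, "clsid": None, "target": m["rest"]}
    detail = COM_RE.match(m["rest"]) or RUN_RE.match(m["rest"])
    if detail:
        entry.update(detail.groupdict())
    # "(no file)" in the target slot: the registration points at a missing file.
    entry["orphaned"] = entry["target"] == "(no file)"
    return entry

def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def sections_by_clsid(entries):
    """Map each CLSID to the log sections it appears in, in log order."""
    groups = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].append(e["section"])
    return dict(groups)

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["section"], e["kind"], e["name"], "ORPHANED" if e["orphaned"] else e["target"])
```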

    radioflyer91355

      Topic Starter


      Rookie

      • Experience: Experienced
      • OS: Windows 7
      Re: My Windows 7 Computer is infected with Win7 Security 2011
      « Reply #17 on: July 02, 2011, 09:35:27 AM »
      Here are all of those logs per your request. Thank you very much for your help on this  :D

      [recovering disk space - old attachment deleted by admin]

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: My Windows 7 Computer is infected with Win7 Security 2011
      « Reply #18 on: July 02, 2011, 05:38:06 PM »
      Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

      You still didn't fix the infections in MBAM. Here's the line from the instructions:
      Make sure that everything is checked, and click Remove Selected.

      Download OTL to your desktop.

      * Open OTL
      * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

      Code:
      :OTL
      uURLSearchHooks: H - No File
      TB: {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - No File
      TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

      :COMMANDS
      [resethosts]
      [purity]
      [emptytemp]
      [start explorer]

      * Click Run Fix
      * OTLI2 may ask to reboot the machine. Please do so if asked.
      * Click OK
      * A report will open. Copy and Paste that report in your next reply.
      ***********************************************************
      The logs show that you have two Anti-Virus programs on your computer. Only one AV should be active on your computer. You should uninstall AVG because it will interfere with one of the scans. If you have trouble uninstalling it please use the AVG removal tool below.

      AVG Antivirus - AVG Antivirus Remover utility

      Update Your Java (JRE)

      Old versions of Java have vulnerabilities that malware can use to infect your system.


      First Verify your Java Version

      If there are any other version(s) installed then update now.

      Get the new version (if needed)

      If your version is out of date install the newest version of the Sun Java Runtime Environment.

      Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

      Be sure to close ALL open web browsers before starting the installation.

      Remove any old versions

      1. Download JavaRa and unzip the file to your Desktop.
      2. Open JavaRA.exe and choose Remove Older Versions
      3. Once complete exit JavaRA.

      Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
      *****************************************
      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link # 1
      Link # 2
      If you are using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Right-click combofix.exe and select Run as Administrator and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
      Windows 8 and Windows 10 dual boot with two SSD's

      radioflyer91355

        Topic Starter


        Rookie

        • Experience: Experienced
        • OS: Windows 7
        Re: My Windows 7 Computer is infected with Win7 Security 2011
        « Reply #19 on: July 02, 2011, 09:19:07 PM »
        Here are all of the logs from your last reply.

        [recovering disk space - old attachment deleted by admin]

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: My Windows 7 Computer is infected with Win7 Security 2011
        « Reply #20 on: July 03, 2011, 12:34:59 PM »
        Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

        Please download SystemLook from one of the links below and save it to your desktop.

        Link # 1
        Link # 2

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Double-click SystemLook.exe to run it.

        Copy the contents of the following codebox into the main textfield.
        Code:
        :filefind
        userinit.exe

        Click the Look button to start the scan.

        Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).

        When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
        Windows 8 and Windows 10 dual boot with two SSD's

        radioflyer91355

          Topic Starter


          Rookie

          • Experience: Experienced
          • OS: Windows 7
          Re: My Windows 7 Computer is infected with Win7 Security 2011
          « Reply #21 on: July 03, 2011, 04:56:14 PM »
          Here you go :)

          [recovering disk space - old attachment deleted by admin]

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: My Windows 7 Computer is infected with Win7 Security 2011
          « Reply #22 on: July 04, 2011, 04:42:50 PM »
          Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

          Go to Start > Run > type Notepad.exe and click OK to open Notepad.

          Copy all of the text in the below Code box into Notepad.

          Code:
          @echo off
          copy C:\Windows\ERDNT\cache\userinit.exe c:\userinit.exe
          exit

          In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

          Now double click the event.bat file you just created and let it finish.

          You will know it's finished when there is a new file on your desktop.

          Please run another scan of ComboFix and post the log after doing the above bat file.
          Windows 8 and Windows 10 dual boot with two SSD's

          radioflyer91355

            Topic Starter


            Rookie

            • Experience: Experienced
            • OS: Windows 7
            Re: My Windows 7 Computer is infected with Win7 Security 2011
            « Reply #23 on: July 04, 2011, 07:51:14 PM »
            Combo Fix Log

            [recovering disk space - old attachment deleted by admin]

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: My Windows 7 Computer is infected with Win7 Security 2011
            « Reply #24 on: July 05, 2011, 05:21:03 PM »
            Please go to Jotti's malware scan
            (If more than one file needs scanned they must be done separately and links posted for each one)

            * Copy the file path in the below Code box:

            Code:
            c:\windows\system32\windrv.sys
            * At the upload site, click once inside the window next to Browse.
            * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
            * Next click Submit file
            * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
            * This will perform a scan across multiple different virus scanning engines.
            * Important: Wait for all of the scanning engines to complete.
            * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
            Please update and run another scan with SAS and post the log here.
            *****************************************************
            Re-running ComboFix to remove infections:

            • Close any open browsers.
            • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
            • Open notepad and copy/paste the text in the quotebox below into it:
              Quote
              KillAll::

              DirLook::
              C:\sh4ldr

            • Save this as CFScript.txt, in the same location as ComboFix.exe



            • Referring to the picture above, drag CFScript into ComboFix.exe
            • When finished, it shall produce a log for you at C:\ComboFix.txt
            • Please post the contents of the log in your next reply.
            Windows 8 and Windows 10 dual boot with two SSD's

              radioflyer91355

                Topic Starter


                Rookie

                • Experience: Experienced
                • OS: Windows 7
                Re: My Windows 7 Computer is infected with Win7 Security 2011
                « Reply #26 on: July 06, 2011, 12:41:15 AM »
                ComboFix

                [recovering disk space - old attachment deleted by admin]

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: My Windows 7 Computer is infected with Win7 Security 2011
                « Reply #27 on: July 06, 2011, 04:31:52 PM »
                Ok. That didn't work. Could you please open this folder and tell me what's in it?  C:\sh4ldr

                SysProt Antirootkit

                Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                http://sites.google.com/site/sysprotantirootkit/

                Unzip it into a folder on your desktop.
                • Double click Sysprot.exe to start the program.
                • Click on the Log tab.
                • In the Write to log box select the following items.
                  • Process << Selected
                  • Kernel Modules << Selected
                  • SSDT << Selected
                  • Kernel Hooks << Selected
                  • IRP Hooks << NOT Selected
                  • Ports << NOT Selected
                  • Hidden Files << Selected
                • At the bottom of the page
                  • Hidden Objects Only << Selected
                • Click on the Create Log button on the bottom right.
                • After a few seconds a new window should appear.
                • Select Scan Root Drive. Click on the Start button.
                • When it is complete a new window will appear to indicate that the scan is finished.
                • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                Windows 8 and Windows 10 dual boot with two SSD's

                radioflyer91355

                  Topic Starter


                  Rookie

                  • Experience: Experienced
                  • OS: Windows 7
                  Re: My Windows 7 Computer is infected with Win7 Security 2011
                  « Reply #28 on: July 06, 2011, 08:31:25 PM »
                  C:\sh4ldr
                  The file says sh4ldr.mbr
                  If I try to open it, the window pops up "Windows can't open this file"

                  radioflyer91355

                    Topic Starter


                    Rookie

                    • Experience: Experienced
                    • OS: Windows 7
                    Re: My Windows 7 Computer is infected with Win7 Security 2011
                    « Reply #29 on: July 06, 2011, 11:11:21 PM »
                    ok that froze. Should I try it again?