Topic: "Your System is Infected" is virus leeching my computer - help please! :)

pigeonpoo9

    Topic Starter


    Rookie

    I'm not sure what you mean by 'paid' - the PC Guard I was using was 'free' with my broadband, but I was paying for the Broadband... so I guess it's paid? It was also updated. However, I've since changed to avast, which has thrown up a few viruses. The file names are:

    A0088169.exe - Win32: Trojan - gen
    A0088444.exe - "
    A0088763.exe - "
    A0095249.exe - Win32: Rootkit - gen
    Win32avs.exe.vir

    I've deleted the above, but the following system files remain in the avast 'chest', as I didn't know what to do with them:

    kernel32.dll
    winsock.dll
    wsock32.dll

    My computer has also developed an annoying habit of opening the My Documents folder on start up. This has only started occurring since I deleted PC Guard and downloaded avast.

    I've attached my latest Malwarebytes log :)

    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Quote
    I've deleted the above, but the following system files remain in the avast 'chest', as I didn't know what to do with them:

    kernel32.dll
    winsock.dll
    wsock32.dll

    Leave them there.

    Run a new HijackThis scan and post the log please.

    pigeonpoo9

      Thanks

      [attachment deleted by admin]

      evilfantasy

      Disable Spybot's TeaTimer

      While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until we are done.

      1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
      2. Run Spybot S&D
      3. Go to the Mode menu, and make sure Advanced Mode is selected.
      4. On the left hand side, choose Tools > Resident
      5. Uncheck Resident TeaTimer, OK any prompt, and restart your computer.

      Note:
      If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

      If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

      ----------

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      - F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\word64main.exe,

      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ----------

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      Note: It is important that it is saved directly to your Desktop.

      Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

      pigeonpoo9

        I performed the Malwarebytes scan, and checked and fixed
        F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\word64main.exe,

        However, it seemed to fix it so quickly that I wasn't sure that I had done it properly. I pressed scan again, and found:

        F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\word64main.exe,

        Is this right?

        I've also attached the latest ComboFix log.

        [attachment deleted by admin]
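
Added example (not part of the thread and not any poster's code): a Python check over the two F2 lines quoted in the post above. Winlogon launches every comma-separated program in the Userinit value at logon, so the check splits the value and tags each entry; the stock path C:\WINDOWS\system32\userinit.exe is an assumption for a default Windows XP install, and the function names are illustrative.

```python
import ntpath
import re

# Assumption: the stock Windows XP value is this one path followed by a comma.
EXPECTED = r"c:\windows\system32\userinit.exe"

# The two HijackThis lines quoted in the post above (before and after "Fix checked").
BEFORE = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\word64main.exe,"
AFTER = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\word64main.exe,"

F2_USERINIT = re.compile(r"^\s*(?:-\s*)?F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def userinit_entries(line):
    """Return the comma-separated programs in an F2 UserInit line, or None."""
    match = F2_USERINIT.match(line)
    if match is None:
        return None
    return [part.strip() for part in match.group(1).split(",") if part.strip()]


def classify(entry):
    """Tag one entry as 'expected', 'review' (right name, wrong path) or 'unexpected'."""
    norm = ntpath.normpath(entry.strip('"')).lower()
    if norm == EXPECTED:
        return "expected"
    if ntpath.basename(norm) == "userinit.exe":
        return "review"
    return "unexpected"


def audit(line):
    """Return [(entry, tag), ...] for a UserInit line, or None for any other line."""
    entries = userinit_entries(line)
    if entries is None:
        return None
    return [(entry, classify(entry)) for entry in entries]


def still_hijacked(line):
    """True if any entry besides the stock path remains in the value."""
    result = audit(line)
    return bool(result) and any(tag != "expected" for _, tag in result)


if __name__ == "__main__":
    for label, line in (("before fix", BEFORE), ("after fix", AFTER)):
        for entry, tag in audit(line):
            print(f"{label}: {tag:10} {entry}")
```

Run against the two quoted lines, the second scan still carries the word64main.exe entry; only the bare userinit.exe entry is gone.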

        pigeonpoo9

           :)

          [attachment deleted by admin]

          evilfantasy

          That's the same log you posted earlier.

          Download OTM by OldTimer to your desktop.

          Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

          * Save it to your Desktop.
          * Double-click OTM.exe to run it.
          * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

          Code:
          :Processes
          explorer.exe

          :services

          :reg

          :files

          :Commands
          [purity]
          [emptytemp]
          [start explorer]

          * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
          * Click the red Moveit! button.
          * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
          * Close OTM.

          Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
          « Last Edit: July 26, 2009, 10:16:45 PM by evilfantasy »

          pigeonpoo9

            Oh dear....

            After I copied that information into OTM and clicked Moveit!, the program did its thing, then asked to reboot. I couldn't select any of the information in the Results section, so couldn't copy it.

            When the computer rebooted, all I got was my background. I managed to get task manager up, and rebooted several times, but still, just the background. I rebooted in Safe Mode, but all I got was a black screen, so had to restart.

            I've managed to get my internet connected and an internet browser window up using Task Manager, but do not have a Task bar or start button, and there's nothing on my desktop. I tried to run OTM, and it brought up a log, so I've posted that.

            I must have done something wrong, but followed the instructions exactly. I was sure that I only highlighted the text on the previous Code box; would it have made a difference if there was an extra space in it??

            With regards to the previous Combo Fix log - I definitely attached a log that was different to the previous one - unless I failed to follow previous instructions properly....

            [attachment deleted by admin]

            evilfantasy

            Start the computer in Safe Mode (see "Getting into Windows Safe Mode").

            From the options choose Last Known Good Configuration.

            Let me know how that goes.

            Do you have your Windows install CD?

            pigeonpoo9

              I'll do that now.

              I don't have the Windows Install CD - I have recovery discs, though. Will this do any good?

               - Had a go at starting in Last Known Good Configuration... no luck. I'll get the recovery discs ready!

              -  Sorry to modify my post yet again, but something strange has happened. I tried to open just any old folder in desperation using Task Manager (I think it was shared documents or something), and a Windows message came up:

              /idlist.:992:3832,C:\Documents
              Windows cannot find '/idlist.:992:3832,C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

              My start menu, task bar and Desktop came back at this. When I restarted my computer, they were gone again, but when I opened another folder, I got the Windows message and they came back again, although my computer is slowing down at odd moments, then picking up in speed again. Hummm... is this no longer a malware problem? Should I post this in another forum?

              Thanks
              « Last Edit: July 27, 2009, 03:32:35 AM by pigeonpoo9 »

              Acomber

              • Guest
              Edited.
              « Last Edit: May 10, 2010, 05:58:59 PM by SuperDave »

              sunnysky



                Rookie

                I had a similar-looking virus wreak havoc on my comp a few weeks ago. I had Norton antivirus, which, apparently, proved to be useless. The virus simply messed it up. The virus prevented me from opening any antivirus programs...so I restarted in safe-mode and ran Malwarebytes. MB picked up the virus and squashed it flat against the wall, like a disgusting bug. I know this method doesn't work for everyone...but it's worth a try. :)

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Due to no further response from the OP, this thread is locked. If the OP wants it re-opened, please PM me.