Tech-101 Free Computer Support

Win32 heur.. nasty!

#1 | 03-04-2010, 11:38 AM | Junior Member (Join Date: Mar 2010, Posts: 10)

On Monday I got some scareware that directed me to buy some bogus antivirus software. It locked everything down; it didn't allow me access to anything that could fix it (AVG, Malwarebytes, Spybot, etc.), and I couldn't download anything that might help. I restarted in Safe Mode with Networking, and was able to get rid of it... I thought.

Since then, my computer has been locking up every once in a while, requiring a hard restart, and the internet was running very slow. Then I got an alert from AVG that I have Win32 heur in my volume control file, and I deleted them. I went to Safe Mode, ran Malwarebytes and got rid of some more problems. I deleted restore points and everything seemed fine: internet ran fast, no locking, etc. I decided that it was too easy, and I went through your preliminary steps for malware removal... and that's when things got hairy.

After I disabled AVG, I downloaded GMER and tried to run it... got a flash of blue screen and a restart. I tried to run Malwarebytes, and same thing. This morning, I started in Safe Mode, and was able to run GMER and DDS, then I restarted to regular mode. It wanted to do a file cleanup, and I let it; it deleted and restored a bunch of files in the 3 steps.

So here I am, asking for help... This is way beyond my ability to take care of!!! Any help would be appreciated!
#2 | 03-04-2010, 12:31 PM | Blind Dragon, Site Admin (Join Date: Dec 2008, Location: Florida, Posts: 1,463)

Can you please post the DDS and MBAM logs. Also GMER if you have gotten it to run.
#3 | 03-04-2010, 02:19 PM | Junior Member (Join Date: Mar 2010, Posts: 10)

Here's what I have so far... GMER is giving me an error when I try to attach. I'll send what I've got, and keep trying for that...
Attached Files
File Type: txt Attach.txt (42.2 KB, 2 views)
File Type: txt mbam-log-2010-03-01 (15-59-49).txt (1.9 KB, 1 views)
File Type: txt mbam-log-2010-03-02 (12-18-14).txt (1.1 KB, 1 views)
File Type: txt mbam-log-2010-03-04 (11-04-05).txt (993 Bytes, 1 views)
File Type: txt AVG Vault log.txt (1.1 KB, 1 views)
#4 | 03-04-2010, 02:21 PM | Junior Member (Join Date: Mar 2010, Posts: 10)

Ok, got it to upload. User error.
Attached Files
File Type: txt GMER Log.txt (1.3 KB, 1 views)
#5 | 03-04-2010, 02:24 PM | Junior Member (Join Date: Mar 2010, Posts: 10)

My work IT guy thinks that all these anti-viral/malware programs are reacting off of each other. He has a point- whenever resident shield pops up a warning, it shows up as malware/trojan/whatever, but the process the "malware" came from is mbam.
#6 | 03-05-2010, 02:28 AM | Blind Dragon, Site Admin (Join Date: Dec 2008, Location: Florida, Posts: 1,463)

I don't think so. What you don't want is two anti-virus programs that both have resident protection; that can cause conflicts. The free MBAM does not actively scan memory or files unless you launch it and select Scan. If anything would be conflicting, it would probably be Client Security Solution by Lenovo and AVG.

Anyways I still see malware there:

Please download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
      • System Memory
      • Startup Objects
      • Disk Boot Sectors
      • My Computer
      • Also any other drives (removable) that you may have
  • After that click on Security level, then choose Customize, click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then OK. Choose OK again to go back to the main screen.
  • Click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it as Kas to the desktop.
  • Post only the detected virus/malware in the report; it will be at the very top under Detected.
Note: This tool will self uninstall when you close it, so please remember to save the log before closing it.
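The admin's point in post #6 is that two products with resident (on-access) protection fight each other, while an on-demand scanner like the free MBAM does not. As an added example, not code from the thread or from any of the tools it mentions, the PowerShell below asks Windows Security Center which anti-virus products are registered and warns when more than one reports resident protection. It assumes the WMI classes root\SecurityCenter2\AntiVirusProduct (Vista and later) and root\SecurityCenter\AntiVirusProduct (XP); the bit layout used to decode productState is the commonly documented but unofficial interpretation and is marked as an assumption in the code.

```powershell
# Added example (not from the thread): list anti-virus products registered with
# Windows Security Center and flag more than one resident scanner.
# Written for Windows PowerShell 2.0 and later (no PS3-only syntax).

function Get-RegisteredAntiVirus {
    $products = @()

    # Vista and later register products under root\SecurityCenter2 with a packed
    # productState value. Assumption: the widely documented, unofficial layout in
    # which the middle byte is 0x10 when real-time protection is on and the low
    # byte is 0x00 when definitions are current.
    $sc2 = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in @($sc2 | Where-Object { $_ -ne $null })) {
        $state  = [int]$p.productState
        $middle = [int][math]::Floor($state / 256) -band 0xFF
        $low    = $state -band 0xFF
        $products += New-Object PSObject -Property @{
            Name     = $p.displayName
            Resident = ($middle -eq 0x10)   # assumption: 0x10 = on-access scanning enabled
            UpToDate = ($low -eq 0x00)      # assumption: 0x00 = definitions up to date
            Source   = 'root\SecurityCenter2'
        }
    }

    # Windows XP registers products under root\SecurityCenter and exposes the
    # same information as plain boolean properties instead of a packed state.
    if ($products.Count -eq 0) {
        $sc1 = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in @($sc1 | Where-Object { $_ -ne $null })) {
            $products += New-Object PSObject -Property @{
                Name     = $p.displayName
                Resident = [bool]$p.onAccessScanningEnabled
                UpToDate = [bool]$p.productUptoDate
                Source   = 'root\SecurityCenter'
            }
        }
    }
    return $products
}

$av = @(Get-RegisteredAntiVirus)
$av | Format-Table Name, Resident, UpToDate, Source -AutoSize

# The conflict the admin describes: two or more products both doing on-access scanning.
$resident = @($av | Where-Object { $_.Resident })
if ($resident.Count -gt 1) {
    $names = ($resident | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "More than one product reports resident protection ($names); keep one and disable or uninstall the others."
} elseif ($av.Count -eq 0) {
    Write-Warning "No anti-virus product is registered with Security Center."
}
```

Run it from a PowerShell prompt on the affected machine. Security Center only lists products that register with it, so a product missing from the table is not proof it has no resident component; the table is a starting point for deciding which one to keep, not a replacement for the log review the admin asks for.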
#7 | 03-05-2010, 10:18 AM | Junior Member (Join Date: Mar 2010, Posts: 10)

The Kaspersky link in your response does not work.. Resend?
#8 | 03-05-2010, 10:49 AM | Blind Dragon, Site Admin (Join Date: Dec 2008, Location: Florida, Posts: 1,463)

Sorry about that, link fixed
#9 | 03-05-2010, 12:30 PM | Junior Member (Join Date: Mar 2010, Posts: 10)

Ran Kaspersky, but it wasn't 100% laid out the way you indicated in your instructions; I worked through it. Also, there wasn't any option to save the results, which appeared to be perfectly clean, with 2 events: the start of the scan and the end.
#10 | 03-05-2010, 12:47 PM | Blind Dragon, Site Admin (Join Date: Dec 2008, Location: Florida, Posts: 1,463)

They may have changed it a bit since last time I used it...

Disable AVG real-time protection for this part: How to disable real time monitoring...

---------------------------------------------------

Combofix
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [screenshot of the ComboFix message]
    Click on Yes, to continue scanning for malware.
  • When the scan completes it will open a text window. Please attach that log back here.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
All times are GMT -4. The time now is 04:35 PM.

Copyright © 2009 Tech-101.com. All rights reserved.
