Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 133105 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #225 on: November 02, 2009, 11:21:32 PM »
There appear to be a few miscreants remaining but I will wait for edifyguy to return ;D

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #226 on: November 02, 2009, 11:48:50 PM »
Be back later.. edifyguy must be taking a break ..



Edifyguy had to go to work for a bit  ;)

I'm going to look at your log.

I'd rather you didn't uninstall Avast! at the moment if it can be prevented. There's a way to circumvent the skins if that's actually what's holding it up from starting, but I'd rather not stop the on-access scanner at the moment. Can you blame me?  ;D

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #227 on: November 02, 2009, 11:58:47 PM »
Ok .. no problem..
When should I check back?

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #228 on: November 03, 2009, 12:06:05 AM »
Well, ComboFix did a great job, as usual. :D

If you right-click the Avast! a-ball, you can go into "Program Settings" and uncheck the box next to "Enable skins for simple user interface." If skins are preventing you from starting Avast! that should let it start.

From the Tools menu, select "Schedule boot-time scan" and let it scan everything. I personally suggest telling it that it's OK to move everything to the chest including stuff in the Windows folder (advanced options.)

From the looks of your ComboFix log, ComboFix did most of the work already, and Avast! just needs to finish the leftovers.

One warning: your computer is a bit of a mess. You'll probably need to reinstall Internet Explorer 8, as we may have broken it by moving a suspicious file out of its reach. You'll also want to make a fresh System Restore point and then run Eusing Free Registry Cleaner to clean up the mess of stuff in the registry that used to point to Malware but now points nowhere and makes error messages. You might also need to uninstall and reinstall the .NET framework.

But your computer should otherwise behave pretty normally now, from the looks of the ComboFix log. The running processes look good.

Anybody notice anything I didn't? I'm not quite at leisure to study it just yet......

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #229 on: November 03, 2009, 12:30:05 AM »
I'm going through the ComboFix log, and I'm making a list of additional suspicious/malicious files to remove. I think I'll send it to you as a DOS script that will just move them to our previously designated safe spot.

One thing I see.....it reports that both Avast and BitDefender on-demand scanning were disabled. Did you do that at ComboFix's request (I usually don't) or did something else do it?

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #230 on: November 03, 2009, 12:39:44 AM »
Here's a Windows removal script. Rename it to remove the .txt and it'll run. Let me know if you get any strange messages out of it. It'll pause and keep the window open so you can read the messages.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #231 on: November 03, 2009, 01:11:16 AM »
OK let me catch up

To run the boot scan .. of course I have to reboot right?

Does the script you made run the same way as in Linux
just click on it or type it into the command window?


I disabled Avast at ComboFix's request but ComboFix reactivated it once it was finished.

Bitdefender .. I only use the online scanner now...

I tried the program and did not like it.. one of many that made my browser
so slow I grew a few gray hairs waiting for it to load.

.NET framework.. is a bummer.. it took me a long time to get that right last time
I had to uninstall and re-install

So...

Where should I start.. with the script or the boot scan?

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #232 on: November 03, 2009, 01:20:36 AM »
I notice that you have Scheduler.exe in your script

That is a small little program I have used for many years
to set alarm notices for my daily reminders.

I have it on all my computers..
Makes a nice loud alarm at times I set each day.
and a window pops up with a message to me that I type
into the interface when I set the alarm.

Took me a long time to find one easy to use and very loud!

Oh.. extensions don't show in windows so I will try to retype
the name of the file as it should be and hopefully that will do it
otherwise I guess I need to manually open the command window and copy the
text into it???

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #233 on: November 03, 2009, 03:04:10 AM »
Avast boot scan finished
Found a few more files
They are now in the chest.

I cannot get the bat file to run

Windows extensions are not turned on
I know there is a way to turn them on but don't remember
how to do it... so I cannot change the "dummy" txt extension

I reinstalled Malwarebytes.. thought I would run it too...

It has found 14 objects .. so far.. may just be the files already
in the chest.. but it can't hurt to see what it finds.




« Last Edit: November 03, 2009, 03:12:09 AM by Lynn210 »

Omega40

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #234 on: November 03, 2009, 03:13:45 AM »
Are we there yet?  :D

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #235 on: November 03, 2009, 04:07:25 AM »
Still working at it.. edifyguy is taking a break..

-------------

I ran Malwarebytes just to see what it would find... it found a bunch more stuff
First ran Quick Scan... then Full Scan.. will attach those logs for you.
--------

Whenever computer reboots the only error popups are .NET framework
and RUNDLL

-----------------

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #236 on: November 03, 2009, 04:30:47 AM »
I think MBAM checks the registry, so it'll find more interesting stuff. MBAM also looks for more privacy intrusions than Avast! does, whereas Avast! is primarily concerned with keeping viruses at bay.

SpyBot S&D would be another worthwhile check for privacy problems.

I think you've about got it, sounds like. Going to review your logs.

About getting that script to run: From any explorer select Tools then Folder Options, then on the View tab uncheck the box that says to hide extensions on known file types. That will allow you to truly change it into a .bat from the dummy .txt file. If scheduler is something you hold dear, just delete that line before you run it. It just looked as hokey as sin sitting there right in the root of the program files folder like that........

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #237 on: November 03, 2009, 04:33:18 AM »
Ran CCleaner to do some registry cleaning

attaching results

Cannot update IE -
actually cannot download anything
keep getting an error message..
Is that because of .NET framework?

suppose that should be next

What is the best way to go about fixing .NET framework?

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #238 on: November 03, 2009, 04:34:48 AM »
Was going to run Bitdefender online Scanner too but
can't seem to get IE to let me do anything not even install IE8

Turned updates on but could not access the page that checks for updates
needed...

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #239 on: November 03, 2009, 04:41:05 AM »
Hehe....no......your issue with IE8 is due to a file we removed because it was suspicious. Apparently it was safe. You can actually put it back manually if you like. It's in C:\quarants, it's called extexport.exe and it belongs in Program Files\Internet Explorer

If putting that back doesn't fix it (it should) I'll provide you with a link you can type into the "Run..." dialog box to download the reinstaller for it.

Looking at the MBAM logs, the full scan only found the stuff that ComboFix had quarantined already. But that's OK. I'm sure you feel better now that they've been quarantined twice. :D
« Last Edit: November 03, 2009, 04:44:47 AM by edifyguy »
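
The removal script in this thread moved files into C:\quarants, and one legitimate file (extexport.exe) then had to be put back by hand. As an added example, not the script posted in the thread: a quarantine move in PowerShell that records each file's original path and SHA-256 so a false positive can be restored exactly. The manifest file name and both function names are hypothetical, and PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example: quarantine-by-move with a manifest so any file can be put back.
# $QuarantineDir matches the C:\quarants folder named in the thread; the
# manifest name and the function names are hypothetical.
$QuarantineDir = 'C:\quarants'
$Manifest      = Join-Path $QuarantineDir 'manifest.csv'

function Move-ToQuarantine {
    param([Parameter(Mandatory)][string[]]$Path)
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not found, skipped: $p"
            continue
        }
        $item = Get-Item -LiteralPath $p -Force   # -Force also sees hidden/system files
        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        # Prefix with part of the hash so same-named files from different folders don't collide.
        $dest = Join-Path $QuarantineDir ('{0}_{1}' -f $hash.Substring(0, 12), $item.Name)
        Move-Item -LiteralPath $item.FullName -Destination $dest -Force
        # One manifest row per file: enough to audit the move and to undo it.
        [pscustomobject]@{
            Moved        = (Get-Date).ToString('s')
            OriginalPath = $item.FullName
            StoredAs     = $dest
            SHA256       = $hash
        } | Export-Csv -LiteralPath $Manifest -Append -NoTypeInformation
    }
}

function Restore-FromQuarantine {
    param([Parameter(Mandatory)][string]$OriginalPath)
    $entry = Import-Csv -LiteralPath $Manifest |
        Where-Object { $_.OriginalPath -eq $OriginalPath } |
        Select-Object -Last 1
    if (-not $entry) { throw "No manifest entry for $OriginalPath" }
    # Refuse to restore if the stored copy changed while it sat in quarantine.
    $now = (Get-FileHash -LiteralPath $entry.StoredAs -Algorithm SHA256).Hash
    if ($now -ne $entry.SHA256) { throw "Hash mismatch for $($entry.StoredAs)" }
    # No -Force here: never overwrite whatever now exists at the original location.
    Move-Item -LiteralPath $entry.StoredAs -Destination $entry.OriginalPath
}

# Usage (illustrative path, built from the folder named in the thread):
# Move-ToQuarantine (Join-Path $env:ProgramFiles 'Internet Explorer\extexport.exe')
# Restore-FromQuarantine (Join-Path $env:ProgramFiles 'Internet Explorer\extexport.exe')
```

The recorded SHA-256 can also be checked against a known-good copy of the file before deciding whether to restore it.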