HELP... my kids laptop is infected.

[carolsboy]

I am running Avast free antivirus on all my computers and it has worked well up to today.

My kid's laptop has developed a virus of some kind that affect all users. The computer screen when booting up to windows 7 will be either purple or black with a cursor... eventually I can get to the desktop where Avast is disabled and can't be started and I can't run the scan as I get a message that says Avast was unable to start scan due to there being no more endpoints from the endpoint mapper. Windows System Restore will not work and says to disable the antivirus software and try again (plus there is only one restore point shown from about a week ago and may not be of any value as I am unsure of how long ago this occurred). Is there something I can do short of running a recovery disk?

[essexboy]

Yep you can let me take a look at the system and see what is causing it - these programmes are non-intrusive they are just gathering data

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

[carolsboy]

both logs exceed 10000 characters by at least 3X. What is the work around for this?

[essexboy]

Yes could you attach the file please
Under additional options near the bottom
Select Browse
Select the logs (one at a time)
Then post  

[carolsboy]

Here they are... thank you for your help )

[essexboy]

OK lets start the cleaning

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  O2 - BHO: (Facetheme) - {66D8FBA6-D90F-40A9-AC55-84896F79CA69} - C:\Program Files (x86)\Object\bho_project.dll (InternetEngine)
  O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
  O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
  O3 - HKU\S-1-5-21-2922725152-1482676609-851410680-1004\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
  
  :Files
  ipconfig /flushdns /c
  C:\Program Files (x86)\Search Toolbar
  C:\Program Files (x86)\Object
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[carolsboy]

Here is the new txt file...

[essexboy]

That looks a bit better - now for the combofix run - the programme may seem scary but it is not honest 

[carolsboy]

Sorry this reply was delayed as I had a memorial service to go to. I had to post this from my desktop computer as Internet Explorer won't run on the laptop since running ComboFix. There is a popup that says an illegal operation was attempted on a registry key marked for deletion.

[Pondus]

restart and try again

[carolsboy]

Thanks... I just figured it out... the third time was the charm!! Thank you for the help!

[essexboy]

Could you post the log please.  Combofix does that sometimes, it fails to release the registry - a reboot clears it