Cannot seem to remove virus -- Please help!!


My computer appears to be infected, and despite following a number of steps recommended in other topics on this forum, I don't seem to be able to fix the problem. Here are the steps and results:

1. In Safe Mode with Networking, I started MBAM 1.46 DB Version 4311. I tried to see if there was a later version of the DB, but when I clicked Check for Updates, I received a dialog box with the error message "MBAM_ERROR_UPDATING (12007,0,WinHttpSendRequest)". I then did a QuickScan, with the following result:

==== Log file (non-relevant lines removed) ====
Malwarebytes' Anti-Malware 1.46
Database version: 4311
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
7/13/2010 9:40:38 PM
mbam-log-2010-07-13 (21-40-38).txt

Scan type: Quick scan
Objects scanned: 128694
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\Temp\80fad6e6.tmp (Trojan.Ransom) -> Failed to unload process.

Files Infected:
C:\WINDOWS\Temp\80fad6e6.tmp (Trojan.Ransom) -> Delete on reboot.
==== End of Log File ====

2. After the above scan completed, I rebooted the machine as instructed, but this time into Safe Mode (without networking). I then ran a FullScan which came back clean.

3. I then rebooted the machine into regular Windows mode. I could not execute MBAM directly, so I copied it to Winlogon.exe and was able to start the program. I tried to see if there was a DB update, but received the same error as in step 1. (It turns out that 4311 is the most recent DB version.)

Then I did a QuickScan with the following result:

==== Log file (non-relevant lines removed) ====
Malwarebytes' Anti-Malware 1.46
Database version: 4311
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/13/2010 10:34:50 PM
mbam-log-2010-07-13 (22-34-50).txt

Scan type: Quick scan
Objects scanned: 129674
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\Temp\17bbc4.tmp (Trojan.Ransom) -> Failed to unload process.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ddbb7b7-6f9e-4b8e-9864-24abc11e837e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ddbb7b7-6f9e-4b8e-9864-24abc11e837e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\17bbc4.tmp (Trojan.Ransom) -> Delete on reboot.
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.
==== End of Log File ====

4. I then rebooted as instructed into regular Windows, and could not execute MBAM; however, I was again able to start the program using the Winlogon.exe file. I then executed a FullScan with the following result:

==== Log file (non-relevant lines removed) ====
Malwarebytes' Anti-Malware 1.46
Database version: 4311
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/13/2010 10:55:29 PM
mbam-log-2010-07-13 (22-55-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 183667
Time elapsed: 16 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Files Infected:
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.
==== End of Log File ====

5. I then rebooted again as instructed, and again ran a FullScan using the Winlogon.exe file, with the following result:

==== Log file (non-relevant lines removed) ====
Malwarebytes' Anti-Malware 1.46
Database version: 4311
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/13/2010 11:15:51 PM
mbam-log-2010-07-13 (23-15-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 183728
Time elapsed: 16 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\Temp\4a046b40.tmp (Trojan.Ransom) -> Unloaded process successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ddbb7b7-6f9e-4b8e-9864-24abc11e837e}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ddbb7b7-6f9e-4b8e-9864-24abc11e837e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\4a046b40.tmp (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.
==== End of Log File ====

6. I then rebooted into Safe Mode with Networking and ran a QuickScan. Here's the result:

==== Log file (non-relevant lines removed) ====
Malwarebytes' Anti-Malware 1.46
Database version: 4311
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
7/13/2010 11:36:28 PM
mbam-log-2010-07-13 (23-36-28).txt

Scan type: Quick scan
Objects scanned: 129123
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\Temp\7120ff47.tmp (Trojan.Ransom) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malwarebytes anti-malware (reboot) (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\7120ff47.tmp (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\swbh.tmp\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Malwarebytes' Anti-Malware\Winlogon.exe (Trojan.Agent) -> Not selected for removal.
==== End of Log File ====

7. So it appears that the infected files are being re-created upon every reboot of the system, occasionally corrupting the registry as well.

Incidentally, I tried to use the virus scanner at www.eset.eu/online-scanner; however, despite logging on as the Administrator, I received an Access Denied message when trying to start the scanner.

Can anyone please help? I'm scared to touch the machine right now.

Thanks - Steve
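The logs above show the same two things on every pass: a Trojan.DNSChanger entry writing outside resolver addresses into the Tcpip NameServer values, and files that are only scheduled for "Delete on reboot" or "Failed to unload", i.e. not actually removed. As an added example (not code from the original post or from Malwarebytes), here is a small Python parser for this MBAM 1.46 log format that separates what was actually removed from what was deferred and pulls out the resolver addresses written into the NameServer values so they can be compared with the ones the network is supposed to use; the sample log is constructed from lines quoted in this thread.

```python
import re
from collections import namedtuple

# Constructed excerpt in the format of the MBAM 1.46 logs quoted in this thread (not a real log file).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
Database version: 4311
Memory Processes Infected:
C:\\WINDOWS\\Temp\\17bbc4.tmp (Trojan.Ransom) -> Failed to unload process.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.61,93.188.161.201 -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\malwarebytes anti-malware (reboot) (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\\WINDOWS\\Temp\\17bbc4.tmp (Trojan.Ransom) -> Delete on reboot.
C:\\WINDOWS\\system32\\ernel32.dll (Trojan.Agent) -> Delete on reboot.
C:\\Program Files\\Malwarebytes' Anti-Malware\\Winlogon.exe (Trojan.Agent) -> Not selected for removal.
"""

# A bare "<category> Infected:" line opens a detail section; the "<category> Infected: N" summary lines do not.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail line: <path> (<family>) -> [Data: <data> -> ]<action>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[A-Za-z.]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")
# Actions MBAM reports when the item is actually gone; anything else still needs attention.
RESOLVED = ("Quarantined and deleted successfully", "Unloaded process successfully")

Detection = namedtuple("Detection", "section path family data action")

def parse_mbam_log(text):
    """Walk the log line by line; detail lines belong to the most recent '<category> Infected:' header."""
    section, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group("section")
        elif section and (m := ITEM_RE.match(line)):
            found.append(Detection(section, m["path"], m["family"], m["data"], m["action"]))
    return found

def unresolved(items):
    """Detections MBAM could not remove in this pass: deferred to reboot, unload failed, or not selected."""
    return [d for d in items if not d.action.startswith(RESOLVED)]

def rogue_resolvers(items, allowed):
    """Resolver addresses written into the Tcpip NameServer/DhcpNameServer values, minus the expected ones."""
    return {ip.strip() for d in items
            if d.section == "Registry Data Items Infected" and d.data and "NameServer" in d.path
            for ip in d.data.split(",") if ip.strip() not in allowed}
```

Running the same parser over each of the logs in the thread and comparing the unresolved lists between passes shows which items come back after every reboot, which is the pattern step 7 describes.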


  • Root Admin

Hi Steve,

Please run the following.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    [screenshot: cfRC_screen_1.png]
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    [screenshot: cfRC_screen_2.png]
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
