Strange!

Discussion in 'Malware Help (A Specialist Will Reply)' started by tommy2k8, Oct 22, 2010.

Thread Status:
Not open for further replies.
  1. tommy2k8

    tommy2k8 Private First Class

    In my time as a computer engineer, I have seen a LOT of malware-infested computers.
    Last Christmas, I disinfected a client computer that managed to turn all the Windows services off!
    Yesterday I got a call from the same client saying that Autorun had been disabled and that he was having trouble transferring his photos from a memory stick.
    I looked in the Event Log - about 10 ftdisk (event id 49) errors - so I increased the size of the paging file, which made no difference whatsoever!
    Problems I only found out when I went this morning - AVG found two Trojan Horses on Wednesday, said it removed 1 infection, and couldn't disinfect the other one! However, when I went to look in the Scan History and the Virus Vault, there was no history whatsoever!
    When I inserted his AND my removable USB drives, it said 'this drive needs to be formatted. Do you want to format it now?'
    I tried to fire up Spybot (the antispy software I put on last time). It said the files were corrupted.
    I tried to fire up MalwareBytes, it wouldn't let me. Downloading it again made no difference, this got as far as the Update MBytes and Launch MBytes dialog box, then didn't do anything.
    Something had caused Mozilla Firefox's network settings to change to Use system Proxy settings (he is with BT bb).
    All the web browsers on there (FF, IE and Chrome) have page redirection.
    Is it an infection, do you think? (I'm almost certain, but just thought I'd ask).
    He doesn't understand why these things have suddenly stopped working! Maybe the Trojan Horse was hiding other nasties.
     
  2. tommy2k8

    tommy2k8 Private First Class

    He has got Windows XP with SP3, 768MB RAM, and it's a Dell Dimension 4400 desktop.
     
    Last edited by a moderator: Oct 22, 2010
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this:

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    Then work through this:

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  4. tommy2k8

    tommy2k8 Private First Class

    I will do that on Tuesday when I go to his house (it would be better if I had it here but he said he's frightened of me snooping!).
    I was going to ask if I should follow the Run and Read Me First but I can't do it, as I can't install anything!
    Anyway, I shall work through this method.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, get to it when you can (Or point him in the direction of his thread so he can do it himself if he is wary of you using the computer without his presence.)
     
  6. tommy2k8

    tommy2k8 Private First Class

    Can I download them to a CD from home just in case it won't let me download them from the web?
     
  7. tommy2k8

    tommy2k8 Private First Class

    Because I'm there tomorrow, and if it clears up may not go back until he gets another problem (or when you analyse the logs), shall I go through the normal malware removal procedure after I have done all this?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, you can do that.
    No, for now just do what I have already instructed in post #3.
     
  9. tommy2k8

    tommy2k8 Private First Class

    I am attaching these from my client's hard drive as I cannot access any removable media (I will explain this, and the SAS online results, in another post).
     

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why is there no anti-virus installed on this machine?

    Don't forget to include the SAS online results.

    Java(TM) 6 Update 19 <--- uninstall this outdated java.

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\WINDOWS\Temp
    • C:\Documents and Settings\arthur bowmer\Local Settings\TEMP

    Download Combofix and run it as per the instructions. Make sure it is directly on your desktop.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running now.
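    The post above asks whether the proxy was set deliberately, and the thread opener reported redirection in every browser. As an added example (not from this thread, and not part of any tool it names), the batch script below dumps the settings a proxy or DNS hijack typically changes so they can be compared with what the owner actually configured; the log path C:\hijackcheck.txt is an assumption.

```batch
@echo off
rem Added example, not from the thread: collect proxy, DNS, hosts-file and
rem Autorun settings on a Windows XP machine for comparison with the owner's
rem intended configuration. Run from an administrator account.
set LOG=C:\hijackcheck.txt

echo === WinINET proxy (used by IE, and by Firefox on "Use system proxy settings") === > "%LOG%"
rem ProxyEnable=1 with a ProxyServer the owner never set, or an unexpected
rem AutoConfigURL (PAC script), is what a browser-redirect infection leaves behind.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable >> "%LOG%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer >> "%LOG%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL >> "%LOG%" 2>&1
echo. >> "%LOG%"

echo === DNS servers per adapter (compare with the ISP's or router's resolvers) === >> "%LOG%"
ipconfig /all | findstr /i "Description DNS" >> "%LOG%"
echo. >> "%LOG%"

echo === Non-comment lines in the hosts file (should normally be only localhost) === >> "%LOG%"
findstr /v /b /c:"#" "%SystemRoot%\system32\drivers\etc\hosts" >> "%LOG%"
echo. >> "%LOG%"

echo === Autorun policy (the opener reported Autorun had been disabled) === >> "%LOG%"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun >> "%LOG%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun >> "%LOG%" 2>&1

echo Results written to %LOG%
notepad "%LOG%"
```

    A value that is missing simply prints a "unable to find" line from reg, which is itself useful: it shows the setting is at its default.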
     
  11. tommy2k8

    tommy2k8 Private First Class

    The SAS results removed Parasite.WareOut, Trojan.DNS-Changer and Security.Hijack.
    (AVG is now back on!)
    My client has been thinking about getting a laptop for a while now; with this in mind, would it be worth following further instructions?
    I did a disk check and it has one bad block!
    His main worry is because I went to disinfect malware in December last year, and I went on Friday and this morning, it might be cheaper to buy a new machine (bearing in mind he got the computer in May 2002).
    The problem that he had is still there, every time he inserts a USB flash drive or CD, it says it has to be formatted!
    The question I have to ask myself now (and if I had the machine here it would be better) is do I keep on going over there, which will cost him money obviously, or him cut his losses and get a laptop (bearing in mind the age of the machine as well)?

    (Apart from the USB problem, it is now working fine!)
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Entirely up to you's what you do, but we might as well try and finish up with what we started, no?

    If you wish to continue then attach the requested logs. :)
     
  13. tommy2k8

    tommy2k8 Private First Class

    I'll email my client, giving him a rundown of the costs involved in this, and the costs involved in getting a new laptop
     
  14. tommy2k8

    tommy2k8 Private First Class

    The question is will this fix the USB problem?

    (If I don't continue this time, thank you for the procedure outlined in this post; I can use it when I get another infected machine.)
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Or refer him to this thread so he can continue himself.
     
  16. tommy2k8

    tommy2k8 Private First Class

    He's an OAP and not very experienced with computers, by his own admission, so he may do more harm than good!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please do not make a habit of coming here to remove malware with our help in return for financial gain. We are unpaid volunteers here. If you want to help yourself with learning malware removal then perhaps you should take a look at this, as it includes links to universities online who will train you properly so that you can remove malware independently and not via our services:

    Becoming A Malware Forum Helper
     
  18. tommy2k8

    tommy2k8 Private First Class

    I'm not; I'm just saying that he may do more harm than good if he follows that procedure!
    I shall wait for a call or email back from him.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    But you stated:

    You say client not friend, so I am to assume you are charging him? (For my services)

    (Or do you mean the cost of reformatting?)
     
  20. tommy2k8

    tommy2k8 Private First Class

    I am charging him.

    I think I'll wait until he gets back to me.
     
  21. tommy2k8

    tommy2k8 Private First Class

    Am I not meant to post on here then?
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have at least been honest and upfront with me about charging a fee. I will have a word with my colleague and maybe he will get back to you tonight with a reply about whether we will continue to assist you or not. (I am due in at work soon myself.)
     
  23. tommy2k8

    tommy2k8 Private First Class

    If we 'part ways', I apologise for using this forum to help clients out.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you were helping them out of the goodness of your heart, that would be fine in my opinion; if you were charging them for YOUR knowledge and skills, that would be fine, but you're not, you are using my/our skills, experience and time, which is a drain on precious resources. If you want to be a malware removal expert then I suggest you gain that knowledge from using the link I gave you earlier. We will see what my colleague says anyway. This is just my opinion.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It would seem that you are using this site to find answers to fixing computers that you are then asking to be paid for our work. If you were a contributing member and were actively helping others on this forum, then that would be a good trade off, but I don't see you doing that. We have helped you on numerous occasions with both malware and software issues, which I assume you have turned around and charged your customers for our work. That is almost tantamount to fraud as you are passing our work off as your own and getting compensation for it. You have had enough malware threads that it is time for you to start applying what you have been shown in regards to your clients. If you wish to continue receiving our help, I suggest you start helping out others on this site.

    @Kestrel.......finish up this thread to a point where you are satisfied that the malware is gone and then close it out.
     
  26. tommy2k8

    tommy2k8 Private First Class

    I am satisfied that the malware is gone and am about to do the Bleeping computer course on malware removal.
    Sorry to break the rules - half of the programs talked about in the list I knew about when I was at college, but I just needed some extra guidance.
    I will only use this forum in the future if my machine, or my test machine, gets a problem.
     
  27. tommy2k8

    tommy2k8 Private First Class

    How do I close this thread?
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thread closed at user's request.

    Best of luck with your training! :)
     