My Anti Spyware

[JBL]

Hi Guys..

Having a lot of trouble with this one. I've got one laptop infected with it, no with no internet connection. So using another computer I've managed to get rkill, and mbam-setup onto the desktop.

rkilll wont open due to the infection, so I've tried both fixes listed here http://www.myantispyware.com/2011/02/18 ... irus-2011/ but unfortunately that's not worked either.

Due to the infected laptop having lost internet connection, I had to manually type the fix's into the notepad. So first thing is for me to try that again and make sure they've been typed in correctly.

Any other ideas?

Cheers guys

[12056]

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start the scan
If a "Rootkit" is found, shown in red, Click the "FIX" button, if the Fix button is disabled your not infected!
Allow it to remove the infection, the log file should save to your desktop, if infected please post (to ensure removal).

As a final check:

Please download ComboFix from here.
Close your browser, and Double-Click on the tiger icon.
Let ComboFix run unhindered, mouse clicks may cause it to stall.
Your computer may restart, after the scan, this is normal.

Please post the ComboFix log, it will appear after the restart.

[JBL]

Thanks for that, I'll give it a go shortly.

Maybe worth mentioning, but as there's now no internet connection on the infected machine, I'm having to download onto a mac, save to a cd, then transfer to the infected laptop. Will that make any difference?

[12056]

No, it shouldn't make any difference and for the time being, the infected computer should be quarantined (removed) from any network and Internet connections, until it is "clean", to prevent it from spreading (if applicable).

[JBL]

ok. I'll try what you suggested. It's as good as quarantined anyway as the virus/malware seems to have removed my internet connection.

I'll post the results after I've tried the above.

thanks

[JBL]

I've managed to get TFC onto the desktop of the infected machine, but unfortunately I cant get TFC to open or run. Shortly after I double-click on it, the XP Internet Security 2011 starts up with all the alerts etc.

[JBL]

Nos sure if this is relevent, I assumed it was the same issue. But as well as the "XP Internet Security 2011" warnings, there is also "Windows Security Centre"

I'm about to shut it down, start up again in "safe mode", then try to run TFC again.

[JBL]

Re last post.

went into "safe mode' and tried to start TFC, still no luck. trying to start it only opens the "windows security centre" and "xp internet security 2011" again. I am now officialy clueless. Any ideas?

[12056]

Go ahead and try running Combofix...
We can complete the other two once your system is somewhat stable.

[JBL]

ok, I'll give that a try. I'v not been able to open any program though since the "infection"...

I'll try Combofix in normal mode initially, and then in safe if the first attempt doesnt work.

By the way, thanks for all your time on this..

[JBL]

Still nothing, tried Combofix in normal mode, then in safe mode. Clicking on it only opens the "windows security centre" and "XP Internet security 2011" again. The only time the malware doesnt seem to open is when in safe mode but logged in as "administrator, but then none of the programs I've added ( Combofix, rkill, TFC, mbam-setup) are available on the desktop when logged in as admin.

[12056]

Copy the programs to a removable disk/ flash drive and use the Administrator account, as it appears to be the only one that will work.
Combofix will be able to find and log/remove the infection from this account.

[JBL]

Combofix was taking a while to download onto the clean computer, so I put malwarebytes onto a memorystick and I'm running the "full scan" now on the infected laptop, in safe mode on the administrators account

Unfortunately, because the laptop now doesnt have an internet connection I wasnt able to update it MWB before running it. Its been running for almost 17 hours now, but found no infected objects.....

[12056]

At this point, you should try to get Combofix to run... The log that it produces is critical for me to pinpoint the infection(s).

[JBL]

no problem, I stopped the Combofix download last night as it seemed as though it had stalled. I'll try it again.

If I can get it downloaded, you'd recommend stopping the malwarebytes scan that's currently running, and starting combofix instead? (in safe mode, as "admin")??

Sorry if I'm being dense, just trying to follow things properly.

Cheers Fella