Welcome to TechSpot, Karen. These rogue programs are doing a number on a lot of people.
About AVG. Their author didn't leave any way for AVG to be disabled to run some of the scans. You will have to uninstall it temporarily to run Combofix and I'll give you a program to do that. So let's go this route:
(be sure to put one of the temporary AV on the system)
Download AppRemover and save to the desktop
- Double click the setup on the desktop> click Next
- Select “Remove Security Application”
- Let scan finish to determine security apps
- A screen like below will appear:
- Click on Next after choice has been made
- Check the AVG program you want to uninstall
- After uninstall shows complete, follow online prompts to Exit the program.
Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
- Click START> then RUN
- Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
- Double click combofix.exe & follow the prompts.
- ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
- Click on Yes, to continue scanning for malware
- If Combofix asks you to update the program, allow
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Close any open browsers.
- Double click combofix.exe & follow the prompts to run.
- When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=======================================
It is important that you do not delete any files from your Temp folder or use any temp file cleaners.
================================
Boot into Safe Mode
- Restart your computer and start pressing the F8 key on your keyboard.
- Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
=======================================
This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. We will first need to fix this:
- Launch Internet Explorer
- Access Internet Options through Tools> Connections tab
- Click on the Lan Settings at the bottom
- Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
- Then click on OK> and OK again to close Internet Options.
========================================
To end the processes that belong to the rogue program:
Please click on RKill
- At the download page, click on Download now button for iExplore.exe download link and save to the desktop
- Double click on the iExplore.exe icon
- Please be patient- it may take a bit.
- The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
4. This malware frequently comes with the TDSS rootkit, so do the following:
- Download the file TDSSKiller.zip and save to the desktop.
(If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
- Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
- Double click on TDSSKiller.exe to run the scan.
- When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
- Select the action Quarantine to quarantine detected objects.
The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
- After clicking Next, the utility applies selected actions and outputs the result.
- A reboot is required after disinfection.
====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
====================================
5. Update and rescan with Malwarebytes:
- Select Perform Full Scan on the Scanner tab
- Click on the Scan button.
- When scan has finished, you will see this image:
- Click on OK to close box and continue.
- Click on the Show Results button.
- Click on the Remove Selected button to remove all the listed malware.
- At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
If the desktop background is black or if the theme has been removed:
Correct Display Changes if needed:
For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
=====================================
You can now reboot back into Normal Mode
====================================
If you seem to be missing icons, programs, files, etc., go ahead and run the following:
1. Download Unhide.exe and save to the desktop.
- Double-click on Unhide.exe icon to run the program.
- This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
====================================
Summary to help you get through:
Run App Remover for AVG- put temp. AV on system
Run Combofix
Boot into Safe Mode
Stop Proxy
Stop malware process>>RKill
Run TDSS
Do a Full scan Mbam
--------------------
If you have the black screen display problem, fix that,
If you have hidden processes, run unhide.
==================================
After I check these logs, I may have you go back and run DDS.
======================================
My Guidelines: please read and follow:
- Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
- Read my instructions carefully. If you don't understand or have a problem, ask me.
- If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
- Follow the order of the tasks I give you. Order is crucial in cleaning process.
- File sharing programs should be uninstalled or disabled during the cleaning process.
- Observe these:
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.
- Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================