Malware System Security
Deadpool57
post Jul 5 2009, 07:33 AM
Post #1


Member
Posts: 20
OS: Windows XP



My computer has become infected with a little nasty. I followed the Malware and Spyware Cleaning guide but the problem is still there. It actually seems to be worse now. I cannot open any program. I tried reopening Malwarebytes to run another scan because I can't seem to find the log from the one I did the other day. Not sure if it automatically saves or if I was supposed to do it. I can't open rootkiller or OTL. I was originally able to open into safe mode, but now it seems like when I try to, it just reboots into my normal Windows. Whenever I try opening an application, I get a warning bubble down at the bottom saying the application cannot be executed, the file is infected, please open your antivirus software, but the bubble is coming from the System Security icon.

I'm not sure what to do now, seeing as how I cannot open any of the programs that I need to clean up my computer.

SpySentinel
post Jul 9 2009, 04:47 PM
Post #2


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



Hi Deadpool57,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.
Sorry for the delay, we have been very busy lately, and I apologize for your wait.



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Deadpool57
post Jul 11 2009, 09:00 AM
Post #3


Member
Posts: 20
OS: Windows XP



When I try to download to my desktop the download gets to 99 percent and then says cannot copy combofix[1]: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

Also I did forget to mention that even my internet browser is not opening and I am posting from a second computer.

SpySentinel
post Jul 12 2009, 06:06 PM
Post #4


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



Hi Deadpool57,

Sorry for the delay.


Let's see if we can disable this threat:


Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Deadpool57
post Jul 14 2009, 01:02 PM
Post #5


Member
Posts: 20
OS: Windows XP



RootRepeal is like all of the other applications that I have tried to run. I just get the bubble at the bottom of my screen that says "Application cannot be executed. The File RootRepeal.exe is infected. Please Activate your antivirus software."

SpySentinel
post Jul 14 2009, 02:34 PM
Post #6


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



Let me know if this works:


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Deadpool57
post Jul 15 2009, 05:09 PM
Post #7


Member
Posts: 20
OS: Windows XP



Same problem with this one.

SpySentinel
post Jul 15 2009, 06:34 PM
Post #8


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



You have an infection that monitors for new processes being created, and when ANY new process is created, it terminates it and shows an error.


1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

QUOTE
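@echo off
rem Write a verbose list of running processes to Processes.txt on the desktop.
rem The quotes keep the redirect working when the profile path contains spaces.
tasklist /V > "%userprofile%\Desktop\Processes.txt"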


3. Save the file as "Show.bat". Make sure to save it with the quotation marks.

4. Double click Show.bat.


It will create a file on your desktop called Processes.txt
Post that in your next reply.
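
One way to triage the Processes.txt that Show.bat produces, as an added example that is not part of the original post: it parses the table layout of `tasklist /V` and lists image names outside a baseline. The baseline, the sample rows and the process name `rogue-example.exe` are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive baseline of image names expected on a Windows XP desktop.
BASELINE = {"system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
            "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
            "cmd.exe", "tasklist.exe"}

def parse_tasklist(text):
    """Parse table-format `tasklist /V` output into dicts keyed by column header."""
    lines = text.splitlines()
    # The ruler row of '=' runs gives each column's start and end offset.
    idx = next((i for i, ln in enumerate(lines)
                if i > 0 and re.fullmatch(r"=+(?: =+)+", ln.rstrip())), None)
    if idx is None:
        raise ValueError("no column ruler found; is this table-format tasklist output?")
    spans = [m.span() for m in re.finditer(r"=+", lines[idx])]
    headers = [lines[idx - 1][a:b].strip() for a, b in spans]
    rows = []
    for ln in lines[idx + 1:]:
        if not ln.strip():
            continue
        cells = [ln[a:b].strip() for a, b in spans[:-1]]
        cells.append(ln[spans[-1][0]:].strip())  # last column runs to end of line
        rows.append(dict(zip(headers, cells)))
    return rows

def unexpected(rows, baseline=BASELINE):
    """Return rows whose image name is not in the baseline, for manual review."""
    return [r for r in rows if r["Image Name"].lower() not in baseline]

# Constructed sample, not from the thread: fewer columns than real /V output,
# and a made-up process name and window title.
_W = (25, 6, 16, 12, 30, 40)
def _fmt(*cells):
    return " ".join(c.ljust(w) for c, w in zip(cells, _W))

SAMPLE = "\n".join([
    "",
    _fmt("Image Name", "PID", "Session Name", "Mem Usage", "User Name", "Window Title"),
    " ".join("=" * w for w in _W),
    _fmt("System Idle Process", "0", "Console", "28 K", "NT AUTHORITY\\SYSTEM", "N/A"),
    _fmt("svchost.exe", "1024", "Console", "4,512 K", "NT AUTHORITY\\SYSTEM", "N/A"),
    _fmt("explorer.exe", "1484", "Console", "18,204 K", "PC\\user", "N/A"),
    _fmt("rogue-example.exe", "2312", "Console", "9,876 K", "PC\\user", "System Security"),
])

if __name__ == "__main__":
    for r in unexpected(parse_tasklist(SAMPLE)):
        print(r["PID"], r["Image Name"], r["User Name"], r["Window Title"])
```

Matching on image name cannot distinguish a renamed binary from the real one, and `tasklist` output carries no image path, so flagged and unflagged rows alike still need review.
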
Deadpool57
post Jul 16 2009, 03:55 PM
Post #9


Member
Posts: 20
OS: Windows XP



It blocks notepad as well.

SpySentinel
post Jul 16 2009, 05:15 PM
Post #10


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



You have an infection that is disallowing any new processes from running, and enumerating and then terminating any processes that start. So let's see if we can trick it.



Please delete ComboFix from your desktop.


Download Combofix from any of the links below. You must rename it before saving it.

When it asks you for a save location, navigate to C:\Windows and save it as svchost.exe

Link 1
Link 2



--------------------------------------------------------------------

Double click on svchost.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


This post has been edited by SpySentinel: Jul 16 2009, 05:23 PM

Deadpool57
post Jul 18 2009, 08:02 AM
Post #11


Member
Posts: 20
OS: Windows XP



It got farther than the others but still got blocked. I received a little loading type bar to show it was opening and then after it was full I received the bubble at the bottom saying something like n.pif was infected.

SpySentinel
post Jul 18 2009, 03:32 PM
Post #12


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



We are making progress. Navigate to C:\ComboFix, and if there is a log file, please post it. If not, let me know.

Deadpool57
post Jul 19 2009, 08:22 AM
Post #13


Member
Posts: 20
OS: Windows XP



There is no log file.

SpySentinel
post Jul 19 2009, 02:35 PM
Post #14


Trusted Helper
Posts: 3,952
From: The United States
OS: Windows XP SP3 & Windows Vista SP1



Let's try this:


Please remove RootRepeal if you still have it.


Download RootRepeal.zip

When it asks you to save it, make sure you rename it to svchost.exe and unzip it to C:\Windows.

  • Double click svchost.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post


This post has been edited by SpySentinel: Jul 19 2009, 02:36 PM

Deadpool57
post Jul 21 2009, 01:10 PM
Post #15


Member
Posts: 20
OS: Windows XP



This one got a little farther but I was unable to run the scan. When I opened it I received a svchost error and then a rootrepeal screen that looked like the following picture but with no buttons or tabs or anything.

Sorry for the poor quality picture I just snapped a quick picture with my cell.

This post has been edited by Deadpool57: Jul 21 2009, 01:11 PM
Attached thumbnail(s)
Attached Image