msa.exe / b.exe problem? [Solved]
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 29 2009, 03:22 PM, Post #1

Hello,

Earlier today I noticed a bunch of IE pop-ups coming out of nowhere (I use Firefox). Suspecting malware I looked at the task manager and identified msa.exe and b.exe running, which a Google search confirmed is a virus.

The problem first surfaced while my anti-virus program was running a full system scan. I use McAfee software. New IE popups seemed to coincide with each time McAfee deleted a file in its scan. It then appeared to start deleting system files that it identified as viruses - it seemed to delete quite a few before I could stop it.

I attempted to look into the issue but am now stuck because my computer will no longer boot properly. Attempting to start in Safe Mode leads to a blue screen of death. Attempting to start normally causes the start up process to stall after I enter my password - I see a background image and cursor, but no desktop, and no ability to right click. The Task Manager also does not respond.

Does anyone have any suggestions? It seems that I cannot disinfect my computer without being able to start. As another question, is it safe to attempt to copy files from the computer that I need for work purposes if I were to get access to it again?

Thank you for your help!
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 29 2009, 04:18 PM, Post #2

Sorry, a quick update - I managed to start Windows using the "Last Good Configuration" setting. I was able to do this once earlier and attempted to start following Malware removal instructions (starting with running TFC.exe) but it took several more startups before it returned to a seemingly stable state. I am hesitant to pursue further manual removal steps without instructions.

Please let me know what I can do! Thank you very much in advance for your assistance.


Essexboy (GeekU Moderator, From: Darkest Cornwall, Posts: 19,158, OS: Vista Ultimate & Windows 7)
post Oct 29 2009, 05:34 PM, Post #3

Hi there. I will need a look at your system before I can proceed

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post




THEN

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 08:30 AM, Post #4

Hi there,

I downloaded OTS as directed. Because I can no longer access the task manager to manually end programs/tasks, I was unsure of whether all other programs were closed.

Upon running OTS, it appears to go through its scans without trouble. The window then closes, but no log shows up. I was then unable to run it again as the system told me I lacked sufficient permissions. I downloaded and ran it again with Notepad open in the background and still no logs.

Thoughts?

Thanks!
Essexboy (GeekU Moderator, From: Darkest Cornwall, Posts: 19,158, OS: Vista Ultimate & Windows 7)
post Oct 30 2009, 12:01 PM, Post #5

Ok I think I now know what the infection is

Could you run these two programmes so that I can see what my next steps will be

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 12:27 PM, Post #6

Hi there,

I have attached the Win32kDiag log file.

When attempting to run RootRepeal, I first received an error that said "Invalid PE image found!" It allowed me to scan, and appeared to work correctly, but then quit unexpectedly without giving the option to save a log.

In case it's useful, here is a complete list of symptoms that I have identified thus far:

- Virus scan appeared to delete system files
- saw IE pop ups suddenly, including pop ups designed to look like windows programs
- Seemingly installed Windows Defender
- Google searches redirect to other sites
- No ability to terminate programs
- Can only open a program once, receive a permissions error second time
- Have pornographic links on desktop
- No background image on desktop
- Keyboard "focus" is periodically stolen by something.
- Occasional IE-like pop-ups indicating "unsafe behavior"

Thank you!

Attached File: Win32kDiag.txt (7.67K)
Essexboy (GeekU Moderator, From: Darkest Cornwall, Posts: 19,158, OS: Vista Ultimate & Windows 7)
post Oct 30 2009, 12:37 PM, Post #7

OK time to start clearing some of this rubbish

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

THEN

Download Combofix from any of the links below. You must rename it to svchost before saving it to your desktop.

Link 1
Link 2


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 12:56 PM, Post #8

I have pasted in the Win32K text below.

ComboFix would not run, despite renaming it as you stipulated. After showing an initial loading bar, I received no further prompts. Should I attempt a restart and try again?

Thanks!


Running from: C:\Documents and Settings\Reid Van Lehn\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Reid Van Lehn\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21.tmp\ZAP21.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21.tmp\ZAP21.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2CE.tmp\ZAP2CE.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2CE.tmp\ZAP2CE.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP414.tmp\ZAP414.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP414.tmp\ZAP414.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP51A.tmp\ZAP51A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP51A.tmp\ZAP51A.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\Temp\Temp

Found mount point : C:\WINDOWS\Installer\_{AED53CDF-1046-4C6B-B5E2-C195125ECDA0}\_{AED53CDF-1046-4C6B-B5E2-C195125ECDA0}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\_{AED53CDF-1046-4C6B-B5E2-C195125ECDA0}\_{AED53CDF-1046-4C6B-B5E2-C195125ECDA0}

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.Net\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.Net\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\authcabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\authcabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 19:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-13 20:11:53 56320 C:\System Volume Information\_restore{81043108-CFFF-4332-AAEB-3458C98BC3D5}\RP229\A0056730.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\5B31\x64\x64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\5B31\x64\x64

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\History\Results\Results

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Found mount point : C:\WINDOWS\Temp\SETUP48FFB1B95D\SETUP48FFB1B95D

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SETUP48FFB1B95D\SETUP48FFB1B95D

Found mount point : C:\WINDOWS\Temp\TestEngDat64\TestEngDat64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\TestEngDat64\TestEngDat64

Found mount point : C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\_ISTMP0.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP0.DIR\_ISTMP0.DIR

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

Essexboy (GeekU Moderator, From: Darkest Cornwall, Posts: 19,158, OS: Vista Ultimate & Windows 7)
post Oct 30 2009, 01:08 PM, Post #9

No I have now found the infected file

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:

Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

THEN

Delete the current copy of combofix and download a fresh one - we will change the name this time.

Download Combofix from any of the links below. You must rename it to Gotcha before saving it to your desktop.

Link 1
Link 2


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


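The two findings the Win32kDiag log above turns on are (a) directory junctions scattered through C:\WINDOWS whose destination is a device name rather than a volume (every "Mount point destination : \Device\__max++>\^" line), and (b) an installed eventlog.dll that carries no vendor string and a different size from the ServicePackFiles copy, which is why the Avenger script in Post #9 moves logevent.dll over it. The Python below is an added example, not Win32kDiag's own code and not a tool from this thread: it parses a constructed excerpt of that log (the first findings copied from the posted log, plus one invented benign junction under C:\Data as a control) and applies two heuristics that are my assumptions, not rules the page states: a junction is suspect unless its target is a drive letter, a volume GUID path or a HarddiskVolume device, and an installed DLL is suspect if it has no vendor string or its size differs from the ServicePackFiles copy. It then picks a replacement copy and renders the "Files to move:" stanza in the form used by The Avenger.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: the first findings are copied from the Win32kDiag log
# posted above; the C:\Data\Link junction is an invented benign control case.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\Data\Link\Link
Mount point destination : \??\C:\Data\Target
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 19:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
BLOCKED_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Assumption: these junction targets are ordinary; anything else is suspect.
NORMAL_DEST_RE = re.compile(
    r"^(\\\?\?\\[A-Za-z]:\\|\\\?\?\\Volume\{[0-9A-Fa-f-]+\}\\|\\Device\\HarddiskVolume\d+\\)"
)


@dataclass
class MountPoint:
    path: str
    destination: str


@dataclass
class FileCopy:
    group: int       # Win32kDiag's [n] bucket, kept for reference only
    timestamp: str
    size: int
    path: str
    vendor: str      # empty when the log shows "()"


def parse_win32kdiag(text):
    """Return (mount points, {blocked file path: [alternate copies listed]})."""
    mounts, blocked, pending, current = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MOUNT_RE.match(line)):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending:
            mounts.append(MountPoint(pending, m.group(1)))
            pending = None
        elif (m := BLOCKED_RE.match(line)):
            current = m.group(1)
            blocked[current] = []
        elif (m := COPY_RE.match(line)) and current:
            blocked[current].append(FileCopy(int(m.group(1)), m.group(2),
                                             int(m.group(3)), m.group(4), m.group(5)))
    return mounts, blocked


def suspicious_mount_points(mounts):
    return [mp for mp in mounts if not NORMAL_DEST_RE.match(mp.destination)]


def assess_blocked_file(path, copies):
    """Return (installed copy, reason, replacement copy or None) for a blocked file.

    Assumption: the ServicePackFiles copy is the size reference.
    """
    installed = next((c for c in copies if c.path.lower() == path.lower()), None)
    reference = next((c for c in copies if "\\servicepackfiles\\" in c.path.lower()), None)
    if installed is None:
        return None, "installed copy not listed", None
    reasons = []
    if not installed.vendor:
        reasons.append("no vendor string")
    if reference and installed.size != reference.size:
        reasons.append(f"size {installed.size} differs from ServicePackFiles size {reference.size}")
    if not reasons:
        return installed, "consistent with reference", None
    candidates = [c for c in copies if c is not installed and c.vendor
                  and (reference is None or c.size == reference.size)]
    installed_dir = installed.path.lower().rsplit("\\", 1)[0]
    # Prefer a clean sibling in the same directory, then the ServicePackFiles cache.
    candidates.sort(key=lambda c: (c.path.lower().rsplit("\\", 1)[0] != installed_dir,
                                   "\\servicepackfiles\\" not in c.path.lower()))
    return installed, "; ".join(reasons), (candidates[0] if candidates else None)


def avenger_move_script(replacement, installed):
    """Render a 'Files to move:' stanza in the form used by The Avenger above."""
    return f"Files to move:\n{replacement.path} | {installed.path}\n"


if __name__ == "__main__":
    mounts, blocked = parse_win32kdiag(SAMPLE_LOG)
    for mp in suspicious_mount_points(mounts):
        print(f"suspect junction {mp.path} -> {mp.destination}")
    for path, copies in blocked.items():
        installed, reason, repl = assess_blocked_file(path, copies)
        print(f"{path}: {reason}")
        if repl:
            print(avenger_move_script(repl, installed))
```

On the posted excerpt this flags only the junction into \Device\__max++>\^, leaves the C:\Data control junction alone, marks system32\eventlog.dll as suspect on both counts, and selects system32\logevent.dll (same directory, vendor string present, size equal to the ServicePackFiles copy) as the replacement, which is the move Post #9 scripted. The whitelist of junction targets is deliberately narrow; on a real system extend it before trusting the "suspect" list.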
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 01:45 PM, Post #10

Still no luck on ComboFix. Here is the Avenger log file:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
Essexboy (GeekU Moderator, From: Darkest Cornwall, Posts: 19,158, OS: Vista Ultimate & Windows 7)
post Oct 30 2009, 02:28 PM, Post #11

OK we will approach from another angle - don't worry I will clear all these tools away when complete

Download avz4.zip from here
  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the Right of the Log window:
  4. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again


  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with Malware removal mode enabled" check box.
  3. Click on the “Execute selected scripts”.
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  7. All applications will work properly after the system restart.


When restarted

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 04:50 PM, Post #12

Here are attachments. When I booted up, the computer performed a drive consistency check if that means anything.

Attached File: virusinfo_syscure.zip (54.65K)
Attached File: virusinfo_syscheck.zip (53.11K)
Essexboy (GeekU Moderator, From: Darkest Cornwall, Posts: 19,158, OS: Vista Ultimate & Windows 7)
post Oct 30 2009, 05:27 PM, Post #13

There is a lot there I will try to kill as much as possible this time round - on completion of this run try combofix again

AVZ FIX

  1. Double click on AVZ.exe
  2. Click File > Custom scripts
  3. Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    CODE
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    SetAVZPMStatus(True);
    SetServiceStart('NetLogin', 4);
    DeleteService('NetLogin');
    StopService('NetLogin');
    SetServiceStart('Net_Login', 4);
    DeleteService('Net_Login');
    StopService('Net_Login');
    TerminateProcessByName('c:\windows\isvchost.exe');
    BC_DeleteFile('c:\windows\isvchost.exe');
    DeleteFile('c:\windows\isvchost.exe');
    BC_DeleteFile('C:\WINDOWS\svchust.exe');
    DeleteFile('C:\WINDOWS\svchust.exe');
    BC_DeleteFile('C:\WINDOWS\svchost.exe');
    DeleteFile('C:\WINDOWS\svchost.exe');
    BC_DeleteFile('c:\windows\system32\iasex.dll');
    DeleteFile('c:\windows\system32\iasex.dll');
    BC_DeleteFile('c:\windows\system32\ipripv32.dll');
    DeleteFile('c:\windows\system32\ipripv32.dll');
    BC_DeleteFile('C:\WINDOWS\system32\msxm192z.dll');
    DeleteFile('C:\WINDOWS\system32\msxm192z.dll');
    BC_DeleteFile('C:\WINDOWS\TEMP\zra1.tmp');
    DeleteFile('C:\WINDOWS\TEMP\zra1.tmp');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\acs\NetworkProvider','ProviderPath');
    BC_DeleteFile('2');
    DeleteFile('2');
    BC_DeleteFile('C:\DOCUME~1\REIDVA~1\LOCALS~1\Temp\c.exe');
    DeleteFile('C:\DOCUME~1\REIDVA~1\LOCALS~1\Temp\c.exe');
    RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','PopRock');
    BC_DeleteFile('C:\Documents and Settings\All Users\Application Data\dbf2e4c\WSdbf2.exe');
    DeleteFile('C:\Documents and Settings\All Users\Application Data\dbf2e4c\WSdbf2.exe');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Windows System Defender');
    BC_DeleteFile('C:\WINDOWS\fonts\services.exe');
    DeleteFile('C:\WINDOWS\fonts\services.exe');
    BC_DeleteFile('C:\WINDOWS\TEMP\wow64main.exe');
    DeleteFile('C:\WINDOWS\TEMP\wow64main.exe');
    RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','wow64main.exe');
    RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','wow64main.exe');
    RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','winhbt.exe');
    BC_DeleteFile('C:\WINDOWS\TEMP\winhbt.exe');
    DeleteFile('C:\WINDOWS\TEMP\winhbt.exe');
    RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','winhbt.exe');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','exec');
    BC_DeleteFile('C:\WINDOWS\system32\net.net');
    DeleteFile('C:\WINDOWS\system32\net.net');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','net');
    BC_DeleteFile('C:\WINDOWS\system32\sdra64.exe');
    DeleteFile('C:\WINDOWS\system32\sdra64.exe');
    BC_DeleteFile('C:\WINDOWS\system32\progman.exe');
    DeleteFile('C:\WINDOWS\system32\progman.exe');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\WOW\boot','shell');
    BC_DeleteFile('C:\DOCUME~1\REIDVA~1\LOCALS~1\Temp\d.exe');
    DeleteFile('C:\DOCUME~1\REIDVA~1\LOCALS~1\Temp\d.exe');
    BC_DeleteFile('C:\WINDOWS\Temp\VRT1B7.tmp');
    DeleteFile('C:\WINDOWS\Temp\VRT1B7.tmp');
    BC_DeleteFile('C:\WINDOWS\Temp\VRTC.tmp');
    DeleteFile('C:\WINDOWS\Temp\VRTC.tmp');
    DeleteFile('C:\WINDOWS\Temp\VRTE.tmp');
    BC_DeleteFile('C:\WINDOWS\Temp\VRTE.tmp');
    BC_DeleteFile('C:\WINDOWS\Fonts\services.exe');
    DeleteFile('C:\WINDOWS\Fonts\services.exe');
    BC_DeleteFile('D:\autorun.inf');
    DeleteFile('D:\autorun.inf');
    BC_DeleteFile('D:\IEXPLORE.EXE');
    DeleteFile('D:\IEXPLORE.EXE');
    ExecuteRepair(9);
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    end.

  4. Note: When you run the script, your PC will be restarted
  5. Click Run
  6. Restart your PC if it doesn't do it automatically.


ON COMPLETION

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach the zip file to your next post


strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 07:00 PM, Post #14

OK, I ran the script you sent. It did not restart automatically. After manually restarting with the normal Windows boot mode, I was unable to log in - after entering my password I was given the error message "XXX Domain not available" where XXX is my name. I restarted again using the "last known good configuration" option and ran the second AVZ analysis, with output appended.

Thank you so much for your help thus far! If things prove too complicated I am not averse to reinstalling my OS, though I would want to recover files where possible.

Attached File: virusinfo_syscheck.zip (41.93K)
strohmen (Member, Posts: 14, OS: Windows XP Tablet Edition)
post Oct 30 2009, 07:02 PM, Post #15

Oh and sorry, but ComboFix still did not seem to work.