[DinahMo]

Per the suggested initial process on geeks to go, I tried installing TFC, System Restore, and was about to do ERUNT when I gave up. I had to download the .exe's onto flash drive via my laptop - when I transferred the programs to my desktop (which is the one that is infected) they seemed to successfully install, but I could not open them as the attacking progam(s) says "Application cannot be executed. The file mbam.exe is infected. Do you want to activate your antivirus software now?" Same when I tried the system restore program.

Program keeps popping up the same security warning and lists wuauclt.exe as infected.

MacAfee Security cannot be opened now, although AVG Antispyware (not updated since Dec 08) could be opened once and did run but didn't find anything - however, now when I click it, it has the same "avgas.exe is infected" message. In fact, it seems most things come up with that message.

Periodically the computer opens up Internet Explorer and tries to go to www.viagra.com, or www.[bleep].com, etc.

I get a "Windows Security Center" window that pops up and looks official.

I also get a "Spyware alert" window that asks to "Activate your antivirus software" button.

Finally, an icon for "Antivirus Live" has appeared on my toolbar that occasionally opens and starts "scanning".

Thanks for any assistance you can give me.

Sincerely,

DinahMo

[Advertisements]

Sometimes if you rename the tool say from otl.exe to otl.com it will run.

You might try this tool:

http://www.symantec....-050614-0532-99

Probably be best if you could run it in Safe Mode (F8 during boot). If you can get it to work it should allow .exe files to run.

Another possibility is one of these:

http://www.askvg.com...ure-and-others/

Ron

[RKinner]

Sometimes if you rename the tool say from otl.exe to otl.com it will run.

You might try this tool:

http://www.symantec....-050614-0532-99

Probably be best if you could run it in Safe Mode (F8 during boot). If you can get it to work it should allow .exe files to run.

Another possibility is one of these:

http://www.askvg.com...ure-and-others/

Ron

[DinahMo]

Ron,

In Safe mode, I ran the Malwarebytes Anti-Malware tool - it found 30 items which were cleaned.

I then ran McAfee full system scan, where it found 1 item that has been quarantined.

I rebooted, and things looked good for about 30 seconds after full system boot - a skinny rectangle icon for "Antivirus Live" that had appeared in my toolbar tray during these events wasn't there, and MacAfee icon didn't have an X through it. All seemed well

But then ...

I got a similar "your file xxxxxxxx is infected, do you want to run anti-virus" message came on, the Antivirus Live icon appeared in the bottom tray again, and the computer started acting similarly to my first post, although I didn't give it time to start clicking arounf the desktop.

Next step?

DinahMo

[RKinner]

Bleeping Computer has a removal procedure:

http://www.bleepingc...-antivirus-live

Some of it you've done but I suspect the order is important.

Ron

[DinahMo]

OK - so I used SpyBot, and that seemed to do the trick, BUT ...

now I cannot log on to the internet. I have tried plugging, unplugging, etc.

On any site I try, I get "Internet Explorer cannot display webpage", with no option for "let IE try to fix this"

If I remove the cord from the back of the computer and plug it to my laptop, I can access the internet. I plug it back into the desktop, and nothing.

Any suggestions?

DinahMo

[RKinner]

Probably IE is looking for a proxy that is no longer there. In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and reopen and see if that helps.

Ron

[DinahMo]

That didn't work...

[RKinner]

Start, Run, cmd, OK to open a command window. Type with an Enter after each line and wait for the prompt to return before typing the next line:

ipconfig /all

If the IP address begins with 169. then we have problems. What IP address, mask and Default gateway do you have? What DNS server?

nslookup att.com

(This tests your system's DNS ability. You should get something like:

Server: UnKnown
Address: 192.168.0.1

Non-authoritative answer:
Name: att.com
Addresses: 144.160.134.80
144.160.103.104

If it times out then it's not working.)


tracert -d 212.187.255.8

(This checks your internet connectivity. You should get something like this:

Tracing route to 212.187.255.8 over a maximum of

1 10 ms 10 ms 9 ms 192.168.0.1
2 10 ms 11 ms 10 ms 192.168.1.254
3 24 ms 23 ms 23 ms 68.216.193.3
4 25 ms 26 ms 25 ms 68.216.193.37
5 38 ms 26 ms 28 ms 205.152.237.128
6 25 ms 26 ms 25 ms 65.83.236.12
7 25 ms 25 ms 27 ms 65.83.238.142
8 38 ms 37 ms 36 ms 12.123.34.18
9 38 ms 37 ms 37 ms 12.122.31.29
10 37 ms 39 ms 36 ms 12.122.82.101
11 195 ms 203 ms 199 ms 192.205.35.214
12 51 ms 36 ms 37 ms 4.68.103.30
13 55 ms 53 ms 53 ms 4.69.132.86
14 54 ms 53 ms 54 ms 4.69.134.142
15 58 ms 54 ms 54 ms 4.69.134.189
16 58 ms 59 ms 57 ms 4.69.132.94
17 128 ms 128 ms 126 ms 4.69.137.69
18 130 ms 127 ms 127 ms 4.69.139.110
19 128 ms 128 ms 127 ms 212.113.10.138
20 127 ms 128 ms 126 ms 212.187.255.8

Trace complete.

The above won't fix anything but it will tell me if we have network problems.
Ron

[DinahMo]

ipconfig /all =>
Windows IP Configuration
Host Name: your-b27fb1c401
Primary Dns Suffix:
Node Type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No

Ethernet adaptor Local Area Connection:
Media State: Media Disconnected
Description: Realtek RTL8139/810x Family Fast Eth
Ethernet NIC
Physical Address: 00-13-D4-EA-72-A5

nslookup att.com=>
Default Servers not available
Server: Unknown
Address: 127.0.0.1
Unknown can't find att.com: No responses from server

more to follow

[DinahMo]

What IP address, mask and Default gateway do you have? What DNS server?

Where do I find these? I don't know the terms mask and Default gateway.

[DinahMo]

tracert -d 212.187.255.8
Tracing route to 212.187.255.8 over a maximum of 30 hops
1 Destination host unreachable
Trace complete

[DinahMo]

disregard previous - I ran the commands without my internet chord being plugged in.

[RKinner]

Yep that's what it says:

Media State: Media Disconnected