[Render]

I would like you to do this now:

On your working computer go here and create Avira rescue CD

• Boot your infected computer from that CD
• For Boot Options choose 1 (Boot AntiVir Rescue System (default))
• In Virus scanner tab click on Start scanner
• When the scan is finished save the scan report and post it in your next reply
• Eject and remove Avira Rescue CD
• Restart your system in Windows

To set your computer BIOS to boot from a CD

• Restart your computer. Watch the start-up instructions that are displayed on-screen.
• A message will be displayed instructing you to press a named key (often F2, F12, or Delete) to go into settings/setup/configuration. (The key and the message will vary according to the type of computer that you are running.)
• Press this key to enter the BIOS setup mode.
• (If your computer is particularly fast, it may remove the message before you have the chance to press the key; in this case, try pressing the key once a second, starting the moment you reboot.)

Some examples:

• On a Dell computer, you should hit F2 to enter the BIOS.
• Other computers may require you to hit the DEL (Delete) button to enter the BIOS.
• On newer computers, you may be able to hit F12 to select a temporary boot device rather than changing the permanent boot sequence in the BIOS itself. If your computer offers this option, simply select the CD or DVD drive containing the antivirus CD as your temporary boot device, and skip steps 2 and 3.

• In the BIOS window, find the area that controls the boot sequence and rearrange the list of devices so that your CD or DVD drive is checked before your hard drive.
• For most situations, a suitable sequence is:

• CDROM (or DVDROM)
• HD1 (or C).

• If your drives are listed in this order, then when you keep the CD in your CD or DVD drive during a reboot, your computer will be told to run and check for viruses on your system. (If the hard drive is listed earlier than the CD drive, your computer will not detect the CDs presence and will simply boot into Windows.)
• Save the settings and exit.
• When your computer reboots, it will check the CD or DVD drive containing the disk before it checks the hard drive. You may press any key on your keyboard to boot from CD.

[Advertisements]

This is the same problem http://www.geekstogo...and-off-solved/ but it does not show how it was resolved.

[skookum]

This is the same problem http://www.geekstogo...and-off-solved/ but it does not show how it was resolved.

[Render]

I still didn't find your main infection. I will search for solution to fix that blinking desktop. In meanwhile please proceed with instructions from my previous post.

[Render]

I'm still in the dark but let's try this first:

So you can get to Task Manager with pressing CTRL+ALT+DEL? If yes open it and then on Applications tab click on New Task...
Now type in Create New Task window: explorer.exe and press OK.

Icons still flashing?

[skookum]

Well Avira rescue is scanning now, it just found in Users/administrator/desktop/Combo-Fix.exe is the Trojan horse TR/Crypt.XPACK.Gen
Still scanning.......

[Render]

OK. Did you already tried suggestion from my previous post?

[skookum]

I'm still in the dark but let's try this first:

So you can get to Task Manager with pressing CTRL+ALT+DEL? If yes open it and then on Applications tab click on New Task...
Now type in Create New Task window: explorer.exe and press OK.

Icons still flashing?

Yes they are still flashing, however, now all processes are started up and running.
If i have nothing open icons flash and task bar flashes, if i have Firefox open and maximised the taskbar stops flashing and i have access to the processes in the taskbar.
I have 3 programs running at the moment UltraExplorer, UltraSearch and Firefox as long as one is maximised the taskbar does not flash.
I did have my task manager open and windows explorer but as soon as i minimised Firefox to look at desktop both windows explorer and task manger vanished.

Avira rescue scan (my son has got some explaining to do)

Avira / Linux Version 1.9.152.0
Copyright © 2010 by Avira GmbH
All rights reserved.
engine set: 8.2.4.236
VDF Version: 7.11.8.53
Scan start time: Tue May 31 20:41:49 2011
configuration file: /etc/avira/scancl.conf
WARNING: [All files in archive are encrypted] /media/Devices/sda1/Program Files/Amnesia - The Dark Descent/redist/super_secret.rar


WARNING: [Archive is invalid or corrupt] /media/Devices/sda1/Program Files/WinRAR/rarnew.dat


WARNING: [Unexpected end of file] /media/Devices/sda1/Program Files/SoulseekNS/uninstall.exe


WARNING: [Unexpected end of file] /media/Devices/sda1/Users/Administrator/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/41/57cbe429-72000c6a-temp


ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda1/Users/Administrator/Desktop/Combo-Fix.exe <<< Is the Trojan horse TR/Crypt.XPACK.Gen [archive scan abort]


[renamed]
WARNING: [File is encrypted] /media/Devices/sda1/Users/Administrator/Documents/Vuze Downloads/Pirates.Of.The.Caribbean.4.2011.DVDScr.XVID - IMAGiNE/pirates4-imagine/pirates4-imagine/pirates4-imagine.rar


WARNING: [Unexpected end of file] /media/Devices/sda1/vsti/iZotope/Ozone 4/uninstall.exe


Statistics :
Directories............... : 39611
Archives.................. : 2912
Files..................... : 1109273
Infected.............. : 2
Renamed........... : 2
Warnings.............. : 288
Suspicious............ : 0
Infections................ : 2

[Render]

Hi,

Nothing serious in Avira log. That's good. So as I understand you are now able to download and run tools from that machine in question. If so I would start with this:

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

[skookum]

Downloaded 3 times to 3 seperate locations on each attempt to run i get "SETUP FAILED-ERROR READING SETUP DATA"

[Render]

Please run RogueKiller again:

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 1 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

[skookum]

RogueKiller V5.1.9 [05/29/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date : 06/01/2011 00:08:50

Bad processes: 0

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

[Render]

That's OK. Now try to run aswMBR scan one more time.

[skookum]

Nope that won't run, same as before.

[Render]

OK. Try to run Malwarebytes Antimalware as described below:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

• Open Malwarebytes' Anti-Malware.
• Select the Update tab.
• Click on Check for Updates button.
• Click on OK.
• Select the Scanner tab.
• Select Perform quick scan, then click on Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

[skookum]

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6737

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

01/06/2011 00:37:31
mbam-log-2011-06-01 (00-37-31).txt

Scan type: Quick scan
Objects scanned: 212680
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)