Active Antivirus soft has infected my computer

[Active] Antivirus soft has infected my computer

This one's a head banger. You know, repeatly hitting your forehead on the desk.

One of the boys in my house thought he needed to download some music, even tho they know better. Now I'm infected w/antivirus soft and cannot bring up any programs including dds.scr, anti-malware, word, avg or anything else. I'm frankly amazed that I can still get on the internet.

I did google antivirus soft and found several sites telling me how to remove it but I just don't trust them. I trust you guys and am hoping you can help me once again.

Where do I start?

Thanks so much

 

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

====

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

See if you can also get DDS to run now and post the logs.

 

Thank you for your quick reply.

I downloaded rkill.com and briefly saw the black dos box before antivirus soft said it was infected and couldn't run. I wasn't sure if it worked so I downloaded and ran rkill.scr and saved the log to the desktop, rebooted the computer.

Antivirus soft will still not allow me to open the log, run malwarebytes or HJT.

 

Delete the MBA-M installation file that is on your pc at present.
Go back to download MBA-M again. Click on the link to download it. Select the "Save" option.
When the panel pops up to ask you where you wish to save the file, before choosing where, rename the file. I chose "bambam. "
Once you have saved it, try again to install it. See if you can run it now.

 

I did exactly what you asked and anti-malware still will not load.

 

Can you go to safe mode with networking and try the following;

Please download ComboFix by sUBs from HERE or HERE

• You must rename combofix BEFORE saving it to your pc.
• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

I can get it in safe mode, but because I have only dial-up, I can't connect to the internet thru safe mode.

 

Try downloading combofix then boot into safe mode to run it.

 

Comfix will not run. This is very frustrating!

 

Download Itty Bitty Process Manager (IBProcMan.zip)(direct download) http://majorgeeks.com/Itty_Bitty_Process_Manager_d4690.html
Run the process manager. Near the top right there are a couple of icons. Select the one to the left to copy to the clipboard. Paste the results back here.

 

Antivirus soft won't let me run that program either.

 

Try changing the file name and try again. What happens when you try to run them?

Have a look for the following files and let me know if they exist;

Windows XP:

O4 - HKLM\..\Run: [<random>] %UserProfile%\Local Settings\Application Data\<random>\<random>sysguard.exe
O4 - HKLM\..\Run: [<random>] %UserProfile%\Local Settings\Application Data\<random>\<random>sftav.exe

Windows Vista and Windows 7:

O4 - HKCU\..\Run: [ucmnrejs] %UserProfile%\AppData\Local\<random>\<random>sysguard.exe
O4 - HKCU\..\Run: [ucmnrejs] %UserProfile%\AppData\Local\<random>\<random>sftav.exe

==

What OS are you running?

 

Still not working. When I try to bring up the processing manager, it flashes, then goes away and I get that message that the file is infected. Do you want to activate your antivirus software now?

I am running XP.

 

And this?

 

Sorry, where would I find those files?

 

Best of doing a system wide search for them. As shown above though, they will be in the userprofile (your name) folder > Local Settings > Application Data > random named folder.

 

this is the only file I found:


C:\Documents and Settings\mom\Local Settings\Application Data\yvhjvt

 

Are you able to delete the C:\Documents and Settings\mom\Local Settings\Application Data\yvhjvt folder?

 

No, says it's in use.

 

Can you go into the folder and delete the files there first?
Have you looked in Task Manager and seen any strange looking files running?
Are you able to take a screen shot of the processes in Task Manager and post it here?