2 out of 3 users ok

I have 3 users on my machine. I have run Quick scan and 1 threat was detected and deleted. Then ran a full scan with no reports of problems. However, one of the users has malware (the police crime UK), which stops his log on. I’m new to Avast and not that good with computers. Any help would be appreciated. Ann

Hey and a warm welcome to the Avast forum, Ann.

I suggest you follow this guide and attach your logs.

We need the logs from OTL, AdwCleaner, aswMBR and Malwarebytes.

http://forum.avast.com/index.php?topic=53253.0

Thank you for the advice. I’ve loaded Malwarebytes and run a quick scan with no threats reported. My machine is now running a full scan which I hope will find the problem, but will take a long time. Ann

Is it just one user on the XP system that has the malware?

I have Windows 7 Home edition, Microsoft Version 6.1.7601. The full system scan found a Trojan which I deleted. The log read c:\users\Dad\Documents59b0f739.exe. When we tried to restart using the affected user i.d., on a black screen we got Administrator.cmd.exe
C:Users\Rich.Dad\documents\59b0f739.exe is not recognised as an internal or external command then
C:\Windowssystem32>
Nothing then would happen, so we used Alt Ctrl Del to escape it.
Not much further forward now and very confused.
Ann

OK could you run OTL on the affected computer please

Download OTL to your Desktop
Secondary link

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

- Select All Users
- Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs

When I tried to run the program I got back that it could not be run from a temporary folder.

Aye it needs to be on the desktop

I’ve managed to do it, I think, and attached the report. Ann

OK, I can see it :) I see you also have McAfee installed; you will need to remove either that or Avast, as more is not better in this case.
Let me know which you wish to remove and I will give instructions for it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O20 - HKLM Winlogon: Shell - (C:\PROGRA~3\eqgwb.bat) - C:\ProgramData\eqgwb.bat ()
[2013/05/10 16:09:24 | 001,038,437 | ---- | M] () -- C:\ProgramData\2433f433
[2013/04/13 11:13:54 | 095,023,320 | ---- | M] () -- C:\ProgramData\eqgwb.pad
[2013/04/13 01:25:55 | 000,000,151 | ---- | M] () -- C:\ProgramData\eqgwb.reg
[2013/04/13 01:25:54 | 000,000,055 | ---- | M] () -- C:\ProgramData\eqgwb.bat
[2013/03/23 10:34:32 | 000,000,153 | ---- | C] () -- C:\ProgramData\0067757.reg
[2013/03/23 10:34:32 | 000,000,063 | ---- | C] () -- C:\ProgramData\0067757.bat
[2013/03/23 10:34:17 | 000,011,576 | ---- | C] () -- C:\ProgramData\0067757.pad

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
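The fix script in the post above can be read mechanically. The following Python sketch is an added example, not part of the thread or of OTL itself: it parses the quoted lines, reports Winlogon Shell entries that do not point at explorer.exe, and groups the listed files by name stem to show which `.bat`/`.reg`/`.pad` sets belong together. The line layout is inferred only from the lines quoted in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
# Lines copied from the fix script in the post above (layout inferred from them).
SAMPLE = r"""O20 - HKLM Winlogon: Shell - (C:\PROGRA~3\eqgwb.bat) - C:\ProgramData\eqgwb.bat ()
[2013/05/10 16:09:24 | 001,038,437 | ---- | M] () -- C:\ProgramData\2433f433
[2013/04/13 11:13:54 | 095,023,320 | ---- | M] () -- C:\ProgramData\eqgwb.pad
[2013/04/13 01:25:55 | 000,000,151 | ---- | M] () -- C:\ProgramData\eqgwb.reg
[2013/04/13 01:25:54 | 000,000,055 | ---- | M] () -- C:\ProgramData\eqgwb.bat
[2013/03/23 10:34:32 | 000,000,153 | ---- | C] () -- C:\ProgramData\0067757.reg
[2013/03/23 10:34:32 | 000,000,063 | ---- | C] () -- C:\ProgramData\0067757.bat
[2013/03/23 10:34:17 | 000,011,576 | ---- | C] () -- C:\ProgramData\0067757.pad
"""

FILE_RE = re.compile(
    r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| "
    r"(?P<flag>\w)\] \((?P<company>.*?)\) -- (?P<path>.+)$")
SHELL_RE = re.compile(
    r"^O20 - (?P<hive>\w+) Winlogon: Shell - \((?P<value>.+?)\) - "
    r"(?P<path>.+?) \((?P<company>.*?)\)$")

def parse_files(text):
    """Return one dict per file-listing line, with size as an int."""
    rows = [m.groupdict() for m in map(FILE_RE.match, text.splitlines()) if m]
    for row in rows:
        row["size"] = int(row["size"].replace(",", ""))
    return rows

def shell_overrides(text):
    """Winlogon Shell entries that point at something other than explorer.exe."""
    found = [m for m in map(SHELL_RE.match, text.splitlines()) if m]
    return [(m["hive"], m["path"]) for m in found
            if PureWindowsPath(m["path"]).name.lower() != "explorer.exe"]

def artifact_sets(rows, wanted=frozenset({".bat", ".reg", ".pad"})):
    """Stems whose files (empty company field) cover every extension in `wanted`."""
    seen = defaultdict(set)
    for row in rows:
        if not row["company"]:
            p = PureWindowsPath(row["path"])
            seen[p.stem.lower()].add(p.suffix.lower())
    return sorted(stem for stem, exts in seen.items() if wanted <= exts)

def linked_to_shell(text):
    """Artifact sets whose stem matches a replaced Shell target."""
    targets = {PureWindowsPath(p).stem.lower() for _, p in shell_overrides(text)}
    return [s for s in artifact_sets(parse_files(text)) if s in targets]
```

On the quoted lines, only the `eqgwb` set is tied to the HKLM Shell entry; the `0067757` set has the same three-file shape but no matching launch point in this excerpt.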

Just removed McAfee but still got Malwarebytes as I read the two are ok to keep and that McAfee is not as good as Avast.
Thank you for your patience. Ann

Done that, hope the report attached as I struggle with this sort of stuff. Ann

Just realised I did not check the All Users box before doing the quick scan. Is that OK? Ann

Could you now confirm that the infected account is now accessible and usable?

Sorry to say he still can’t log on. Same as originally reported.
Administrator.cmd.exe
“C:\Users\Rich.Dad\Documents\59b0f739.exe” is not recognised as an internal or external command.
Operable program or batch file C:\windows\system32>
Shame really, because when I logged back in from power up the machine seemed faster than before.
Now what do I do? Ann

OK, are you able to get to safe mode with that account?

If not could you run a fresh OTL log for me please again selecting all users

Can’t get in using Safe Mode. The scan was much faster. Log attached. Ann

Hmm I cannot see that launch point

- Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled

- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished …
- Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

- The report has been created on the desktop.

- Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

- The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Thank you so much for your time and patience. It’s been a long day for me and still you’re working on my problem. Now my brain hurts so I will carry on tomorrow. Thanks again Ann

No problem, nearly my bedtime now :)