Cannot Remove Several Problems

My wife’s computer has been attacked by several different “viruses”, the worst of which seems to be JS:FakeAV-AA [TRJ]. I also found three rootkits: Win32.TDSS.rtk, Win32:Alureon-BY [rtk], and Win32:Alureon-CE[rtk]. So far I have run AVG in both normal and safe modes, Spybot S&D (which crashes the system in normal mode but runs in safe mode), Adaware in normal and safe mode, and Avast! in normal and safe mode. Most times the software finds something. Many times it could not move the files to the chest but could delete them. Even still, the virus continues. Also, I have turned off System Restore. The virus is not allowing me to use Add/Remove Programs or open the Task Manager. The computer is running Windows XP Media Edition, SP3. Help!

You could give Malwarebytes Antimalware and SUPERAntiSpyware a try. These are two other free anti-malware products that run well with avast, and with other antivirus programs for that matter, so give those a try.

http://www.malwarebytes.org/
http://www.superantispyware.com/

Download, install, update, and run a scan. Move to quarantine; it can be a false threat as well, but in your case it seems not so.

You can also try a boot scan with avast if you use it as your antivirus.
On your boot scan you can move the infected files to the chest. If that doesn’t work, hit the delete button instead.

Good luck. Write back if you get any more problems on the way.

And welcome to the forum.

Have a look at the link, download RootRepeal, then copy/paste the log here.

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Thank you both for your rapid responses and insight. I had already done an avast! boot scan that didn’t help either. My newest problem is that I can still download but I can’t get it to install anything. So both of your suggestions are on hold. Any new ones?

You could try renaming MBAM. I doubt this will help much, but it’s worth a try. MBAM will not remove the rootkits (I doubt). However, rename the setup file for MBAM, e.g. moon setup.exe, and double-click the renamed file. If installation is successful, go to C:\Program Files\malwarebytes antimalware\mbam.exe and rename mbam.exe, then double-click the renamed file.
Also, you may need to disable Avast to run RootRepeal. RootRepeal does not need installing.

I downloaded RootRepeal but her computer can’t read .rar files and I can’t even install a .rar reader. When I try to install anything, nothing happens.

You need a program to open the rar file. In the RootRepeal link there is also a download link for a zip file; Windows should open that.

Free RAR extractor http://download.cnet.com/Free-RAR-Extract-Frog/3000-2250_4-10804840.html

@micky77

I think this game is by Sality? (Infects all exe and scr files.)

Edit: it also creates autorun.inf entries. If it (Sality) is the one, then the system may go down (if system files are affected).

Maybe I wasn’t clear. I can’t install anything, including rar readers. Every time I try to install something, I press RUN and nothing happens. So it would seem the Windows Installer has been compromised. I also can’t run anything with the Run command, such as msconfig.

OK, all I can suggest is: try a rescue disk. Download it from another computer, double-click on the file, insert a blank disk, and the program is automatically burnt to disk. Insert the CD/DVD into the infected machine and reboot.

Follow instructions from link. Write down any findings and report back

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

If your current antivirus failed to solve your problem, try another antivirus engine. Also, it seems some of your problems cannot be fixed because you have some virus running which cannot be terminated, so a good solution for you is a bootable antivirus from another company. There are some free bootable antivirus discs, such as Dr.Web Live CD and Avira Rescue System. I offer you Avira Rescue System.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. You can download it from Here. You can learn how to use it from Here.
Also, if you want to burn that disc yourself with your own burning tool (such as Nero or…), you can download the image file (.iso) from Here.
After burning it to disc, use it to boot your computer, do a full scan and remove everything it finds.

And then you should be able to install new programs, so:
Download, install and update these programs (just use the offline update installer if you cannot use Live Update to update your programs):

Malwarebytes Antimalware
Download: http://www.malwarebytes.org/mbam.php
Offline updater: http://www.malwarebytes.org/mbam/database/mbam-rules.exe

SUPERAntiSpyware
Download: http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe
Offline updater: http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE

Spyware Terminator (Install as Scanner Only)
Download: http://www.spywareterminator.com/download/download.aspx
Offline updater: http://www.spywareterminator.com/dnl/files/1/bin_stdata_pack.cab

SpyBot S&D (disable all residents during Install)
Download: http://www.safer-networking.org/en/mirrors/index.html
Offline updater: http://www.spybotupdates.biz/updates/files/spybotsd_includes.exe

Scan your computer using them.

Then, protect your Windows hosts file from internet traffic to malware domains and prevent future problems.

Download and install HostsMan.
After installing, run it, click on “update Hosts”, choose “MVPS Hosts” and in the options below choose “Overwrite Current” hosts.
This step would immunize your hosts file and would prevent any internet traffic to malware sites, and would also fix the Windows hosts file if it has been hijacked by malware.
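
An added example, not part of the original post and not HostsMan's own code: a read-only audit of hosts file content that separates blocklist-style entries (names pointed at 127.0.0.1 or 0.0.0.0, as in the MVPS list) from names redirected to a routable address, which is what a hijacked hosts file looks like. The sample content and every name and address in it are constructed.

```python
import ipaddress
import sys

# Constructed sample: a stock entry, two blocklist entries,
# two hijack-style redirects and one malformed line.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
0.0.0.0         ads.example.net       # blocklist entry
127.0.0.1       tracker.example.org
203.0.113.7     update.av-vendor.example www.av-vendor.example
198.51.100.23   www.bank.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]

def audit_hosts(text):
    """Classify every hostname as 'local', 'redirect' or 'invalid'."""
    report = {"local": [], "redirect": [], "invalid": []}
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            kind = "invalid"
        else:
            # Loopback or 0.0.0.0 / :: blocks the name; anything else redirects it.
            kind = "local" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        for name in names:
            report[kind].append((line_no, addr, name))
    return report

if __name__ == "__main__":
    # Pass a path (e.g. C:\WINDOWS\system32\drivers\etc\hosts) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    result = audit_hosts(text)
    for line_no, addr, name in result["redirect"]:
        print(f"line {line_no}: {name} -> {addr} (review: not a blocklist entry)")
    print(len(result["local"]), "local entries,", len(result["invalid"]), "unparseable")
```

Any name under "redirect" deserves a manual look before and after overwriting the file, since a legitimate blocklist only ever points names at the local machine.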

Sorry if I’m a bit late about this, but have you tried putting a .exe version of HijackThis onto the computer and running that? Send us the code and we’ll get back to you.

Just wanted to say thanks to everyone who contributed… Avira did the job. After that ran and did its job, I was able to remove everything else with Avast!. Thanks!

You’re welcome :)