• Double-click the icon to start the tool.
• It will ask you where to extract it, then it will start.
• Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
• Click in the introduction screen “next” to continue.
• Click in the following screen “Update” to obtain the latest malware definitions.
• Once the update is complete select “Next” and click “Scan”.
• When the scan is finished and no malware has been found select “Exit”.
• If malware was detected, make sure to check all the items and click “Cleanup”. Reboot your computer.
• Open the MBAR folder and paste the content of the following files in your next reply:
Always have one (and no more than one!) AntiVirus program! In this case having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark one another as harmful, leaving your system unstable and even damaged. Please choose only one from those listed below to stay with and uninstall the others:
Dear TwinHeadedEagle,
Attached, you should find a copy of fixlog.txt as requested.
Panda Antivirus was the programme that allowed the malware through in the first place. I turned it off once I had successfully installed Avast. I have now uninstalled it as requested.
After rebooting, the home page for internet explorer changed from google to:
http://www.msn.com/en-ae/?ocid=iehp
Avast became inaccessible in internet explorer. There was a message:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://forum.avast.com again. If this error persists, contact your site administrator.
I did this, but found that they were already turned on. I have therefore re-opened IE and I hope I am now able to communicate.
Thanks for continuing this process. Do let me know what I should do next!
At first, everything seemed fine with my external hard drive, but now it has started disappearing (from Windows Explorer), then reappearing again (after an MCShield scan – which says that it’s clean each time).
The external hard drive didn’t behave like this on the other computer, yesterday. The timing resembles that of its previous behaviour on my computer (when it became inaccessible).
Notwithstanding the drive’s coming and going, Avast managed to scan it and found no malware – although it was unable to scan a large number of files.
Dear TwinHeadedEagle,
Thanks for the message. I’m sorry to hear that your hands are tied and that you cannot help me further. I recognize that you’ve helped me significantly – for which many thanks! – but I am pretty sure that my computer is still infected with malware.
I certainly don’t think that my external hard drive is malfunctioning hardware-wise as you suggest, as it works perfectly with a different computer.
I am of course, very disappointed that Avast isn’t able to detect the malware on my computer.
I guess I’ll just have to delve further into the realms of malwarfare until I can find someone who is able to address the problem. If you have any suggestions of where to look, I’d be very grateful…
One additional bit of information: I took a memory stick with files from my computer (on which it appears to work perfectly – no shortcuts, no viruses according to Avast) to another computer today (to print out a document), and discovered that the memory stick was full of shortcuts that I certainly hadn’t put there intentionally…
Thanks, once again, TwinHeadedEagle. Attached, you should find fixlog.txt, as requested. Let me know what I should do next. I tried copying some files onto my external hard drive last night. It transferred the files rather slowly (~1Mb per sec), but did not disappear or become inaccessible…
Hi, TwinHeadedEagle,
This is an attempt to keep you updated.
I’m glad to say that my computer appears to have stopped filling up external drives with spurious links and shortcuts.
However, it’s slow, sometimes very slow. It speeds up briefly, after cleaning, but it’s as if there’s something that quickly clogs up the memory.
Might it be something to do with the following?
• C:\Windows\SysWOW64\wpcmig.dll
• C:\Windows\SysWOW64\wpcumi.dll
They always appear as ‘Broken CLSIDs’ when I clean the Registry.
Svchost.exe is often the process taking up the largest part of the memory (from time to time – when things are bad) and the relevant Services Group is usually ‘netsvcs’ or ‘LocalSystemNetworkRestricted’.
Anyway, I attach two files, the results of scanning with Farbar Recovery Scan Tool.
Avast is running as is MCShield: neither has sent any warning signals.
This is a very powerful tool that should be used only if advised by a Malware Analyst. Do not run ComboFix on your own!
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.