explorer.exe using 100% cpu

My wife opened a message from the fake WhatsApp voice message service 3 days ago. I ran Avira, Ad-Aware, AdwCleaner, and Malwarebytes, and some security program that MS said would fix the problem. Yesterday the process running was vyyxab.exe and after running Malwarebytes it has now changed to explorer.exe, or they were both there and separate viruses. I found the log file from AdwCleaner, but when I go to where Malwarebytes says the log file is I can't find it.

I am attaching AdwCleaner's first log since it won't let me post it on here.
I found the mbam log but it's xml and can't be attached.

I will try to find the log from Malwarebytes. The first run I did in normal mode and it took nearly 3 hours, and didn't fix the problem, but did remove 150. The second time I ran it in safe mode and it removed another 109. I am leaving it in safe mode and doing this on my Mac; hopefully this thing doesn't spread through USB drives when transferring the logs.

Re: explorer.exe using 100% cpu
Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Remove the Adware:

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

*********************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

  • Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Copy and Paste the JRT.txt log into your next message.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
************************************
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Running
Profile name : default-1395609776932 [Profil par défaut]
File : C:\Users\b\AppData\Roaming\Mozilla\Firefox\Profiles\5bdh1le6.default-1395609776932\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Users\Mario\AppData\Roaming\Mozilla\Firefox\Profiles\gmdjriqc.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v33.0.1750.154

File : C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4556 octets] - [23/03/2014 19:16:02]
AdwCleaner[S1].txt - [3589 octets] - [23/03/2014 19:16:48]
AdwCleaner[R2].txt - [1407 octets] - [23/03/2014 19:39:45]
AdwCleaner[R3].txt - [1467 octets] - [23/03/2014 19:41:20]
AdwCleaner[S2].txt - [1531 octets] - [23/03/2014 19:41:39]
AdwCleaner[R4].txt - [1463 octets] - [24/03/2014 14:57:08]
AdwCleaner[S3].txt - [1523 octets] - [24/03/2014 14:57:40]
AdwCleaner[R5].txt - [2209 octets] - [24/03/2014 16:58:46]
AdwCleaner[S4].txt - [2283 octets] - [24/03/2014 16:59:46]
AdwCleaner[R6].txt - [1713 octets] - [25/03/2014 11:18:37]
AdwCleaner[R7].txt - [1773 octets] - [25/03/2014 13:14:01]
AdwCleaner[S5].txt - [1704 octets] - [25/03/2014 13:14:23]

########## EOF - C:\AdwCleaner[S5].txt - [1832 octets] ##########



JRT would not run so I went on to the next:

Results of screen317's Security Check version 0.99.81
x64
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Ad-Aware Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 51
Java(TM) 6 Update 3
Java version out of Date!
Adobe Flash Player 12.0.0.77
Google Chrome 33.0.1750.146
Google Chrome 33.0.1750.154
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

This is after running mbar RootKit
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3183779840, free: 1975422976

Downloaded database version: v2014.03.25.06
Downloaded database version: v2014.03.18.01
Initializing...
=======================================
------------ Kernel report ------------
03/25/2014 13:39:42
------------ Loaded modules -----------
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80035f74c0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80033d2060
Lower Device Driver Name: \Driver\atapi\
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80035f74c0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80033d2060
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80035f74c0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80035f8b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80035f74c0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa8003345270, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80033d2060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xfffff880154f9720, 0xfffffa80035f74c0, 0xfffffa8005f48790
Lower DeviceData: 0xfffff88010d4f480, 0xfffffa80033d2060, 0xfffffa8005ef8080
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D6811D82

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 625137664
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Sectors 1 - 94 --> [Forged physical sectors]
Sectors 211 - 550 --> [Forged physical sectors]
Done!
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_0a08805d.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_162d1dab.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_1aa89991.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_a3f07173.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_b09cdcaf.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_ec6f43a1.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_f72e80b1.exe --> [Spyware.Zbot]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-1-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-1-k.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-211-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-211-k.mbam...
Removal finished


Database version: v2014.03.25.06

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
b :: B-PC [administrator]

3/25/2014 1:39:49 PM
mbar-log-2014-03-25 (13-39-49).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 319438
Time elapsed: 37 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_0a08805d.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_162d1dab.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_1aa89991.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_a3f07173.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_b09cdcaf.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_ec6f43a1.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_f72e80b1.exe (Spyware.Zbot) -> Delete on reboot.

Physical Sectors Detected: 2
Physical Sector #1 on Drive #0 (Forged physical sector) -> Replace on reboot.
Physical Sector #211 on Drive #0 (Forged physical sector) -> Replace on reboot.

(end)

I have the second one running now in safe mode because the explorer.exe was very persistent during the entire process, but only attacks when on a network.

Finished all of the tests.
So I finished the tests, and I ran the fixtools that came with the last one hoping that it would fix the security, but it doesn't seem to have worked. After rebooting into safe mode with network the virus still came back, so I rebooted it back into safe mode and put it to sleep until I get my next step of directions. I saw that Java is out of date, and was going to fix that, but then remembered that I am supposed to do things as instructed. Sorta sad though, I have an AAS degree in programming with Java as my main language. But it is my wife's computer, I hate MS.

Re: explorer.exe using 100% cpu
The reason it shows out-of-date is because there's an older version there. You can uninstall Java(TM) 6 Update 3.
Keep trying to run JRT.


Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[Image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[Image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[Image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: explorer.exe using 100% cpu
Tried to run JRT and the box to run showed this time, but when I click run you see a box open and close, then nothing. So I am running ComboFix now. I'm hoping I didn't do something wrong, because Ad-Aware is not responding when trying to shut it down; it says no service available, so I went into the task manager and ended its process there. ComboFix says it's still running, so I tried to uninstall, but ComboFix took over and shut down all other windows and ran anyway.

Last edited by ripper1028 on 26th March 2014, 2:31 pm; edited 1 time in total (Reason for editing : Can't paste combo's Log so attaching it.)

Re: explorer.exe using 100% cpu
I couldn't paste ComboFix.txt; I keep getting "you can't post emails or links". I removed all of the @ symbols and tried again and still got the error, so I removed the only links that I could find and still got the error.

Re: explorer.exe using 100% cpu
Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    DDS::
    Trusted Zone: engdis.com

    Firefox::
    Trusted Zone: engdis.com


  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: Cfscriptb4]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this action.

*********************************************
I'd like to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [Image: EsetOnline] button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
      • Click on [Image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the [Image: EsetSmartInstallDesktopIcon-1] icon on your desktop.
  • Check [Image: EsetAcceptTerms]
  • Click the [Image: EsetStart] button.
  • Accept any security warnings from your browser.
      • Leave the check mark next to Remove found threats.
  • Check [Image: EsetScanArchives]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [Image: EsetListThreats]
  • Push [Image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [Image: EsetBack] button.
  • Push [Image: EsetFinish]

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
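As an added example (my own code, not from the thread or from ComboFix), the following Windows PowerShell script audits the Internet Explorer ZoneMap that the "Trusted Zone: engdis.com" line above refers to, and lists every host mapped to zone 2 (Trusted sites) in both the user and machine hives. The registry layout is the standard one for IE; Get-ZoneMapEntries is a helper written for this example, and Get-WmiObject-era cmdlets are avoided so it runs on the PowerShell 2.0 that Vista ships with.

```powershell
# Zone numbers as stored in ZoneMap values (DWORD data on each host key).
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    # Helper for this example: walk one ZoneMap\Domains (or EscDomains) key.
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }

    foreach ($domainKey in @(Get-ChildItem $Root -ErrorAction SilentlyContinue)) {
        # IE stores "*.example.com" as key example.com with one value per scheme,
        # and "www.example.com" as key example.com\www. Value names are the scheme
        # ("http", "https", "*"); the data is the zone number.
        $nodes = @($domainKey) + @(Get-ChildItem $domainKey.PSPath -ErrorAction SilentlyContinue)
        foreach ($node in $nodes) {
            $hostName = if ($node.PSPath -eq $domainKey.PSPath) {
                $domainKey.PSChildName
            } else {
                '{0}.{1}' -f $node.PSChildName, $domainKey.PSChildName
            }
            $props = Get-ItemProperty $node.PSPath
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }      # provider metadata, not registry values
                if ($prop.Value -isnot [int]) { continue }     # only DWORD zone numbers are meaningful
                $zone = [int]$prop.Value
                New-Object PSObject -Property @{
                    Host     = $hostName
                    Scheme   = $prop.Name
                    Zone     = $zone
                    ZoneName = $zoneNames[$zone]
                    Key      = $node.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
    }
}

# Both hives, plus EscDomains (used when Enhanced Security Configuration is on).
# IP ranges under ZoneMap\Ranges are not covered by this example.
$roots = @()
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Domains', 'EscDomains') {
        $roots += "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$sub"
    }
}

$entries = @(foreach ($r in $roots) { Get-ZoneMapEntries -Root $r })
$trusted = @($entries | Where-Object { $_.Zone -eq 2 })

if ($trusted.Count -eq 0) {
    Write-Host 'No hosts are mapped to the Trusted sites zone.'
} else {
    Write-Host ("{0} host(s) in the Trusted sites zone:" -f $trusted.Count)
    $trusted | Format-Table Host, Scheme, ZoneName, Key -AutoSize
}
```

Any host listed that you did not add yourself is a candidate for the same removal the CFScript above performs; the Key column shows exactly which registry key holds the mapping.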

Re: explorer.exe using 100% cpu
I ran ComboFix with the added script file, but when I ran the other online scan it got to 68 percent and just stayed there for almost an hour before I gave up and shut it down. I ran it in the normal booted-up OS. Should I try it in safe mode with networking? When I opened the task manager there were 8 explorer.exe with 100% CPU and 97% of the memory taken. Ironically, at 68% through it hadn't found any malware yet.

Re: explorer.exe using 100% cpu
So SuperDave, 4 days and 15 cleaner programs later and I don't see an end in sight. I am shopping around for a good Linux OS. It will be sad to lose my wife's Office suite because she is learning how to use it from one of my school books, but to not have to go through this it's worth it. I sure do appreciate your time and effort, and have much respect for someone that can deal with this garbage day in and day out. It sure makes me wonder why people use Microsoft at all. 8 years using a Mac and never having anti anything, but 4 years with MS with antivirus and here I am. The first one I removed myself, but this one is way beyond my knowledge. I guess if the market was different the ignorant creators of these things would find a way, but I don't think they would ever be as bad as they are on a Gates machine. And my professor asked me why I don't want to learn .Net, because I don't want to use windows silly professor.

So my question is, IF I can get this virus off my Windows machine, will it ever run the same again? It just took me 11 hours to save my pictures and videos, way too long, but from what I have read about these viruses it seems like there are going to be many side effects even after removal. I don't know if I have a restore disc anymore; I lost a lot of stuff in a tornado in 2011, so I don't think I can just wipe it and reinstall Vista.

My other question is the stuff that I am putting on my external drive, is it going to bring the virus with it?

Re: explorer.exe using 100% cpu
"IF I can get this virus off my Windows machine, will it ever run the same again? It just took me 11 hours to save my pictures and videos, way too long, but from what I have read about these viruses it seems like there are going to be many side effects even after removal."

Yes, if we can get it cleaned it should be the same with no side effects.

"My other question is the stuff that I am putting on my external drive, is it going to bring the virus with it?"

Not likely, but they should be scanned by your AV and MBAM before putting them back on the computer.

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure Command Line is selected, and press OK.
Go to File > Save As, and save the report as Procexp.txt.
Attach the file to your next reply.

Last edited by Superdave on 27th March 2014, 7:33 pm; edited 1 time in total
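As an added example (my own code, not from the thread or from Sysinternals), this Windows PowerShell script pulls the same Path and Command Line information Process Explorer shows for every running explorer.exe and flags instances that do not look like the real shell, which is the question behind the "8 explorer.exe at 100% CPU" report above. Get-WmiObject is used because it exists on the PowerShell 2.0 that Vista can run; the output file name is my choice.

```powershell
$expectedPath = Join-Path $env:WINDIR 'explorer.exe'   # C:\Windows\explorer.exe on a stock install

# One query for all processes, so parent lookups need no further WMI calls.
$allProcs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

$explorers = @($allProcs | Where-Object { $_.Name -ieq 'explorer.exe' })
Write-Host ("{0} explorer.exe instance(s) running" -f $explorers.Count)

$report = foreach ($p in $explorers) {
    $flags = @()

    # 1. The real shell is %WINDIR%\explorer.exe; anything else borrowing the name is suspect.
    #    ExecutablePath is empty for processes you lack rights to read, so run elevated.
    if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expectedPath)) {
        $flags += "image path is $($p.ExecutablePath)"
    }

    # 2. The shell's own parent (userinit.exe) has normally exited, so a parent that is
    #    still alive and is not explorer.exe itself (a shell restart) deserves a look.
    #    PIDs can be reused, so treat this as a pointer, not proof.
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and ($parent.Name -ine 'userinit.exe') -and ($parent.Name -ine 'explorer.exe')) {
        $flags += "started by $($parent.Name) (PID $($parent.ProcessId))"
    }

    # 3. Resource use: WMI reports CPU time in 100-nanosecond units.
    $cpuSeconds = [math]::Round(([double]$p.KernelModeTime + [double]$p.UserModeTime) / 10000000, 1)

    New-Object PSObject -Property @{
        PID          = $p.ProcessId
        ParentPID    = $p.ParentProcessId
        CpuSeconds   = $cpuSeconds
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Path         = $p.ExecutablePath
        CommandLine  = $p.CommandLine
        Flags        = ($flags -join '; ')
    }
}

$report | Sort-Object CpuSeconds -Descending |
    Format-Table PID, ParentPID, CpuSeconds, WorkingSetMB, Path, Flags -AutoSize

# Keep a copy to attach alongside the Procexp.txt the helper asked for.
$report | Format-List | Out-File (Join-Path ([Environment]::GetFolderPath('Desktop')) 'explorer-triage.txt')
```

Run it from an elevated PowerShell window; a second instance with the correct path and an empty Flags column can still be the shell relaunching, so the CPU and command-line columns are what to compare against the Process Explorer report.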

Here's the report
Here is the report

Re: explorer.exe using 100% cpu
P2P - I see you have P2P software installed on your machine. (Ares) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
This is how your computer was most likely infected.
When I opened the task manager there were 8 explorer.exe with 100% CPU and 97% of the memory taken.

The next time this happens try closing all but one of them, one at a time and let me know what's happening.

Run the BitDefender Online scanner

Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report.

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt), and then in the File name box change the name to bdscan, then click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (Take notice of where you save it so you can find it later.)
This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary which is useless to us.

Post the bdscan.txt file as an Attachment.

Re: explorer.exe using 100% cpu
I appreciate you pointing this out to me. I don't know if this came installed on my computer or if one of us installed it. As far as I know no one uses it; at least we don't do any file sharing, just streaming sometimes. I will get rid of it, and run BitDefender. The only way I have been able to get any of these to run not in safe mode is to sit in front of the computer and close the explorer.exe as they appear. Once I let more than 3 or 4 run the computer just freezes and the scanner fights to get 1% of the CPU. That was what happened last night with the online scanner. It wouldn't let me keep the task manager opened, and then the whole thing just stopped working. I believe that this virus multiplies itself. The first time I ran Malwarebytes it removed 150 files running in normal mode and the scan took 3 hours. So the next time I ran it in safe mode and it took 23 minutes and removed 109. The next day was when I realized that it was still there and contacted you.
