Ok Scott, this is what I want you to do.
Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't carry out these instructions until you are ready. With that said (when ready):
1. Please download The Avenger to your Desktop.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
We'll use this later.
Please download SilentRunners.vbs - Right click & choose Save As...
Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.
Launch SilentRunners by double-clicking the downloaded file. In the ensuing window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.
When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.
Download StartDreck
Unzip to its own folder and start the program:
- Press 'Config'
- Press 'mark all'
- Uncheck the following boxes only:
  - System/Running Process -> List Modules
  - System/Drivers -> NT Services
  - System/Drivers -> NT Kernel- and FS-drivers
- Press 'OK'
- Press 'Save' and select the location to save the log file (default is the same folder as the application)
- Post that log here
---------------------------------------
If you'll notice, the eraseme...file keeps changing on us. Ewido cleans it, and it simply changes names. Navigate to C:\Windows\System32 and look for any file beginning with eraseme_
Write down the full file name that you find and post it here for me along with the Silent Runners and StartDreck logs.
Leave your PC on--do NOT reboot or the name will change again.