Posted 25 May 2011 - 09:19 PM
I'm a newbie here and am trying not to post anything to the wrong location, so please redirect me as appropriate.
OS is Windows XP. I have AVG free edition that I think supposedly runs in the background to alert to threats as they are encountered, but had not updated in a month or so. Using IE8 as browser.
After a thunderstorm, another user on my home PC found an "official-looking" window displayed that explained that the PC had critical errors and presented a scanner and fix to the errors. He assumed that the errors were the result of the T-storm and that the message was legit, so he ran the scan and "fixed" the errors. Of course, some appeared to be fixed but others required purchasing the full version of whatever this was. He is not very computer-savvy so he did not go any further and asked me to take a look at it. It looked suspicious to me as I could not recall ever getting a message regarding critical errors without having run a scan, so I suspected malware of some sort. I also could not find any sort of identification related to the owner of the site/software I was "supposed" to buy.
At this point the scanner window would not go away and I could not access anything...desktop, programs, favorites, everything appeared to be gone. I restarted the computer and got the same "scanner" window with the message regarding critical errors. (Sorry, I did not think to write down the text.) I restarted the computer again in safe mode to see if I could get to anything that would help and eventually decided to restart in safe mode with networking. Tried to go to system restore but received this message:
"System Restore is not able to protect your computer. Please restart your computer, and then run system restore again."
Restarted the computer and tried again in safe mode; got the same message.
I was clicking around in the help and support section looking for something to try, and although I'm not completely certain what I did or if AVG finally just kicked in, I got a message from AVG that something had been detected and quarantined. This was identified as the YWJCRFUITUSQDA.EXE file. I then decided to update the AVG files and scan again. (I may have restarted in normal mode again by this time as I did turn the PC off and on a number of times.) One additional item was found and quarantined during the AVG scan that I requested, but I did not note the file name, thinking the removal of these files had saved me. I restarted the computer. The "scanning" screen no longer comes up, but I am still being directed to an apparently fake desktop that has nothing on the desktop, and all programs, files, etc. seem to be gone. I know that they are, in fact, still there because I could see the program and file names flashing past during the AVG scan.
The above took me most of one evening and the next morning before work. When I got to work, I did a search from my work computer on the YWJCRFUITUSQDA.EXE file and it appears to have only just surfaced this week. One threat-related site indicated that this is malware that affects the root, task manager, and system restore. Advice was to go into support and disable system restore and then rescan so that the restore files will be clean, then restart and re-enable system restore. I was unable to disable the system restore, so I could not get this option to clean the root files. I guess this thing has taken over.
That is when, from safe mode with networking, I logged onto the internet for the first time under the system admin account and found this BC site. I have read through a lot of removal things posted, but none sounded exactly like what I experienced, although some were very similar and referenced rogue anti-spyware, fake scanners and ransoming of proper operation of Windows. I have gone through all of the things directed to do in the Preparation Guide for Use before Using Malware Removal Tools, including disabling CD emulator drivers and creation of all the logs and scans directed by BC. I saved all this to my desktop but really was not certain as to the proper procedure for posting the contents here. Should I just open these, copy the contents, and paste here? Or do I go to another forum to post the scan results? (By the way, I accidentally closed the defogger window so I don't know how to re-enable CD emulator drivers when the time comes.)
Hopefully I have provided sufficient detail to allow someone more knowledgeable than me to suggest how to fix my problem and I thank you in advance for taking the time to read this and offer assistance.