rajjs,
Thanks for the reports.
The USB drive needs attention, as well as your computer. I have no clue where you are at with this issue; however, in your case, there is more to do after killing a process and deleting a file.
Let's start with FRST...
Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it to the Desktop, and name it: fixlist.txt
Code:
start
HKLM\...\Run: [qjmavtlxpm] - wscript.exe //B "C:\Users\RAJ\AppData\Local\Temp\qjmavtlxpm..vbs"
HKLM-x32\...\Runonce: [] - [x]
HKCU\...\Run: [] - [x]
HKCU\...\Run: [qjmavtlxpm] - wscript.exe //B "C:\Users\RAJ\AppData\Local\Temp\qjmavtlxpm..vbs"
Toolbar: HKLM-x32 - No Name - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - No File
Toolbar: HKCU - No Name - {8567A644-E36C-470C-86CF-9C5B4F37DB81} - No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction
C:\ProgramData\win_mpwd_sys.dat
end
Once again, double-click FRST to run it.
When the tool opens click Yes to disclaimer.
Press the Fix button.
When done, FRST produces Fixlog.txt on the Desktop.
Please provide the Fixlog.txt in your reply.
Now, connect the USB drive and press the Windows key and the R key at the same time for the Run prompt to appear.
In the Run prompt, type the following in the Open area, and press Enter: cmd
When the Command Prompt opens, copy/paste (with the mouse) the following, and press: Enter
Code:
attrib -h -s -r -a /s /d X:\*.*
(Change the drive letter X to the letter corresponding to the problem USB removable drive.)
Regardless of what action you have taken so far, make sure the USB drive is connected, and please run USBFix once again to see if the USB drive is really clean.
Press: Research
When done, the program closes on its own, and a report appears.
The report file is also found at C:\UsbFix.txt
Please post the UsbFix.txt (Research Mode) report in your reply.
Note: As before, if your AntiVirus program detects USB as malware, either let the AV program allow USBFix to run, or, temporarily disable your AntiVirus program.
Please run Malwarebytes Anti-Malware:
http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
Save to the Desktop
Double-click the downloaded MBAM file to run it.
When the installation begins, follow the prompts in the setup process.
DO NOT make any changes to default settings and when the program has finished installing, make sure only the following options are checked:
>Update Malwarebytes’ Anti-Malware
>Launch Malwarebytes’ Anti-Malware
Uncheck:
>Enable free trial of Malwarebytes Anti-Malware PRO
Click on the Finish button.
If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, select: Perform Full Scan
When the Select the Drives to scan prompt appears, make sure the USB drive is also selected.
Next, click on: Scan
When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected
When removal is completed, a report opens in Notepad.
Please copy/paste the entire contents of the MBAM report in your reply.
Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.
Also, download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php
Select the version that applies to the system.
Save to the Desktop.
After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator
At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN
When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.
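
Added example, not part of the original post and not code from FRST or its authors: a small triage script that reads log lines shaped like the Run entries in the fixlist above and flags autoruns that start a Windows script host on a script stored in a user-writable folder. The line format is inferred from those fixlist entries, and the sample lines, value names, indicator labels and threshold are constructed assumptions.

```python
import re

# Run/RunOnce line in the shape used by the fixlist above (assumed, not FRST's spec):
#   HIVE\...\Run: [value name] - command line
RUN_LINE = re.compile(
    r'^(?P<hive>HK[A-Z]+(?:-x32)?)\\\.\.\.\\Run(?:once)?: '
    r'\[(?P<name>[^\]]*)\] - (?P<cmd>.*)$',
    re.IGNORECASE,
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\")

# Constructed sample lines (hypothetical names and paths, not from a real log).
SAMPLE = r'''
HKLM\...\Run: [ExampleUpdater] - "C:\Program Files\Example\updater.exe" /background
HKCU\...\Run: [abcdefghij] - wscript.exe //B "C:\Users\USER\AppData\Local\Temp\abcdefghij.vbs"
HKLM-x32\...\Runonce: [] - [x]
Toolbar: HKCU - No Name - {00000000-0000-0000-0000-000000000000} - No File
'''


def classify(line):
    """Return (hive, value_name, reasons) for a Run entry, or None for other lines."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").lower()
    reasons = []
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("script-host")
    if "//b" in cmd.split():          # batch mode: no prompts or error dialogs
        reasons.append("batch-mode")
    for path in re.findall(r'"([^"]+)"', cmd):
        if path.endswith(SCRIPT_EXTS):
            reasons.append("script-file")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("user-writable-dir")
    return m.group("hive"), m.group("name"), reasons


def suspicious_run_entries(log_text, threshold=2):
    """Run entries with at least `threshold` indicators (threshold is an assumption)."""
    hits = [classify(line) for line in log_text.splitlines()]
    return [h for h in hits if h and len(h[2]) >= threshold]


if __name__ == "__main__":
    for hive, name, reasons in suspicious_run_entries(SAMPLE):
        print(f"{hive} Run [{name}]: {', '.join(reasons)}")
```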