
Sophos Virus Removal Tool - scan fix failed: brontok+

I was told to post the logs here when I asked on Twitter: 2 scan-fixes failed.

logSophosVirusRemovalTool.txt was from 1st scan, with network cord deliberately unplugged.

newSophosVirusRemovalTool was from 2nd scan, while connected to internet.

Help, please?



  • Glancing at the logs (very helpful) the computer is getting cleaner, but there are two things left...

    2015-06-24 07:04:28.156	File "C:\Documents and Settings\All Users\Application Data\Microsoft\{165bd50a-2e1f-8237-1f37-9bbe817854ac}\{165bd50a-2e1f-8237-1f37-9bbe817854ac}.exe" was not cleaned up. (32: The process cannot access the file because it is being used by another process.)
    2015-06-24 07:04:28.328	File checksum: MD5=95c908c21c32d9891bc5aaff22032f51, SHA-1=e029b524aeff17e98226c10dee59f1a7cb142c4c
    2015-06-24 07:04:28.328	Removal failed
    2015-06-24 07:05:16.796	File "C:\Documents and Settings\All Users\Application Data\Microsoft\{910dd9b1-cff8-1a0d-e3b8-81e48a9014bd}\{910dd9b1-cff8-1a0d-e3b8-81e48a9014bd}.exe" was not cleaned up. (32: The process cannot access the file because it is being used by another process.)
    2015-06-24 07:05:16.796	File checksum: MD5=70d906924e1337af1dd2cbf6dd5a2c1c, SHA-1=337d666e42b096e568d19a7fa07e72e21673c82a
    2015-06-24 07:05:16.796	Removal failed

    The reason according to the log is that 'The process cannot access the file because it is being used by another process'.  The process locking the files is C:\WINDOWS\system32\svchost.exe.

    Now malware can use the process name svchost.exe as a trick so you think it is a genuine system file.  However in this case the path to the genuine system file is correct, so it does look like you have two files left over that cannot be removed because during boot they are being run and then the svchost.exe prevents anything else from deleting them.  So options (in no particular order, because depending on your computer knowledge you may favor one over another):

    • Reboot and rescan.  If you haven't already rebooted this is worth doing because the computer had so many detections a rescan will probably find a lot less and the log will be a bit clearer.  Also the files that failed to be cleaned may now be unlocked.
    • Either open the registry editor and go to the Run key.  Look for anything that is calling the files mentioned in bold above or anything suspicious.  If you don't like the registry editor you can search for 'Autoruns' (by Sysinternals/Microsoft) and install that and on the 'Logon' tab get a list of start up items.  Example...


      Screenshot it if you're not sure and post back what to do.  However the idea in either case is to track down what's calling the malware during start up, stop it being called, and then the files won't be run during startup and a rescan will find and delete the files.
    • If the files just keep loading during start up and you can't fathom how, the Sophos Bootable Anti-Virus tool will scan the computer's hard drive without having to boot the infected computer.  Ideally you need another, clean, Windows computer to download and set the tool up on either a CD or USB pen drive.

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
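The manual check the moderator describes (look in the Run key for whatever launches the two flagged files, and confirm what is holding them open) can be scripted.  The following PowerShell is an added example, not code from the thread or from Sophos: it takes the two file paths from the log above, searches the standard Run/RunOnce and Winlogon autostart locations for any value that references their GUID folder names, lists running processes whose image or command line references them, flags any svchost.exe that is not running from %SystemRoot%\system32 (the impersonation trick the reply warns about), and reports whether the files are still on disk.  It uses only Get-ItemProperty and Win32_Process so it also runs under PowerShell 2.0 on the Windows XP era system in the log; the list of autostart keys is my own choice and is far shorter than what Autoruns covers.

```powershell
# Added example (not from the thread or from Sophos): find what launches the two
# files the Sophos Virus Removal Tool could not delete, and what holds them open.
# The two paths are taken from the scan log above; everything else is constructed.

$suspect = @(
  'C:\Documents and Settings\All Users\Application Data\Microsoft\{165bd50a-2e1f-8237-1f37-9bbe817854ac}\{165bd50a-2e1f-8237-1f37-9bbe817854ac}.exe',
  'C:\Documents and Settings\All Users\Application Data\Microsoft\{910dd9b1-cff8-1a0d-e3b8-81e48a9014bd}\{910dd9b1-cff8-1a0d-e3b8-81e48a9014bd}.exe'
)

# The logon-time launch points the reply tells the user to check by hand
# (Autoruns covers many more; this list is an assumption, not exhaustive).
$autostartKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Match on the GUID folder name rather than the full path, so a quoted command
# line, a short (8.3) path or extra arguments in the registry value still hit.
$guids = $suspect | ForEach-Object { Split-Path (Split-Path $_ -Parent) -Leaf }

# 1. Registry values under the autostart keys that reference a flagged file.
foreach ($key in $autostartKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc. added by PowerShell
    foreach ($g in $guids) {
      if ("$($p.Value)" -like "*$g*") {
        "AUTORUN   $key\$($p.Name) = $($p.Value)"
      }
    }
  }
}

# 2. Running processes whose image path or command line references a flagged file.
#    Win32_Process is used (instead of Get-Process properties added in later
#    PowerShell versions) so this works on PowerShell 2.0 / Windows XP.
Get-WmiObject Win32_Process | ForEach-Object {
  foreach ($g in $guids) {
    if (("$($_.ExecutablePath) $($_.CommandLine)") -like "*$g*") {
      "PROCESS   PID $($_.ProcessId) $($_.Name): $($_.CommandLine)"
    }
  }
}

# 3. The log blames C:\WINDOWS\system32\svchost.exe for the lock.  A genuine
#    svchost.exe lives only in %SystemRoot%\system32; any other location is the
#    name-spoofing trick the reply mentions and is worth a closer look.
Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" |
  Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -notlike "$env:SystemRoot\system32\*") } |
  ForEach-Object { "ODD SVCHOST  PID $($_.ProcessId) $($_.ExecutablePath)" }

# 4. Are the two files still on disk?  -LiteralPath because the folder names
#    contain braces and we do not want any wildcard interpretation.
foreach ($f in $suspect) {
  if (Test-Path -LiteralPath $f) { "PRESENT   $f" } else { "GONE      $f" }
}
```

Run it from an elevated PowerShell prompt after the reboot the reply suggests; an AUTORUN line tells you which registry value to remove (or disable in Autoruns' Logon tab) before rescanning, a PROCESS line tells you what to stop first, and if nothing is reported yet the files are still PRESENT and locked, the persistence lives somewhere this short key list does not cover, which is exactly when Autoruns or the bootable scanner is the better tool.  Current Autoruns versions ship a command-line build, autorunsc.exe, whose `-a l` option lists the same Logon entries the GUI tab shows.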

