Home / Software / Computer viruses and spyware / Antivirus System PRO Virus [Logs Attached]
Author Topic: Antivirus System PRO Virus [Logs Attached]  (Read 1254 times)
HollowNobody
Guest
« on: November 28, 2009, 05:13:48 PM »

Well this all started when Firefox started acting up. I posted a thread about it in the computer software forum and a solution was never found (more like I was still waiting for a response).
For information about that see here: http://www.computerhope.com/forum/index.php/topic,95724.msg648308.html#msg648308.

Now today, about 2-3 hours ago, while I was browsing the internet on Firefox I noticed a strange icon that resembled a blue shield with white stripes in my taskbar. A pop-up came up saying that "windows" had detected a virus and that I needed to run some program called Antivirus System PRO. I closed out Firefox and tried opening up AVG only to find that "windows" thought it was infected and wouldn't open it. The same thing happened when I tried opening Malwarebytes, Internet Explorer, Firefox, etc. (Basically all .exe files).
I went to shut down the computer and found that it was preventing me from doing that as well. So I had to turn off the computer using the front panel.

It was then that I unplugged my external hard drive from the computer.

I turned on the computer and let it come up to the desktop. It was then that something about my Windows not being activated came up. I ignored it, for the time being, and quickly opened up Firefox. In doing so I found out that if I opened a program quickly enough it would load before the virus and the virus wouldn't be able to stop me from using it.
I tried running some virus scanners using Firefox, but I kept getting redirected to weird places.

So I rebooted the computer and, before the virus could stop me, I used system restore to set the computer back to October 31st.

The restore was successful and the strange icon is gone from the taskbar. However there are still some things that aren't right. I can't use Firefox at all. Clicking on it does absolutely nothing. Windows keeps telling me that I have 3 days to validate my copy of Windows, and a box in the bottom right-hand corner of the screen says my copy of Windows is not activated. Also, Internet Explorer has started redirecting me to strange websites and bombards me with pop-ups about antivirus programs.

So now for the malware removal steps...

Step 1: Add or Remove Programs
There's nothing suspicious looking in there.

Step 2: House Cleaning
Ran CCleaner.

Step 3: SUPERAntiSpyware
The program found two infections.
The log is attached to this post.

Step 4: Malwarebytes' Anti-Malware (MBAM)
The program found nothing.

Step 5: Update Your Java (JRE)
Java Updated

Step 6: HijackThis
Log attached to post.

Also I should add that ever since this incident
(http://www.computerhope.com/forum/index.php/topic,93488.0.html) I have been unable to use Safe Mode. So any solution that involves it will most likely not work.


[Saving space, attachment deleted by admin]
« Last Edit: November 29, 2009, 09:38:31 AM by HollowNobody »
HollowNobody
« Reply #1 on: November 29, 2009, 10:13:19 AM »

Last night I ran Trend Micro's Housecall and it found a Trojan of some sort. Unfortunately I didn't have enough foresight to write down the name of what it found, but the program said that it was removed.

Still getting those pop ups...

So this morning I googled Antivirus System PRO and found that BleepingComputer had a guide to removing it. I followed the guide and ran a program called rkill. rkill is supposed to stop all the processes that belong to Antivirus System PRO.
Once it finished running I ran another scan with Malwarebytes, as the guide instructed, and it found nothing.
(The log is attached to this post.)

And I'm still getting the pop ups.

I've run two other programs that have presented me with logs: DDS and RootRepeal. I was going to post them on bleepingcomputer.com, but I found out that they do not condone having two threads on two different sites about the same problem. So their logs have been attached to this post as well.

As for the Windows Activation part of this, is it part of the infection or is it genuine?
It's claiming that I only have 3 days to validate Windows. Now I'm pretty sure that activating it involves a key, which unless it's already in the computer, I don't have. I bought my computer used with Windows already installed several years ago. I don't even have an XP disk.

[Saving space, attachment deleted by admin]
« Last Edit: November 29, 2009, 11:48:12 AM by HollowNobody »
evilfantasy
Malware Removal Specialist
Moderator
Genius



Thanked: 462
Posts: 11,769

Experience: Beginner
OS: Windows 7


Calm like a bomb

evilfantasy's blog
« Reply #2 on: November 29, 2009, 11:55:10 AM »

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
HollowNobody
« Reply #3 on: November 29, 2009, 12:20:26 PM »

Combofix log attached.

[Saving space, attachment deleted by admin]
evilfantasy
« Reply #4 on: November 29, 2009, 12:41:39 PM »

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

MBR::


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
HollowNobody
« Reply #5 on: November 29, 2009, 01:27:34 PM »

I ran ComboFix. During reboot I received a blue screen with the following message:

STOP: c0000212a {Fatal System Error}
The Windows Logon Process System Process terminated (word was cut off by screen)
with a status of 0x80000007 (0x00000000 0x00000000).
The system has been shut down.

It froze on that screen and I had to turn off the computer using the front panel. However, when it rebooted ComboFix resumed and I did get a log, which is attached to this post.

Also now there seems to be a problem with typing. When I try typing something it often won't type, types incorrect letters, or stalls in typing. It took me a long time to type out this post, because it keeps changing what I type.

[Saving space, attachment deleted by admin]
« Last Edit: November 29, 2009, 06:41:40 PM by HollowNobody »
evilfantasy
« Reply #6 on: November 29, 2009, 01:30:36 PM »

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Download Dr.Web CureIt and save it to your desktop.

 Scan with DrWeb-CureIt as follows:

  • Double-click on drweb-cureit.exe and then click Start
  • An information notice will appear, click OK.
  • This starts a short scan that will scan the files currently running in memory.
  • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Settings > Change Settings
  • Under the Scanning tab UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web CureIt.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
* Copy and paste that log in the next reply
HollowNobody
« Reply #7 on: November 29, 2009, 04:38:25 PM »

Dr Web Log:

Process in memory: C:\WINDOWS\system32\svchost.exe:172;;BackDoor.Tdss.565;Eradicated.;
evilfantasy
« Reply #8 on: November 30, 2009, 09:42:30 AM »

How is the computer running now?
HollowNobody
« Reply #9 on: November 30, 2009, 08:13:39 PM »

I'm still getting the pop ups and redirections while browsing and today it has started freezing. Apparently I also only have one day to re-activate Windows.

However it is running faster.
evilfantasy
« Reply #10 on: November 30, 2009, 08:45:29 PM »

Download and save AVPFind.bat to your PC (save it anywhere you can find it. The Desktop is fine). Then double-click on it to run it.


It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt


Now download and run exeHelper

  • Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file)

Add the below logs when finished with all of the above:
  • C:\avplog.txt - from AVPfind
  • log.txt - from exeHelper
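The opening post describes the classic symptom that tools like exeHelper are run against: every .exe (AVG, Malwarebytes, the browsers) is intercepted before it can start. One common cause of that symptom is tampering with the registry chain Windows follows when a .exe is double-clicked (HKCR\.exe, the class it names, and that class's shell\open\command), or an Image File Execution Options "Debugger" entry that runs something else in place of the named program. The following read-only check is an added example for this thread, not one of the tools posted in it and not a reconstruction of what exeHelper does; whether this particular machine was hijacked that way is an assumption, since the logs are no longer attached. The stock default values are general Windows knowledge; the tampered sample values are constructed placeholders.

```python
"""Read-only check of the registry chain that decides what runs for a .exe.

Added example for this thread (not one of the cleanup tools used in it).
The comparison logic is kept separate from the registry read so it can be
run against a live machine or against values copied from a registry export.
"""
import sys

# Stock Windows values on a clean machine (known defaults, not taken from the thread).
EXPECTED_EXE_CLASS = "exefile"      # default value of HKCR\.exe
EXPECTED_OPEN_COMMAND = '"%1" %*'   # default value of HKCR\exefile\shell\open\command

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def _normalize(command):
    # '"%1" %*' and  %1 %*  describe the same launch; compare without quotes/spacing.
    return command.replace('"', "").split()


def evaluate_exe_association(dot_exe_class, open_command,
                             user_dot_exe_class=None, ifeo_debuggers=None):
    """Return a list of findings for the given registry values.

    dot_exe_class       default value of HKCR\\.exe
    open_command        default value of HKCR\\<dot_exe_class>\\shell\\open\\command
    user_dot_exe_class  default value of HKCU\\Software\\Classes\\.exe, or None if absent
    ifeo_debuggers      {image_name: debugger_command} for IFEO keys carrying a Debugger value
    An empty list means the chain matches the stock layout.
    """
    findings = []
    if dot_exe_class != EXPECTED_EXE_CLASS:
        findings.append(f"HKCR\\.exe names class '{dot_exe_class}' instead of '{EXPECTED_EXE_CLASS}'")
    if _normalize(open_command) != _normalize(EXPECTED_OPEN_COMMAND):
        findings.append(f".exe open command is '{open_command}' instead of '{EXPECTED_OPEN_COMMAND}'")
    if user_dot_exe_class is not None:
        # A per-user .exe class silently overrides the machine-wide one.
        findings.append(f"HKCU\\Software\\Classes\\.exe overrides the handler with class '{user_dot_exe_class}'")
    for image, debugger in sorted((ifeo_debuggers or {}).items()):
        # Real debuggers use this mechanism too, so this is a review item, not a verdict.
        findings.append(f"IFEO Debugger set for {image}: {debugger}")
    return findings


def read_live_values():
    """Collect the values from the local registry. Windows only, and read-only."""
    import winreg  # standard library on Windows builds of Python

    def default_value(root, path):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, "")[0]
        except OSError:
            return None

    dot_exe = default_value(winreg.HKEY_CLASSES_ROOT, ".exe") or ""
    open_cmd = default_value(winreg.HKEY_CLASSES_ROOT, dot_exe + r"\shell\open\command") or ""
    user_dot_exe = default_value(winreg.HKEY_CURRENT_USER, r"Software\Classes\.exe")

    debuggers = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as ifeo:
            index = 0
            while True:
                try:
                    image = winreg.EnumKey(ifeo, index)
                except OSError:
                    break          # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(ifeo, image) as sub:
                        debuggers[image] = winreg.QueryValueEx(sub, "Debugger")[0]
                except OSError:
                    pass           # this image has no Debugger value
    except OSError:
        pass                       # IFEO key unreadable or absent
    return dot_exe, open_cmd, user_dot_exe, debuggers


# Constructed sample (placeholder names, not from the thread) of the state behind the
# "nothing .exe will open" symptom: .exe is pointed at a foreign class whose open
# command launches another file before the program the user asked for.
SAMPLE_TAMPERED = dict(
    dot_exe_class="hijacked_class",
    open_command=r'"C:\Documents and Settings\user\Local Settings\placeholder.exe" /START "%1" %*',
    user_dot_exe_class="hijacked_class",
    ifeo_debuggers={},
)


def main():
    if sys.platform != "win32":
        values = SAMPLE_TAMPERED
        print("Not on Windows; evaluating the constructed sample instead of the live registry.")
    else:
        dot_exe, open_cmd, user_dot_exe, debuggers = read_live_values()
        values = dict(dot_exe_class=dot_exe, open_command=open_cmd,
                      user_dot_exe_class=user_dot_exe, ifeo_debuggers=debuggers)
    for line in evaluate_exe_association(**values) or ["exe association chain matches stock layout"]:
        print(line)


if __name__ == "__main__":
    main()
```

Run it before cleanup to record what the chain looks like, and again afterwards to confirm the handler is back to the stock values. Because it only reads, it is safe to run on a machine that is still infected; a finding on the IFEO list still needs a human look, since legitimate debuggers register there too.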

HollowNobody
« Reply #11 on: November 30, 2009, 08:50:51 PM »

Logs attached.

[Saving space, attachment deleted by admin]
evilfantasy
« Reply #12 on: December 01, 2009, 09:21:25 AM »

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
HollowNobody
« Reply #13 on: December 01, 2009, 05:16:33 PM »

ComboFix log attached. It found a rootkit of some sort.

[Saving space, attachment deleted by admin]
evilfantasy
« Reply #14 on: December 01, 2009, 05:46:39 PM »

That's what I needed to see. Are the redirects still happening?
Copyright © 2010 Computer Hope ® All rights reserved.