
Author Topic: Please help remove "application cannot be executed" virus  (Read 18597 times)


chrisski

    Topic Starter


    Rookie

    Please help remove "application cannot be executed" virus
    « on: January 14, 2010, 10:24:36 PM »
    I cannot run any programs. Whenever I click on anything it is blocked. I can't open SUPERAntiSpyware or Malwarebytes or anything for that matter. I read the sticky at the top of this page, but I couldn't even complete the very first step of checking my Windows service pack, because when I clicked on "System" in the Control Panel that same fateful message appeared: "Application cannot be executed. The file .... is infected." I don't know a lot about computers, but have been competent enough to download and remove spyware with SAS and MB in the past. Currently, the only thing I have been able to do was launch SUPERAntiSpyware out of my Quick Launch panel; however, I am blocked from updating it. I also tried manually updating on its site and it doesn't work. Unfortunately my SAS hasn't been updated in about 8 months. Please help. Thanks in advance.

    Here's a little more info. My computer is a Windows XP machine, about 5 years old.
    The fake program that is up is called "Antivirus Live"
    Renaming the file doesn't work.
    « Last Edit: January 14, 2010, 10:37:59 PM by chrisski »

    harry 48



      Egghead

    • lay back , relax and chill out
    • Thanked: 129
      • Yes
      • Yes
      • Yes
      • Dribbling Pensioner
    • Certifications: List
    • Experience: Familiar
    • OS: Windows 7
    Re: Please help remove "application cannot be executed" virus
    « Reply #1 on: January 15, 2010, 04:01:44 PM »
    Hello and welcome to Computer Hope Forum. The first thing I will need you to do is to go to this link and follow the directions precisely. If you can't access the internet with your infected computer you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. If you can't run any step, just jump to the next one. Please let me know how you are doing or if you have any questions. Initially, we will need the SuperAntiSpyware, MBAM and HJT logs. Please post any logs that you can generate.

    chrisski

      Topic Starter


      Rookie

      Re: Please help remove "application cannot be executed" virus
      « Reply #2 on: January 16, 2010, 10:47:17 AM »
      I was able to open task manager just as the system started and delete the system guard file, therefore allowing me to open and run .exe files. I proceeded to run the HJT, SAS, and MB. Here are my logs.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 01/15/2010 at 05:54 PM

      Application Version : 4.22.1014

      Core Rules Database Version : 4482
      Trace Rules Database Version: 2300

      Scan type       : Complete Scan
      Total Scan Time : 02:45:44

      Memory items scanned      : 618
      Memory threats detected   : 0
      Registry items scanned    : 6305
      Registry threats detected : 39
      File items scanned        : 26590
      File threats detected     : 3

      Adware.SysGuard/FakeAlert
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\Software\Microsoft\Windows\CurrentVersion\Run#LowRiskFileTypes [ C:\WINDOWS\sysguard.exe ]

      Rogue.Agent/Gen
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#aazalirt
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#skaaanret
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jungertab
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#zibaglertz
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#iddqdops
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ronitfst
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#tobmygers
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jikglond
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#tobykke
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#klopnidret
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jiklagka
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#salrtybek
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#seeukluba
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jrjakdsd
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krkdkdkee
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#dkewiizkjdks
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#dkekkrkska
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#rkaskssd
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#kuruhccdsdd
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krujmmwlrra
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#kkwknrbsggeg
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ktknamwerr
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#iqmcnoeqz
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ienotas
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krkmahejdk
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#otpeppggq
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krtawefg
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#oranerkka
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#kitiiwhaas
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#otowjdseww
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#otnnbektre
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#oropbbsee
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#irprokwks
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ooorjaas
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#id
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ready
         HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#knkd

      Trojan.Agent/Gen
         C:\Program Files\DRV

      Trojan.Agent/Gen-FakeSpy[Broad]
         C:\DOCUMENTS AND SETTINGS\CHRISTIAN\LOCAL SETTINGS\APPLICATION DATA\DUOESN\KXOUSYSGUARD.EXE

      Trojan.Dropper/Gen-C
         C:\DOCUMENTS AND SETTINGS\CHRISTIAN\LOCAL SETTINGS\TEMP\E.EXE


      Malwarebytes' Anti-Malware 1.44
      Database version: 3570
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 6.0.2900.5512

      1/15/2010 10:30:35 PM
      mbam-log-2010-01-15 (22-30-35).txt

      Scan type: Full Scan (C:\|)
      Objects scanned: 280759
      Time elapsed: 3 hour(s), 51 minute(s), 4 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 3
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 8

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lolvdynw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lolvdynw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Documents and Settings\Christian\Local Settings\Application Data\duoesn\kxousysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\fdvjfx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
      C:\gklrwl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
      C:\jsrtadqg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\kkfwg.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
      C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
      C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
      C:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.



      I have to go to work, but will update my Java and post HijackThis logs when I return. Also, I am not really comfortable running CCleaner, if that is alright. I have numerous vital passwords and bookmarks and if even one were accidentally deleted I would be in huge trouble.

      chrisski

        Topic Starter


        Rookie

        Re: Please help remove "application cannot be executed" virus
        « Reply #3 on: January 16, 2010, 11:02:07 AM »
        You have got to be kidding. Guess what just popped up: Internet Security 2010! It's pretty much the same thing as my Antivirus Live virus, with a different name. Was this virus just dormant for 12 hours, or did I get a new one? It popped up right as I logged on to vtunnel. I use vtunnel to search Google for the sake of anonymity. I thought that it was a pretty big site and can't imagine that it is giving me the virus, but who knows. I will go ahead and rerun SAS and MB just in case, as well as run HJT. Any input would be appreciated.

        harry 48



          Egghead

        Re: Please help remove "application cannot be executed" virus
        « Reply #4 on: January 16, 2010, 12:20:41 PM »
        Rename HJT to snipper.exe and run it.

        CCleaner is for clearing out rubbish; it will do no harm whatsoever.

        You should keep SAS, MBAM and CCleaner, keep them up to date and run them weekly.
        « Last Edit: January 16, 2010, 12:58:56 PM by harry 48 »

        chrisski

          Topic Starter


          Rookie

          Re: Please help remove "application cannot be executed" virus
          « Reply #5 on: January 17, 2010, 09:15:06 AM »
          I ran CCleaner and now none of my browsers work. I am connected to the internet, but they display a blank screen. What do I do? (I will post my updated logs here soon)

          rdav



            Newbie

            Re: Please help remove "application cannot be executed" virus
            « Reply #6 on: January 18, 2010, 09:29:06 AM »
             :D ;) :)
            I just spent a day working on this! At times, my XP system would not run regedit, Windows Task Manager, or any virus removal software! I went back and forth in Safe Mode and ran everything I could find on this forum.

            Finally, I ran ComboFix, which seems to have removed the malware, and now I am running Malwarebytes' Anti-Malware. It is now doing a full scan without finding any infections!

            Hooray and thanks so much for this forum!



            harry 48



              Egghead

            Re: Please help remove "application cannot be executed" virus
            « Reply #7 on: January 18, 2010, 09:31:41 AM »
            Please post all the logs to be looked at for a check.

            rdav



              Newbie

              Re: Please help remove "application cannot be executed" virus
              « Reply #8 on: January 18, 2010, 03:28:14 PM »
              ComboFix 10-01-17.02 - HP_Administrator 01/18/2010   7:29.1.2 - x86
              Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1982.1449 [GMT -8:00]
              Running from: n:\mware\ComboFix.exe
              AV: a-squared Anti-Malware *On-access scanning enabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}
              AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\HP_Administrator\Favorites\Online Security Test.url
              c:\program files\PandoBar
              c:\program files\PandoBar\bar\1.bin\NPPANDBR.DLL
              c:\program files\PandoBar\bar\1.bin\P4FFXTBR.JAR
              c:\program files\PandoBar\bar\1.bin\P4FFXTBR.MANIFEST
              c:\program files\PandoBar\bar\1.bin\P4HIGHIN.EXE
              c:\program files\PandoBar\bar\1.bin\P4NTSTBR.JAR
              c:\program files\PandoBar\bar\1.bin\P4NTSTBR.MANIFEST
              c:\program files\PandoBar\bar\1.bin\P4PLUGIN.DLL
              c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL
              c:\program files\PandoBar\bar\Cache\00A0714D
              c:\program files\PandoBar\bar\Cache\00A077C5.bin
              c:\program files\PandoBar\bar\Cache\00A07D24.bin
              c:\program files\PandoBar\bar\Cache\00A07F67.bin
              c:\program files\PandoBar\bar\Cache\00A0812C.bin
              c:\program files\PandoBar\bar\Cache\00A082C2.bin
              c:\program files\PandoBar\bar\Cache\00A085DF.bin
              c:\program files\PandoBar\bar\Cache\00A08821.bin
              c:\program files\PandoBar\bar\Cache\files.ini
              c:\program files\PandoBar\bar\History\search2
              c:\program files\PandoBar\bar\Settings\prevcfg2.htm
              c:\program files\video activex object
              c:\program files\video activex object\ot.ico
              c:\program files\video activex object\ts.ico
              c:\recycler\S-1-5-21-527237240-179605362-725345543-500
              c:\windows\kb913800.exe
              c:\windows\system32\drivers\H8SRTrebdnolfum.sys
              c:\windows\system32\h8srtkrl32mainweq.dll
              c:\windows\system32\H8SRTmxmjvawjhu.dll
              c:\windows\system32\H8SRTnnspkrddtj.dat
              c:\windows\system32\H8SRTrmetlypffu.dll
              c:\windows\system32\H8SRTrsdwjxiodl.dll
              c:\windows\system32\h8srtshsyst.dll
              c:\windows\system32\H8SRTxirpruxnrn.log
              c:\windows\system32\H8SRTxujghgkkah.dll
              c:\windows\Temp\tmp3.tmp
              Z:\Autorun.inf

              .
              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Service_H8SRTd.sys
              -------\Legacy_H8SRTd.sys


              (((((((((((((((((((((((((   Files Created from 2009-12-18 to 2010-01-18  )))))))))))))))))))))))))))))))
              .

              2010-01-18 13:07 . 2010-01-18 13:07   --------   d-----w-   c:\program files\SAS
              2010-01-18 06:04 . 2010-01-18 14:34   --------   d-----w-   c:\documents and settings\HP_Administrator\Local Settings\Application Data\wonehw
              2010-01-18 01:06 . 2010-01-18 01:06   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
              2010-01-18 01:01 . 2010-01-08 00:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-01-18 01:01 . 2010-01-18 01:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2010-01-18 01:01 . 2010-01-08 00:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-01-18 01:00 . 2010-01-18 01:00   --------   d-----w-   C:\MWare
              2010-01-17 23:26 . 2010-01-17 23:26   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
              2010-01-17 23:08 . 2010-01-17 23:08   --------   d-----w-   c:\program files\Common Files\Adobe AIR
              2010-01-17 23:07 . 2010-01-17 23:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
              2010-01-17 23:07 . 2010-01-17 23:07   --------   d-----w-   c:\program files\NOS
              2010-01-17 18:41 . 2010-01-18 13:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-01-16 22:08 . 2010-01-18 13:20   --------   d-----w-   c:\program files\a-squared Anti-Malware
              2010-01-16 20:14 . 2010-01-16 20:14   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Windows Search

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-01-18 15:47 . 2009-12-11 20:10   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\Dropbox
              2010-01-18 15:46 . 2008-12-14 13:42   7   ----a-w-   c:\windows\sbacknt.bin
              2010-01-18 15:13 . 2007-03-30 02:26   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\U3
              2010-01-18 14:08 . 2006-11-01 01:14   89000   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2010-01-18 13:07 . 2008-05-20 23:24   --------   d-----w-   c:\program files\0-360 UnWrapper 3.2
              2010-01-18 12:51 . 2006-11-05 03:26   --------   d-----w-   c:\program files\Google
              2010-01-18 06:03 . 2007-05-21 07:31   664   ----a-w-   c:\windows\system32\d3d9caps.dat
              2010-01-18 00:16 . 2007-03-01 15:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Borland
              2010-01-18 00:10 . 2006-11-01 01:34   --------   d-----w-   c:\program files\Symantec
              2010-01-18 00:10 . 2006-11-01 01:34   --------   d-----w-   c:\program files\Common Files\Symantec Shared
              2010-01-17 23:10 . 2007-01-17 00:14   --------   d-----w-   c:\program files\Common Files\Adobe
              2010-01-17 18:48 . 2009-09-30 11:56   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\vlc
              2010-01-16 21:56 . 2008-05-26 19:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
              2009-12-15 12:33 . 2007-03-24 18:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
              2009-12-15 12:23 . 2006-11-01 01:16   --------   d-----w-   c:\program files\Microsoft Works
              2009-12-10 21:02 . 2009-12-10 20:46   --------   d-----w-   c:\program files\Boxee
              2009-12-10 20:47 . 2009-12-10 20:47   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\BOXEE
              2009-12-10 20:41 . 2009-06-29 16:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
              2009-12-09 22:59 . 2006-11-07 20:32   --------   d-----w-   c:\program files\DivX
              2009-12-09 22:58 . 2009-06-04 22:23   --------   d-----w-   c:\program files\Common Files\DivX Shared
              2009-12-07 05:04 . 2009-12-07 05:04   --------   d-----w-   c:\program files\MovieToolbox
              2009-12-06 21:23 . 2009-12-06 21:23   --------   d-----w-   c:\program files\Microsoft Silverlight
              2009-12-06 15:49 . 2009-12-06 15:49   --------   d-----w-   c:\program files\Ask.com
              2009-12-06 05:06 . 2009-12-06 05:05   --------   d-----w-   c:\program files\iTunes
              2009-12-06 05:05 . 2009-12-06 05:05   --------   d-----w-   c:\program files\iPod
              2009-12-06 05:05 . 2007-07-06 23:34   --------   d-----w-   c:\program files\Common Files\Apple
              2009-12-06 05:01 . 2006-11-11 18:48   --------   d-----w-   c:\program files\QuickTime
              2009-12-06 04:48 . 2009-12-06 04:47   --------   d-----w-   c:\program files\Microsoft IntelliPoint
              2009-12-06 04:46 . 2009-12-06 04:46   --------   d-----w-   c:\program files\Microsoft IntelliType Pro
              2009-12-05 14:46 . 2007-03-19 19:09   --------   d-----w-   c:\program files\palmOne
              2009-12-05 14:41 . 2006-11-08 02:01   --------   d-----w-   c:\program files\DYMO Label
              2009-12-05 14:24 . 2008-12-13 14:06   --------   d-----w-   c:\program files\Xobni
              2009-12-04 06:24 . 2009-12-04 06:23   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\HpUpdate
              2009-11-14 00:47 . 2009-11-14 00:47   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
              2009-11-14 00:47 . 2009-11-14 00:47   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
              2009-11-14 00:47 . 2009-11-14 00:47   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
              2009-11-14 00:47 . 2009-11-14 00:47   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
              2009-11-14 00:47 . 2009-11-14 00:47   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
              2009-11-14 00:47 . 2009-11-14 00:47   696320   ----a-w-   c:\windows\system32\DivX.dll
              2009-10-29 07:46 . 2004-08-09 21:00   832512   ----a-w-   c:\windows\system32\wininet.dll
              2009-10-29 07:46 . 2004-08-09 21:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
              2009-10-29 07:46 . 2004-08-09 21:00   17408   ----a-w-   c:\windows\system32\corpol.dll
              2006-11-04 02:27 . 2006-11-04 02:21   45465133   ----a-w-   c:\program files\PartitionMagic805AllWin_English.ZIP
              2006-11-04 02:25 . 2006-11-04 02:25   0   ----a-w-   c:\program files\PM801EI1-371501.txt
              2006-11-04 00:01 . 2006-11-04 00:01   22   --sha-w-   c:\windows\SMINST\HPCD.sys
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
              "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

              [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
              2009-06-17 01:22   1144712   ----a-w-   c:\program files\Ask.com\GenericAskToolbar.dll

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
              "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]
              "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-06-17 1144712]

              [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

              [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
              [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
              [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
              [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
              @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
              [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
              2009-10-08 21:18   77824   ----a-w-   c:\documents and settings\HP_Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
              @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
              [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
              "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
              "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
              "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
              "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
              "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
              "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
              "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
              "WD Button Manager"="WDBtnMgr.exe" [2008-06-30 364544]
              "DISCover"="c:\program files\DISC\DISCover.exe" [2007-10-31 1095256]
              "Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-02-27 3551456]
              "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
              "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
              "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
              "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
              "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-28 198160]
              "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
              "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
              "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
              "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
              "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
              "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
              "a-squared"="c:\program files\a-squared Anti-Malware\a2guard.exe" [2010-01-02 3280712]
              "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
              "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]

              c:\documents and settings\Default User\Start Menu\Programs\Startup\
              Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-31 27136]
              PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-10-31 27136]

              c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
              Data\Dropbox\bin\Dropbox.exe [2009-10-8 26805255]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              Audible Download Manager.lnk - d:\audible downloads\Bin\AudibleDownloadHelper.exe [2007-4-11 845408]
              Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-10-31 36903]
              Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2009-08-17 16:31   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
              "c:\\WINDOWS\\system32\\dpvsetup.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Messenger\\msmsgs.exe"=
              "c:\\Program Files\\NETGEAR\\sph101\\WiFiPhone Update.exe"=
              "c:\\Program Files\\yProxy\\yProxy.exe"=
              "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
              "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
              "c:\\Program Files\\Azureus\\Azureus.exe"=
              "c:\\Program Files\\DISC\\DISCover.exe"=
              "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
              "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
              "c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
              "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=
              "c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=
              "c:\\Program Files\\Boxee\\BOXEE.exe"=

              R0 hotcore2;hotcore2;c:\windows\system32\drivers\hotcore2.sys [3/3/2007 2:15 PM 30808]
              R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 11:49 AM 335240]
              R2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared Anti-Malware\a2service.exe [1/16/2010 2:08 PM 1858144]
              R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 8:48 AM 297752]
              R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [11/20/2008 11:30 AM 46824]
              R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [7/3/2009 9:55 AM 23096]
              R3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [7/3/2009 9:55 AM 3768]
              S2 gupdate1c9e56327c9c6c0;Google Update Service (gupdate1c9e56327c9c6c0);c:\program files\Google\Update\GoogleUpdate.exe [6/4/2009 2:23 PM 133104]
              S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [3/3/2007 11:42 AM 20760]
              S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [7/3/2009 9:55 AM 245760]
              S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [4/12/2009 10:24 AM 131776]
              S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/7/2006 8:16 PM 11520]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
              getPlusHelper   REG_MULTI_SZ      getPlusHelper
              .
              Contents of the 'Scheduled Tasks' folder

              2010-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

              2010-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 22:23]

              2010-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-04 22:23]

              2009-12-06 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
              - c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-05-26 19:16]

              2010-01-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
              - c:\program files\Ask.com\UpdateTask.exe [2009-06-17 01:22]
              .
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
              uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
              mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
              uInternet Settings,ProxyServer = http=127.0.0.1:5555
              uInternet Settings,ProxyOverride = <local>
              uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
              IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
              IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
              Trusted Zone: trymedia.com
              FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fcjiuckp.default\
              FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com//?oref=login
              FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fcjiuckp.default\extensions\{16f796dd-a279-4548-9b3a-393d1eef31df}\platform\WINNT\components\imageassistant.dll
              FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fcjiuckp.default\extensions\[email protected]\components\coolirisstub.dll
              FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
              FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
              FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fcjiuckp.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
              FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\npcoolirisplugin.dll
              FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
              FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
              FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
              FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
              FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPandBr.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
              FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
              .
              - - - - ORPHANS REMOVED - - - -

              HKCU-Run-StatBar - c:\program files\Globe Software\StatBar\StatBar.exe
              HKCU-Run-LClock - c:\program files\LClock\LClock.exe
              HKCU-Run-btgujnod - c:\documents and settings\HP_Administrator\Local Settings\Application Data\wonehw\rfupsysguard.exe
              HKLM-Run-PCDrProfiler - (no file)
              HKLM-Run-DeskMateAutoUpdate - c:\program files\DeskMates\DeskMateAutoUpdate.exe
              HKLM-Run-btgujnod - c:\documents and settings\HP_Administrator\Local Settings\Application Data\wonehw\rfupsysguard.exe
              AddRemove-AudibleDownloadManager - d:\audible downloads\Audible\Bin\AudibleDM_iTunesSetup(3).exe
              AddRemove-AudibleManager - d:\audible downloads\Audible\Bin\Upgrade.exe
              AddRemove-Internet Explorer Security Plugin 2006 - c:\program files\Video ActiveX Object\iesuninst.exe
              AddRemove-Internet Security Add-On - c:\program files\Video ActiveX Object\isauninst.exe
              AddRemove-Public Messenger ver 2.03 - c:\program files\Video ActiveX Object\pmuninst.exe
              AddRemove-Safety Alerter 2006 - c:\docume~1\HP_ADM~1\LOCALS~1\Temp\lafB77.tmp
              AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-01-18 07:44
              Windows 5.1.2600 Service Pack 2 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              HKCU\Software\Microsoft\Windows\CurrentVersion\Run
                StatBar = c:\program files\Globe Software\StatBar\StatBar.exe???

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************

              [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
              "ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(944)
              c:\windows\system32\Ati2evxx.dll

              - - - - - - - > 'lsass.exe'(1004)
              c:\windows\system32\relog_ap.dll

              - - - - - - - > 'explorer.exe'(5812)
              c:\windows\system32\WININET.dll
              c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
              c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
              c:\program files\Windows Desktop Search\deskbar.dll
              c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
              c:\program files\Windows Desktop Search\dbres.dll
              c:\program files\Windows Desktop Search\wordwheel.dll
              c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
              c:\program files\Windows Desktop Search\msnlExtRes.dll
              c:\windows\system32\ieframe.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\windows\system32\Ati2evxx.exe
              c:\windows\system32\Ati2evxx.exe
              c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
              c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              c:\windows\arservice.exe
              c:\program files\Bonjour\mDNSResponder.exe
              c:\windows\eHome\ehRecvr.exe
              c:\windows\eHome\ehSched.exe
              c:\program files\Java\jre6\bin\jqs.exe
              c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
              c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
              c:\windows\system32\SearchIndexer.exe
              c:\progra~1\AVG\AVG8\avgrsx.exe
              c:\windows\ehome\mcrdsvc.exe
              c:\windows\system32\dllhost.exe
              c:\windows\system32\wscntfy.exe
              c:\windows\RTHDCPL.EXE
              c:\windows\ARPWRMSG.EXE
              c:\windows\eHome\ehmsas.exe
              c:\windows\system32\WDBtnMgr.exe
              c:\program files\DISC\DiscStreamHub.exe
              c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
              c:\program files\iPod\bin\iPodService.exe
              c:\hp\KBD\KBD.EXE
              c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
              c:\windows\system\hpsysdrv.exe
              c:\program files\Java\jre1.5.0_06\bin\jusched.exe
              c:\windows\system32\SearchProtocolHost.exe
              c:\windows\system32\SearchFilterHost.exe
              .
              **************************************************************************
              .
              Completion time: 2010-01-18  07:56:08 - machine was rebooted
              ComboFix-quarantined-files.txt  2010-01-18 15:56

              Pre-Run: 12,636,020,736 bytes free
              Post-Run: 15,408,369,664 bytes free

              - - End Of File - - ED141B32D80D4ACFA96FDD38F4CE020C

              harry 48
              Re: Please help remove "application cannot be executed" virus
              « Reply #9 on: January 18, 2010, 03:39:20 PM »
              rdav


              Sorry, my mistake. Would you start a topic of your own and you will get the log (copy and paste it) looked at; you cannot hijack another topic. Harry
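Reading the ComboFix and HijackThis output in this thread by hand, the tells are the same few lines every time: a per-user ProxyServer pointing at 127.0.0.1, hosts-file entries pinning Microsoft and anti-malware hostnames to one outside IP, Run entries that launch from Local Settings\Application Data, and the lowsec / sdra64.exe / sysguard.exe names the scanners labelled as Zbot and the rogue AV. The script below is an added example (mine, not part of this thread and not output of ComboFix, HijackThis or any scanner named here) that applies those checks to lines in the two log formats. The sample lines are constructed in the shape of the posted logs, and the domain watchlist and the list of user-writable autostart folders are my assumptions, not something either tool emits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the ComboFix and HijackThis formats seen in this
# thread (assembled for the example, not a verbatim copy of any one log).
SAMPLE_LINES = [
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"uInternet Settings,ProxyOverride = <local>",
    r"HKCU-Run-btgujnod - c:\documents and settings\HP_Administrator\Local Settings\Application Data\wonehw\rfupsysguard.exe",
    r"HKLM-Run-DeskMateAutoUpdate - c:\program files\DeskMates\DeskMateAutoUpdate.exe",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 209.44.111.62 surety.microsoft.com",
    r"O1 - Hosts: 209.44.111.62 www.aware-protect.com",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKCU\..\Run: [lowriskfiletypes] C:\WINDOWS\sysguard.exe",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumed watchlist: names a home PC's hosts file should never redirect.
HOSTS_WATCHLIST = ("microsoft.com", "windowsupdate.com", "symantec.com",
                   "avg.com", "malwarebytes.org", "superantispyware.com")
# Names the scanners in this thread tied to the rogue AV / Zbot (leading
# backslash so "rfupsysguard.exe" does not match "sysguard.exe").
KNOWN_ARTIFACTS = ("\\sysguard.exe", "\\sdra64.exe", "\\system32\\lowsec")
# Assumed: autostart locations a legitimate installer rarely uses.
USER_WRITABLE = ("\\local settings\\application data\\", "\\local settings\\temp\\",
                 "\\application data\\", "\\temp\\")

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
CF_RUN_RE = re.compile(r"^HK(?:LM|CU)-Run-(\S+) - (.+)$")
HJT_RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


@dataclass
class Finding:
    kind: str
    line: str
    reason: str


def _proxy_host(value: str) -> str:
    """'http=127.0.0.1:5555;https=...' or 'host:port' -> host of the first entry."""
    first = value.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    return first.rsplit(":", 1)[0].strip()


def _run_target(command: str) -> str:
    """Strip quotes and arguments from a Run value, keeping the executable path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" /")[0].split(" -")[0]


def _on_watchlist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in HOSTS_WATCHLIST)


def classify(line: str) -> Optional[Finding]:
    """Per-line checks; shared-IP hosts hijacks need the whole log, see triage()."""
    low = line.lower()
    if any(a in low for a in KNOWN_ARTIFACTS):
        return Finding("known_artifact", line, "names a file the scanners in this thread flagged")
    m = PROXY_RE.match(line)
    if m:
        if _proxy_host(m.group(1)) in LOOPBACK:
            return Finding("local_proxy", line, "browser traffic forced through a proxy on this host")
        return None
    m = HOSTS_RE.match(line)
    if m:
        ip, name = m.group(1), m.group(2).lower()
        if ip not in LOOPBACK and _on_watchlist(name):
            return Finding("hosts_hijack", line, f"{name} pinned to {ip} by the hosts file")
        return None
    m = CF_RUN_RE.match(line) or HJT_RUN_RE.match(line)
    if m and any(d in _run_target(m.group(2)).lower() for d in USER_WRITABLE):
        return Finding("run_from_profile", line, "autostart binary lives in a user-writable folder")
    return None


def triage(lines: List[str]) -> List[Finding]:
    findings = [f for f in (classify(l) for l in lines) if f]
    # Second pass: several unrelated hostnames pinned to one non-loopback IP is
    # the rogue-AV pattern even when none of the names is on the watchlist.
    by_ip = {}
    for l in lines:
        m = HOSTS_RE.match(l)
        if m and m.group(1) not in LOOPBACK:
            by_ip.setdefault(m.group(1), []).append((l, m.group(2).lower()))
    already = {f.line for f in findings}
    for ip, entries in by_ip.items():
        if len(entries) >= 2:
            for l, name in entries:
                if l not in already:
                    findings.append(Finding("hosts_hijack", l,
                                            f"{name} shares IP {ip} with {len(entries) - 1} other name(s)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it over a saved log with `triage(open(path).read().splitlines())`. It is a triage aid, not a verdict: each hit still needs the file looked at, and an empty result says nothing about kernel-mode components, which is what the catchme rootkit pass in the ComboFix output is for.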

              chrisski
                Re: Please help remove "application cannot be executed" virus
                « Reply #10 on: January 18, 2010, 08:11:28 PM »
                I ended up not being able to get my internet to work, so I did a system restore to a time prior to the virus. It fixed my internet, but brought back all the viruses. I re-ran MB, SAS, and HJ. The logs follow. My computer seems fine at this point, except for one little thing. I cannot update my Java. When I try to do so I get an error 1500 message saying that Windows cannot install two programs at once. I've tried rebooting, to no avail. Anyways, thank you so much for the help. Here are my logs.

                SUPERAntiSpyware Scan Log
                http://www.superantispyware.com

                Generated 01/18/2010 at 07:02 PM

                Application Version : 4.22.1014

                Core Rules Database Version : 4489
                Trace Rules Database Version: 2304

                Scan type       : Complete Scan
                Total Scan Time : 02:15:53

                Memory items scanned      : 577
                Memory threats detected   : 0
                Registry items scanned    : 6321
                Registry threats detected : 38
                File items scanned        : 25189
                File threats detected     : 7

                Adware.SysGuard/FakeAlert
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\Software\Microsoft\Windows\CurrentVersion\Run#LowRiskFileTypes [ C:\WINDOWS\sysguard.exe ]

                Rogue.Agent/Gen
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#aazalirt
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#skaaanret
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jungertab
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#zibaglertz
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#iddqdops
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ronitfst
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#tobmygers
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jikglond
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#tobykke
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#klopnidret
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jiklagka
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#salrtybek
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#seeukluba
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#jrjakdsd
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krkdkdkee
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#dkewiizkjdks
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#dkekkrkska
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#rkaskssd
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#kuruhccdsdd
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krujmmwlrra
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#kkwknrbsggeg
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ktknamwerr
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#iqmcnoeqz
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ienotas
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krkmahejdk
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#otpeppggq
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#krtawefg
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#oranerkka
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#kitiiwhaas
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#otowjdseww
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#otnnbektre
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#oropbbsee
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#irprokwks
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ooorjaas
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#id
                   HKU\S-1-5-21-3380271927-570995959-4140874652-1005\SOFTWARE\AVSCAN#ready

                Trojan.Agent/Gen
                   C:\WINDOWS\system32\lowsec\local.ds
                   C:\WINDOWS\system32\lowsec\user.ds
                   C:\WINDOWS\system32\lowsec
                   C:\Program Files\DRV

                Rogue.InternetSecurity2010
                   C:\Documents and Settings\Christian\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
                   C:\Documents and Settings\Christian\Start Menu\Internet Security 2010.lnk

                Trojan.Agent/Gen-SDRA
                   C:\WINDOWS\SYSTEM32\SDRA64.EXE


                Malwarebytes' Anti-Malware 1.44
                Database version: 3595
                Windows 5.1.2600 Service Pack 3
                Internet Explorer 6.0.2900.5512

                1/18/2010 9:41:04 PM
                mbam-log-2010-01-18 (21-41-04).txt

                Scan type: Full Scan (C:\|)
                Objects scanned: 273074
                Time elapsed: 2 hour(s), 42 minute(s), 18 second(s)

                Memory Processes Infected: 0
                Memory Modules Infected: 0
                Registry Keys Infected: 2
                Registry Values Infected: 2
                Registry Data Items Infected: 0
                Folders Infected: 1
                Files Infected: 9

                Memory Processes Infected:
                (No malicious items detected)

                Memory Modules Infected:
                (No malicious items detected)

                Registry Keys Infected:
                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

                Registry Values Infected:
                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.

                Registry Data Items Infected:
                (No malicious items detected)

                Folders Infected:
                C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

                Files Infected:
                C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
                C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
                C:\Documents and Settings\Christian\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
                C:\Documents and Settings\Christian\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
                C:\fdvjfx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
                C:\gklrwl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
                C:\jsrtadqg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
                C:\kkfwg.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
                C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.


                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 10:04:25 PM, on 1/18/2010
                Platform: Windows XP SP3 (WinNT 5.01.2600)
                MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\Program Files\Windows Defender\MsMpEng.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
                C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
                C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
                C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                C:\Program Files\Alwil Software\Avast4\ashServ.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
                C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
                C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                C:\Program Files\Bonjour\mDNSResponder.exe
                C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
                C:\WINDOWS\system32\DVDRAMSV.exe
                C:\WINDOWS\eHome\ehRecvr.exe
                C:\WINDOWS\eHome\ehSched.exe
                C:\WINDOWS\system32\lxdpcoms.exe
                C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
                C:\WINDOWS\system32\svchost.exe
                c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
                C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
                C:\WINDOWS\system32\msiexec.exe
                C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                C:\WINDOWS\system32\dllhost.exe
                C:\WINDOWS\system32\MsiExec.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\system32\wuauclt.exe
                C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
                C:\WINDOWS\system32\TDispVol.exe
                C:\WINDOWS\system32\igfxtray.exe
                C:\WINDOWS\system32\hkcmd.exe
                C:\WINDOWS\system32\igfxpers.exe
                C:\WINDOWS\ehome\ehtray.exe
                C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
                C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                C:\Program Files\ltmoh\Ltmoh.exe
                C:\WINDOWS\AGRSMMSG.exe
                C:\WINDOWS\eHome\ehmsas.exe
                C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
                C:\Program Files\Toshiba\Tvs\TvsTray.exe
                C:\WINDOWS\system32\TPSMain.exe
                C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
                C:\WINDOWS\system32\dla\DLACTRLW.exe
                C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
                C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
                C:\Program Files\Synaptics\SynTP\Toshiba.exe
                C:\WINDOWS\system32\TPSBattM.exe
                C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
                C:\Program Files\iTunes\iTunesHelper.exe
                C:\Program Files\Windows Defender\MSASCui.exe
                C:\Program Files\Lexmark Z2300 Series\lxdpmon.exe
                C:\Program Files\Lexmark Z2300 Series\ezprint.exe
                C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\Messenger\msmsgs.exe
                C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
                C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
                C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
                C:\WINDOWS\system32\RAMASST.exe
                C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
                C:\Documents and Settings\Christian\My Documents\Christian\Replace\Blue\bin\iPodService.exe
                C:\Program Files\Mozilla Firefox\firefox.exe
                C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
                O1 - Hosts: ::1 localhost
                O1 - Hosts: 209.44.111.62 surety.microsoft.com
                O1 - Hosts: 209.44.111.62 aware-protect.com
                O1 - Hosts: 209.44.111.62 www.aware-protect.com
                O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
                O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
                O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
                O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
                O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
                O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
                O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
                O4 - HKLM\..\Run: [tdispVol] TDispVol.exe
                O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
                O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
                O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
                O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
                O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
                O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
                O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
                O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
                O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
                O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
                O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
                O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
                O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
                O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
                O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
                O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
                O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
                O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
                O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
                O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
                O4 - HKLM\..\Run: [lxdpmon.exe] "C:\Program Files\Lexmark Z2300 Series\lxdpmon.exe"
                O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark Z2300 Series\ezprint.exe"
                O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
                O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
                O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
                O4 - Global Startup:  WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
                O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
                O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
                O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
                O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTimeMPP\MPPoker.exe (file missing) (HKCU)
                O9 - Extra button: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Christian\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)
                O9 - Extra 'Tools' menuitem: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Documents and Settings\Christian\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)
                O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
                O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
                O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
                O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
                O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
                O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
                O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
                O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
                O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
                O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
                O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
                O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
                O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Christian\My Documents\Christian\Replace\Blue\bin\iPodService.exe
                O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
                O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
                O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
                O23 - Service: lxdpCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdpserv.exe
                O23 - Service: lxdp_device -   - C:\WINDOWS\system32\lxdpcoms.exe
                O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
                O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
                O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
                O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

                --
                End of file - 13045 bytes
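The O23 lines in the log above are Windows services: name, the vendor HijackThis read from the binary's version information, and the path to the executable. Reviewers of these logs usually look first at services with no recorded publisher and at binaries that run from somewhere other than Program Files or the Windows directory, since those are where a poster's attention is best spent. The following added example (not part of this thread or of HijackThis itself) parses O23 lines and applies exactly those two heuristics; the sample input is a handful of lines copied from the log above, and the flags it produces are leads for a human to check, not verdicts, as the legitimate OEM and Symantec entries it flags show.

```python
import re
from dataclasses import dataclass

# Sample input: a few O23 lines copied from the HijackThis log posted above,
# plus one O20 line to show that non-service entries are ignored.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Christian\My Documents\Christian\Replace\Blue\bin\iPodService.exe
O23 - Service: lxdp_device -   - C:\WINDOWS\system32\lxdpcoms.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# O23 format: "O23 - Service: <display name> - <vendor> - <drive>:\<path>".
# The name and vendor are matched lazily so that a blank vendor field
# (as in the lxdp_device line) still parses.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Directories where service binaries are normally expected on Windows XP.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str


def parse_o23(log_text):
    """Return a ServiceEntry for every O23 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(
                ServiceEntry(m["name"].strip(), m["owner"].strip(), m["path"].strip())
            )
    return entries


def review_services(entries):
    """Map service name -> list of reasons a reviewer should look closer.

    Services with no reasons are omitted. Two heuristics only:
    a missing or unknown publisher, and a binary living outside the usual
    system/program directories (a user profile path gets its own reason).
    """
    findings = {}
    for e in entries:
        reasons = []
        p = e.path.lower()
        if e.owner == "" or e.owner.lower() == "unknown owner":
            reasons.append("no publisher recorded")
        if "\\documents and settings\\" in p:
            reasons.append("runs from a user profile directory")
        elif not p.startswith(EXPECTED_ROOTS):
            reasons.append("binary outside Program Files / Windows")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_services(parse_o23(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, it flags the iPod Service (running from under My Documents), lxdp_device (blank vendor), Swupdtmr (unknown owner and an OEM directory) and Symantec Core LC (unknown owner), while Bonjour and the DVD-RAM service pass. Whether a flagged entry is a problem still takes a look at the file itself, which is the step the forum helpers do by hand.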

                chrisski


                  Re: Please help remove "application cannot be executed" virus
                  « Reply #11 on: January 18, 2010, 08:30:41 PM »
                  As an additional note to my above logs, I do not think that I am completely clear of malware/trojans. About a third of the time that I click on a web page using google I am redirected to a random site.

                  chrisski


                    Re: Please help remove "application cannot be executed" virus
                    « Reply #12 on: January 19, 2010, 03:06:35 PM »
                    And it turns out that one of the webpages I get redirected to gives me the Internet Security 2010 Trojan...Again.

                    I am almost to the point of throwing this computer out the window and buying a new one. I imagine I need to rerun SAS, MB, and HJT, but I am going to wait to do so until you have a chance to take a look at the previous logs and respond.  :(

                    harry 48

                    Re: Please help remove "application cannot be executed" virus
                    « Reply #13 on: January 19, 2010, 03:39:49 PM »
                    I'm not a malware expert, but if you want to, copy and paste your HJT log and run it in the HJT process tool; I think you have been hijacked.

                    It says take out "hosts", which would normally happen; you have 4.

                    Try it and see. The tool is 3rd on the main page where your post is. Harry

                    chrisski


                      Re: Please help remove "application cannot be executed" virus
                      « Reply #14 on: January 19, 2010, 04:43:53 PM »
                      I'm not a malware expert, but if you want to, copy and paste your HJT log and run it in the HJT process tool; I think you have been hijacked.

                      It says take out "hosts", which would normally happen; you have 4.

                      Try it and see. The tool is 3rd on the main page where your post is. Harry

                      I don't understand where the tool is?