Topic: Virus Removal: Application Cannot Be Executed

RueSauvage
    Virus Removal: Application Cannot Be Executed
    « on: August 16, 2010, 07:02:49 PM »
    Hi! I ran into this problem on Saturday, ran Malwarebytes' Anti-Malware, and the issue returned Sunday. Sunday, my computer went to a blank screen after the initial Dell splash page (Inspiron Mini 1010). Somehow, some way, I managed to get my Windows loading screen back and log in. At this time, I can use the computer okay; however, I'm afraid this thing is lurking somewhere. Unfortunately for me, I'm a freelance writer. I'm sure that explains it.

    Anyhoo, I ran and installed the suggested tools in the "Computer Hope Virus and Spyware section Guidelines" post. Following are the requested logs:


    Malwarebytes' Anti-Malware

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4438

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/16/2010 8:44:59 PM
    mbam-log-2010-08-16 (20-44-59).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 243050
    Time elapsed: 1 hour(s), 41 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5801e436-4e3f-4cb4-b1c0-0d06c213d118} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5801e436-4e3f-4cb4-b1c0-0d06c213d118} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lmhohjyu (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/16/2010 at 05:42 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5364
    Trace Rules Database Version: 3176

    Scan type       : Quick Scan
    Total Scan Time : 01:03:19

    Memory items scanned      : 596
    Memory threats detected   : 0
    Registry items scanned    : 1795
    Registry threats detected : 0
    File items scanned        : 42549
    File threats detected     : 36

    Adware.Tracking Cookie

    HiJackThis Log File
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:04:41 PM, on 8/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\iWin Games\iWinTrusted.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\Program Files\WSED\WSED.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rpcnet.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Dell\PlayMovie\PMVService.exe
    C:\WINDOWS\system32\PersistenceThread.exe
    C:\Program Files\Dell\Media Experience\PCMAgent.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe
    C:\Program Files\Battery Meter\BTMeter.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Program Files\Cricket Broadband Connect\mPhonetools.exe
    C:\Program Files\Cricket Broadband Connect\Bytemobile\bmctl.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HiJackThis\sniper.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {465E08E7-F005-4389-980F-1D8764B3486C} - (no file)
    O2 - BHO: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: iWin Toolbar - {ce0c2586-da36-452b-acdb-320d9bcb19bf} - C:\Program Files\iWin\tbiWin.dll
    O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Dell\PlayMovie\PMVService.exe"
    O4 - HKLM\..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe
    O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files\Dell\Media Experience\PCMAgent.exe"
    O4 - HKLM\..\Run: [LoJackForLaptops] C:\Program Files\LFLInstall\InstallManager.exe /d60 /dd1 /bd0
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe"
    O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}] "C:\Program Files\Cricket Broadband Connect\AvqAutoRun.exe" "C:\Program Files\Cricket Broadband Connect\mPhonetools.exe" /OnPlug=%s
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Google Chrome.lnk = C:\Documents and Settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Aleta Sanders\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20Lost%20in%20Los%20Angeles/Images/stg_drm.ocx
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Women's Murder Club - A Darker Shade of Grey\Images\armhelper.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7D0DA0B3-63C2-48C1-A339-6180107E969E}: NameServer = 172.28.221.53 172.28.221.54
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
    O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12104 bytes
    Any help would be greatly appreciated.

    Dr Jay (Malware Removal Specialist)
    Re: Virus Removal: Application Cannot Be Executed
    « Reply #1 on: August 16, 2010, 10:41:26 PM »
    Hello, and welcome to Computer Hope.

    Please note the following information about the malware forum:
    • Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
    • From this point on, please do not make any more changes to your computer, such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc., unless advised by the staff I noted above.
    • Please do not attach logs or post them in Quote/Code boxes unless requested.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, reply to this topic with the word BUMP.
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, when your computer is declared clean.

    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    ~Dr Jay

    RueSauvage

      Re: Virus Removal: Application Cannot Be Executed
      « Reply #2 on: August 18, 2010, 01:27:36 AM »
      I'm really sorry for the late reply and thank you for your assistance. Using ComboFix has taken two days for various reasons. Anyhoo, here's the log file:
      ComboFix 10-08-17.02 - Aleta Sanders 08/17/2010  23:12:53.1.2 - x86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.325 [GMT -4:00]
      Running from: c:\documents and settings\Aleta Sanders\My Documents\Downloads\ComboFix.exe
      AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
      FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\Aleta Sanders\Application Data\install.dat
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome.manifest
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome\content\_cfg.js
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome\content\overlay.xul
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\install.rdf
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Windows Server
      c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Windows Server\server.dat
      c:\documents and settings\All Users\Application Data\hpe3A.dll
      c:\documents and settings\Ezana\Application Data\install.dat
      c:\documents and settings\Sabah\Application Data\install.dat
      C:\install.exe
      c:\program files\iWin\tbiWi1.dll
      c:\windows\system32\config\system~1\applic~1\install.dat
      c:\windows\system32\drivers\edparwo.sys
      c:\windows\system32\Thumbs.db

      c:\windows\system32\winlogon.exe . . . is infected!!

      c:\windows\explorer.exe . . . is infected!!

      Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
      Restored copy from - Kitty had a snack :p
      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_OSPPSVC
      -------\Service_osppsvc


      (((((((((((((((((((((((((   Files Created from 2010-07-18 to 2010-08-18  )))))))))))))))))))))))))))))))
      .

      2010-08-18 07:20 . 2010-08-18 07:21   --------   d-----w-   c:\documents and settings\Sabah\Application Data\PCToolsFirewallPlus
      2010-08-17 01:01 . 2010-08-17 01:01   388096   ----a-r-   c:\documents and settings\Aleta Sanders\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2010-08-17 01:01 . 2010-08-17 01:01   --------   d-----w-   c:\program files\Trend Micro
      2010-08-17 00:52 . 2010-08-17 00:53   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\PCToolsFirewallPlus
      2010-08-17 00:46 . 2010-01-12 13:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
      2010-08-17 00:46 . 2010-01-07 15:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
      2010-08-17 00:46 . 2010-01-07 15:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
      2010-08-17 00:45 . 2010-01-13 12:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
      2010-08-17 00:45 . 2010-08-17 00:55   --------   d-----w-   c:\program files\PC Tools Firewall Plus
      2010-08-16 22:55 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-08-16 22:55 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-08-16 22:55 . 2010-08-16 22:55   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-08-16 20:29 . 2010-08-16 20:30   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-08-16 20:23 . 2010-07-17 09:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
      2010-08-16 20:00 . 2010-08-16 20:00   --------   d-----w-   c:\program files\CCleaner
      2010-08-16 19:28 . 2010-02-05 13:17   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
      2010-08-16 19:28 . 2010-03-29 14:06   218592   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
      2010-08-16 19:28 . 2009-11-23 17:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
      2010-08-16 19:28 . 2010-04-08 18:29   63360   ----a-w-   c:\windows\system32\drivers\pctplsg.sys
      2010-08-16 19:27 . 2010-08-17 00:46   --------   d-----w-   c:\program files\Common Files\PC Tools
      2010-08-16 19:27 . 2010-08-16 19:28   --------   d-----w-   c:\program files\Spyware Doctor
      2010-08-16 19:27 . 2010-08-16 19:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
      2010-08-16 19:27 . 2010-08-16 19:27   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\PC Tools
      2010-08-16 15:49 . 2010-06-28 20:32   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
      2010-08-16 15:49 . 2010-06-28 20:37   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
      2010-08-16 15:49 . 2010-06-28 20:33   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
      2010-08-16 15:49 . 2010-06-28 20:37   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
      2010-08-16 15:48 . 2010-06-28 20:32   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
      2010-08-16 15:48 . 2010-06-28 20:32   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
      2010-08-16 15:48 . 2010-06-28 20:32   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
      2010-08-16 15:48 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
      2010-08-16 15:47 . 2010-06-28 20:57   165032   ----a-w-   c:\windows\system32\aswBoot.exe
      2010-08-16 15:47 . 2010-08-16 15:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
      2010-08-16 15:47 . 2010-08-16 15:47   --------   d-----w-   c:\program files\Alwil Software
      2010-08-15 19:13 . 2010-08-16 06:13   --------   d-----w-   c:\documents and settings\Aleta Sanders\Local Settings\Application Data\ckgyknepn
      2010-08-15 19:12 . 2010-08-15 19:12   0   ----a-w-   c:\windows\Rcoyoheyevalana.bin
      2010-08-15 19:12 . 2010-08-15 19:12   120   ----a-w-   c:\windows\Mkiga.dat
      2010-08-15 19:09 . 2010-08-16 04:22   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\6139FD3F43EFFA39E0446AA163992656
      2010-08-15 08:47 . 2010-08-15 08:47   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
      2010-08-15 08:09 . 2010-08-15 08:33   2928402903   ----a-w-   c:\documents and settings\Aleta Sanders\My Documents.zip
      2010-08-14 15:35 . 2010-08-16 20:32   63488   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
      2010-08-14 15:35 . 2010-08-14 15:35   52224   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-08-14 15:35 . 2010-08-16 20:32   117760   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-08-14 15:31 . 2010-08-14 15:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2010-08-14 15:31 . 2010-08-14 15:31   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\SUPERAntiSpyware.com
      2010-08-13 16:27 . 2010-08-14 18:03   --------   d-----w-   c:\documents and settings\Aleta Sanders\Local Settings\Application Data\duivsjuhj
      2010-08-06 03:49 . 2010-08-06 03:49   503808   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5becc8b2-n\msvcp71.dll
      2010-08-06 03:49 . 2010-08-06 03:49   348160   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5becc8b2-n\msvcr71.dll
      2010-08-06 03:49 . 2010-08-06 03:49   499712   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5becc8b2-n\jmc.dll
      2010-08-06 03:49 . 2010-08-06 03:49   61440   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-36e18519-n\decora-sse.dll
      2010-08-06 03:49 . 2010-08-06 03:49   12800   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-36e18519-n\decora-d3d.dll
      2010-08-05 03:04 . 2010-08-05 11:54   --------   d-----w-   c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Deployment
      2010-08-04 19:02 . 2010-07-23 21:22   1496064   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
      2010-08-04 19:02 . 2010-07-23 21:22   43008   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
      2010-08-04 19:02 . 2010-07-23 21:22   338944   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
      2010-08-04 19:02 . 2010-07-23 21:22   346112   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
      2010-07-31 03:27 . 2010-07-31 03:27   --------   d-sh--w-   c:\documents and settings\Sabah\PrivacIE
      2010-07-31 03:27 . 2010-07-31 03:27   --------   d-----w-   c:\documents and settings\Sabah\Application Data\StumbleUpon
      2010-07-31 03:27 . 2010-07-31 03:27   --------   d-----w-   c:\documents and settings\Sabah\Local Settings\Application Data\Conduit
      2010-07-31 03:27 . 2010-07-31 03:27   --------   d-----w-   c:\documents and settings\Sabah\Local Settings\Application Data\iWin
      2010-07-31 03:27 . 2010-07-31 03:27   --------   d-----w-   c:\documents and settings\Sabah\Local Settings\Application Data\Google
      2010-07-30 14:22 . 2010-07-30 14:22   --------   d-----w-   c:\documents and settings\Ezana\Local Settings\Application Data\BVRP Software
      2010-07-23 11:56 . 2010-07-23 11:56   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\com.focusboosterapp.focusbooster.8E5F79C899747AD22E21DB62AA496926DA6BBC64.1
      2010-07-23 11:56 . 2010-07-23 11:56   --------   d-----w-   c:\program files\Focus Booster
      2010-07-23 11:29 . 2010-07-23 11:29   61440   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ad18a6e-n\decora-sse.dll
      2010-07-23 11:29 . 2010-07-23 11:29   503808   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c063074-n\msvcp71.dll
      2010-07-23 11:29 . 2010-07-23 11:29   348160   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c063074-n\msvcr71.dll
      2010-07-23 11:29 . 2010-07-23 11:29   12800   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ad18a6e-n\decora-d3d.dll
      2010-07-23 11:29 . 2010-07-23 11:29   499712   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c063074-n\jmc.dll

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-08-18 07:31 . 2009-03-03 22:32   --------   d---a-w-   c:\documents and settings\All Users\Application Data\Temp
      2010-08-18 07:28 . 2009-04-30 10:48   17408   ----a-w-   c:\windows\system32\rpcnetp.exe
      2010-08-18 07:28 . 2009-04-10 03:40   57752   ----a-w-   c:\windows\system32\rpcnet.dll
      2010-08-18 03:31 . 2009-05-04 03:29   --------   d-----w-   c:\program files\iWin
      2010-08-17 11:05 . 2010-04-09 15:49   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\SoftGrid Client
      2010-08-16 20:23 . 2009-03-03 22:27   --------   d-----w-   c:\program files\Java
      2010-08-16 18:50 . 2009-10-14 21:29   126008   ----a-w-   c:\documents and settings\Aleta Sanders\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-08-16 18:48 . 2009-11-27 21:27   --------   d-----w-   c:\program files\Common Files\TXText
      2010-08-16 18:48 . 2009-11-27 21:26   --------   d-----w-   c:\program files\Broderbund
      2010-08-16 18:42 . 2009-03-03 22:42   --------   d-----w-   c:\program files\Dell Webcam
      2010-08-16 18:42 . 2009-03-03 22:30   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2010-08-16 18:41 . 2009-03-03 22:43   --------   d-----w-   c:\program files\Creative
      2010-08-16 18:37 . 2009-11-04 00:06   --------   d-----w-   c:\program files\Brother
      2010-08-16 18:34 . 2009-05-04 03:34   --------   d-----w-   c:\program files\iWin.com
      2010-08-16 05:05 . 2009-04-30 10:48   17408   -c--a-w-   c:\windows\system32\rpcnetp.dll
      2010-08-14 18:21 . 2010-07-11 04:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Speedbit
      2010-08-14 18:03 . 2010-07-10 13:27   --------   d-----w-   c:\program files\iWin Games
      2010-08-13 14:23 . 2010-08-16 02:32   183886   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
      2010-08-12 05:23 . 2009-10-26 21:58   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\PrimoPDF
      2010-08-11 07:33 . 2009-03-03 22:40   --------   d-----w-   c:\program files\Microsoft Works
      2010-08-09 11:30 . 2009-10-29 00:57   --------   d-----w-   c:\program files\RingCentral
      2010-08-09 11:30 . 2009-10-29 00:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\RingCentral
      2010-08-08 21:16 . 2009-10-14 21:27   55620   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\wklnhst.dat
      2010-08-05 12:15 . 2010-02-07 01:17   --------   d-----w-   c:\program files\Google
      2010-08-05 12:12 . 2010-02-15 18:21   --------   d-----w-   c:\documents and settings\Sabah\Application Data\Teleca
      2010-08-05 12:12 . 2010-02-15 17:19   --------   d-----w-   c:\documents and settings\Ezana\Application Data\Teleca
      2010-08-05 12:12 . 2010-06-26 23:17   --------   d-----w-   c:\program files\Common Files\Teleca Shared
      2010-08-05 12:09 . 2009-12-24 17:42   --------   d-----w-   c:\program files\HTC
      2010-08-05 12:06 . 2009-11-26 05:27   --------   d-----w-   c:\program files\Encore
      2010-08-05 11:49 . 2010-06-22 16:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\BVRP Software
      2010-07-03 14:59 . 2009-10-14 21:01   664   ----a-w-   c:\documents and settings\Aleta Sanders\Local Settings\Application Data\d3d9caps.dat
      2010-07-03 01:11 . 2010-03-03 21:16   439816   ----a-w-   c:\documents and settings\Aleta Sanders\Application Data\Real\Update\setup3.10\setup.exe
      2010-06-30 12:31 . 2008-04-25 20:33   149504   ----a-w-   c:\windows\system32\schannel.dll
      2010-06-26 23:20 . 2009-12-24 17:46   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\Teleca
      2010-06-24 12:22 . 2008-04-25 20:33   916480   ----a-w-   c:\windows\system32\wininet.dll
      2010-06-24 02:18 . 2010-06-22 16:18   --------   d-----w-   c:\program files\Cricket Broadband Connect
      2010-06-23 13:44 . 2008-04-25 20:33   1851904   ----a-w-   c:\windows\system32\win32k.sys
      2010-06-23 02:48 . 2010-06-23 02:48   --------   d-----w-   c:\documents and settings\Aleta Sanders\Application Data\Alawar
      2010-06-22 16:19 . 2010-06-22 16:19   --------   d-----w-   c:\program files\PANTECH
      2010-06-22 16:18 . 2010-06-22 16:18   --------   d-----w-   c:\program files\Common Files\Avanquest software Shared
      2010-06-21 15:27 . 2008-04-25 20:33   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
      2010-06-17 14:03 . 2008-04-25 20:33   80384   ----a-w-   c:\windows\system32\iccvid.dll
      2010-06-14 14:31 . 2008-04-26 01:44   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
      2010-06-14 07:41 . 2008-04-25 20:33   1172480   ----a-w-   c:\windows\system32\msxml3.dll
      2009-12-29 23:22 . 2009-12-17 19:16   119312   ----a-w-   c:\program files\mozilla firefox\components\affdfcbadbfead.dll
      .

      ------- Sigcheck -------

      [-] 2008-04-14 . CEE3922616FB3E862B28965473E241CF . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

      [-] 2008-04-14 . 142E50036F14068A750CD493AA679F99 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Google Update"="c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-15 135664]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "WSED"="c:\program files\WSED\WSED.exe" [2008-12-12 238888]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-13 198160]
      "RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18063872]
      "PlayMovie"="c:\program files\Dell\PlayMovie\PMVService.exe" [2008-12-11 177384]
      "PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2008-12-24 92696]
      "PCMAgent"="c:\program files\Dell\Media Experience\PCMAgent.exe" [2008-12-11 148776]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-24 137752]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-24 354840]
      "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
      "CLMLServer"="c:\program files\Dell\Media Experience\Kernel\CLML\CLMLSvc.exe" [2008-12-11 202024]
      "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
      "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
      "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
      "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
      "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
      "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
      "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
      "{F9AA8FE2-E89A-E99B-E8b8-E9AE9B9ABA99}"="c:\program files\Cricket Broadband Connect\AvqAutoRun.exe" [2009-10-19 73728]
      "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
      "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
      "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]

      c:\documents and settings\Aleta Sanders\Start Menu\Programs\Startup\
      Google Chrome.lnk - c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [2009-12-14 945720]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
      backup=c:\windows\pss\Windows Search.lnkCommon Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
      "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
      "c:\\Program Files\\iWin Games\\iWinGames.exe"=
      "c:\\Program Files\\iWin Games\\WebUpdater.exe"=

      R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [3/3/2009 6:32 PM 14248]
      R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/16/2010 3:28 PM 218592]
      R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/16/2010 11:49 AM 165456]
      R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/16/2010 3:28 PM 233136]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
      R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/16/2010 11:49 AM 17744]
      R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [9/26/2009 7:35 AM 819600]
      R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [7/7/2010 4:50 PM 176408]
      R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [8/16/2010 3:28 PM 88040]
      R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [9/23/2009 3:04 PM 447832]
      R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [3/3/2009 6:42 PM 135936]
      R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [3/3/2009 8:08 PM 5088416]
      R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/3/2009 8:08 PM 110080]
      R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [3/3/2009 8:08 PM 148056]
      R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [3/3/2009 8:08 PM 133472]
      R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [3/3/2009 8:08 PM 271328]
      R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [8/16/2010 8:46 PM 70664]
      R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [8/16/2010 8:46 PM 58816]
      R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/16/2010 8:45 PM 115216]
      R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [6/22/2010 12:19 PM 54544]
      R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [6/22/2010 12:19 PM 12048]
      R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [6/22/2010 12:19 PM 160400]
      R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [6/22/2010 12:19 PM 115216]
      R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [6/22/2010 12:19 PM 160400]
      R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [3/3/2009 8:07 PM 157696]
      R3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\SftFSXP.sys [9/23/2009 3:04 PM 543064]
      R3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplayxp.sys [9/23/2009 3:04 PM 190312]
      R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [9/23/2009 3:05 PM 21864]
      R3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\SftVolXP.sys [9/23/2009 3:04 PM 14680]
      R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [9/23/2009 3:04 PM 203608]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 9:18 PM 135664]
      S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [3/3/2009 8:07 PM 129024]
      S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
      S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [12/12/2009 1:39 AM 9472]
      S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\PTUMWCDF.sys [6/22/2010 12:19 PM 22032]

      --- Other Services/Drivers In Memory ---

      *Deregistered* - BMLoad
      .
      Contents of the 'Scheduled Tasks' folder

      2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6ae8e7a4a8e.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 01:18]

      2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2870019680-4263584670-1697931001-1006Core1cac6ae3f9a9f2c.job
      - c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-15 03:23]

      2010-08-18 c:\windows\Tasks\User_Feed_Synchronization-{5E178C74-6EBA-4B70-B8B0-E5C851430BA7}.job
      - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

      2010-08-18 c:\windows\Tasks\User_Feed_Synchronization-{A2BDE66F-77B2-46CD-8BCA-B62726FEA3A6}.job
      - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
      .
      .
      ------- Supplementary Scan -------
      .
      uInternet Connection Wizard,ShellNext = iexplore
      uInternet Settings,ProxyServer = http=127.0.0.1:6522
      uInternet Settings,ProxyOverride = <local>
      uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
      IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
      IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Aleta Sanders\Start Menu\Programs\IMVU\Run IMVU.lnk
      TCP: {7D0DA0B3-63C2-48C1-A339-6180107E969E} = 172.28.221.53 172.28.221.54
      FF - ProfilePath - c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
      FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
      FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
      FF - component: c:\documents and settings\Aleta Sanders\Application Data\Mozilla\Firefox\Profiles\oy3t2c2p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
      FF - component: c:\program files\Mozilla Firefox\components\affdfcbadbfead.dll
      FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
      FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
      FF - plugin: c:\documents and settings\Aleta Sanders\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
      FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
      FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
      .
      - - - - ORPHANS REMOVED - - - -

      WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
      WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
      HKLM-Run-LoJackForLaptops - c:\program files\LFLInstall\InstallManager.exe
      HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
      HKLM-Run-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-08-18 03:29
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
      @DACL=(02 0000)
      "Installed"="1"
      @=""

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
      @DACL=(02 0000)
      "NoChange"="1"
      "Installed"="1"
      @=""

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
      @DACL=(02 0000)
      "Installed"="1"
      @=""
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1564)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      c:\windows\system32\WININET.dll
      c:\windows\System32\BCMLogon.dll
      c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
      c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

      - - - - - - - > 'explorer.exe'(3788)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\System32\WLTRYSVC.EXE
      c:\windows\System32\bcmwltry.exe
      c:\program files\Alwil Software\Avast5\AvastSvc.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\PC Tools Firewall Plus\FWService.exe
      c:\windows\system32\rpcnet.exe
      c:\windows\system32\SearchIndexer.exe
      c:\windows\RTHDCPL.EXE
      c:\windows\system32\igfxsrvc.exe
      .
      **************************************************************************
      .
      Completion time: 2010-08-18  03:38:33 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-08-18 07:38

      Pre-Run: 138,039,341,056 bytes free
      Post-Run: 138,057,777,152 bytes free

      - - End Of File - - D27714A33D38F688E0CB7DFC4B4AEE85





      Thanks!

      Dr Jay

      Re: Virus Removal: Application Cannot Be Executed
      « Reply #3 on: August 18, 2010, 12:29:37 PM »
      Please go to: VirusTotal


        • Click the Browse button and search for the following file: c:\windows\system32\winlogon.exe
        • Click Open
        • Then click Send File
        • Please be patient while the file is scanned.
        • Once the scan results appear, please provide them in your next reply.
        If it says already scanned -- click "reanalyze now"

        Please post the results in your next reply.


        Do it for this file as well:
        c:\windows\explorer.exe
        ~Dr Jay
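Before sending a file off for a scan, or when the upload keeps failing as it did with winlogon.exe here, it is useful to confirm locally that the file still matches what ComboFix recorded in its Sigcheck section and to have its hashes ready for a lookup by hash instead of an upload. The script below is an added example, not code from this thread, ComboFix or VirusTotal; the two Sigcheck lines it parses are copied from the log above, while the function names, the `SigcheckEntry` type and the `c:\fake\test.exe` entry used in testing are constructed for illustration.

```python
"""Check files named in a ComboFix Sigcheck section against the recorded hashes.

Added example for this thread, not code from the forum post, ComboFix or
VirusTotal. It parses Sigcheck lines of the form
    [-] 2008-04-14 . <MD5> . <size> . . [<version>] . . <path>
exactly as they appear in the log above, then recomputes MD5 and size for a
local copy of the file. A SHA-256 is computed too, since a hash can be looked
up on a scanning service when the upload of the file itself fails.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict

# Two Sigcheck entries copied from the ComboFix log posted in this thread.
SIGCHECK_SAMPLE = """\
[-] 2008-04-14 . CEE3922616FB3E862B28965473E241CF . 507904 . . [5.1.2600.5512] . . c:\\windows\\system32\\winlogon.exe
[-] 2008-04-14 . 142E50036F14068A750CD493AA679F99 . 1033728 . . [6.00.2900.5512] . . c:\\windows\\explorer.exe
"""

# One line of the Sigcheck format; fields are separated by " . " tokens.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class SigcheckEntry:
    flag: str      # ComboFix marker in the brackets, "-" in the log above
    date: str
    md5: str       # upper-case hex, as ComboFix prints it
    size: int
    version: str
    path: str


def parse_sigcheck(text: str) -> Dict[str, SigcheckEntry]:
    """Return entries keyed by lower-cased path; non-matching lines are skipped."""
    entries: Dict[str, SigcheckEntry] = {}
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m is None:
            continue
        entry = SigcheckEntry(m["flag"], m["date"], m["md5"].upper(),
                              int(m["size"]), m["version"], m["path"])
        entries[entry.path.lower()] = entry
    return entries


def digests(data: bytes):
    """MD5 (upper-case, to match the log), SHA-256 and length of the data."""
    return (hashlib.md5(data).hexdigest().upper(),
            hashlib.sha256(data).hexdigest(),
            len(data))


def check_bytes(entry: SigcheckEntry, data: bytes) -> dict:
    """Compare a file's bytes with what ComboFix recorded for that path."""
    md5, sha256, size = digests(data)
    return {
        "path": entry.path,
        "md5_matches": md5 == entry.md5,
        "size_matches": size == entry.size,
        "sha256": sha256,  # usable for a hash lookup instead of an upload
    }


def check_file(entry: SigcheckEntry, local_path: str) -> dict:
    """Same check for a file on disk (read whole; these are small system binaries)."""
    with open(local_path, "rb") as f:
        return check_bytes(entry, f.read())


if __name__ == "__main__":
    # Without a Windows system file to hand, exercise the parser on the copied lines.
    for path, e in parse_sigcheck(SIGCHECK_SAMPLE).items():
        print(f"{path}: md5={e.md5} size={e.size} version={e.version}")
```

On the affected machine, pass the parsed entry for `c:\windows\system32\winlogon.exe` and that path to `check_file`; a mismatch in MD5 or size against the log means the file changed between the ComboFix run and now, and the SHA-256 in the result can be searched on the scanning service without uploading the file.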

        RueSauvage


          Re: Virus Removal: Application Cannot Be Executed
          « Reply #4 on: August 18, 2010, 05:08:12 PM »
          Hi,

          I went to VirusTotal; however, I could not get the system to scan the winlogon.exe file. I tried several times with no luck. Attached is the log for the explorer.exe file.

          Please advise.

          [recovering disk space - old attachment deleted by admin]

          Dr Jay

          Re: Virus Removal: Application Cannot Be Executed
          « Reply #5 on: August 18, 2010, 11:17:36 PM »
          None of that worked.

          Re-running ComboFix to remove infections:

          • Close any open browsers.
          • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
          • Open Notepad and copy/paste the text in the code box below into it:
          Code:
          SysRst::
          • Save this as CFScript.txt, in the same location as ComboFix.exe



          • Referring to the picture above, drag CFScript into ComboFix.exe
          • When finished, it shall produce a log for you at C:\ComboFix.txt
          • Please post the contents of the log in your next reply.
          ~Dr Jay