
Author Topic: I got nailed by a really bad virus.  (Read 16383 times)


foosnik

    Topic Starter


    Rookie

    I got nailed by a really bad virus.
    « on: October 02, 2008, 07:08:07 PM »
    So I have gotten nailed with a serious trojan. This thing has hijacked my browser so I keep getting redirected to random websites. It has blocked my computer from contacting, or updating, Kaspersky Security Center. I can't access my control panel or any of the options there. It has blocked me from accessing most helpful websites to help me figure this out; thank god I found this one. I found this, which gave me a .reg file to replace the ones that got deleted:

    windowsxp.mvps.org/sharedaccess.htm

    but it did not help.  Is there a way to manually update Kaspersky so at least it has a better chance to find the malware?  But then again it won't even let me contact the site at all.  It keeps saying "While the site seems valid we cannot make a connection".  Should I try to uninstall service pack 2 and reinstall it or service pack 3?  Oh, and one more wonderful little detail...when I try to restart it into safe mode it gives me the blue screen.  This thing is a monster and I am so frustrated and annoyed with trying to figure it out.  Here is my HijackThis log (by the way, it is pretty impressive that you guys can look at this and figure it out):




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:06:13 PM, on 10/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Verizon\McciTrayApp.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\PROGRA~1\RCrawler\RCrawler.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\kzajyjuv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
    O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [monchk] C:\WINDOWS\system32\kzajyjuv.exe
    O4 - HKLM\..\Policies\Explorer\Run: [lc7fRtr4aR] C:\Documents and Settings\Administrator\Desktop\AdobeFlashPlayerHD.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: WBSYS.DL C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD3.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\ADIALHK.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\KLOEHK.DLL C:\PROGRA~1\GOOGLE\GOOGLE~3\GOEC62~1.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
    O21 - SSODL: AplMsgEn - {547E1BBF-035D-53FF-C5E1-07EDDC286C1F} - C:\Program Files\lfutfvf\AplMsgEn.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 8825 bytes
    « Last Edit: October 02, 2008, 08:36:13 PM by foosnik »

    foosnik


      Re: I got nailed by a really bad virus.
      « Reply #1 on: October 02, 2008, 08:41:56 PM »
      Ok, I have more info for you.  I got the SUPERAntiSpyware log for you but I could not update it first.  I know you provide a link to download it and manually install it but it will not even let me contact that website.  So I cannot do the alternative update method either. 

      Also I tried to install  Malwarebytes' Anti-Malware but every time I tried to launch the program it gave me a message saying that it "encountered a problem and has to close."  I have tried uninstalling it and reinstalling it.  Same thing.

      Here is the SUPERAntiSpyware log:



      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 10/02/2008 at 10:00 PM

      Application Version : 4.20.1046

      Core Rules Database Version : 3541
      Trace Rules Database Version: 1530

      Scan type       : Complete Scan
      Total Scan Time : 00:38:01

      Memory items scanned      : 463
      Memory threats detected   : 1
      Registry items scanned    : 6060
      Registry threats detected : 7
      File items scanned        : 19048
      File threats detected     : 52

      Trojan.Dropper/Gen
         C:\WINDOWS\SYSTEM32\KZAJYJUV.EXE
         C:\WINDOWS\SYSTEM32\KZAJYJUV.EXE
         [monchk] C:\WINDOWS\SYSTEM32\KZAJYJUV.EXE
         C:\WINDOWS\Prefetch\KZAJYJUV.EXE-14E5325A.pf

      Adware.Tracking Cookie
         C:\Documents and Settings\Administrator\Cookies\administrator@youporn[1].txt

      Trojan.Unknown Origin
         C:\WINDOWS\mslagent\2_mslagent.dll
         C:\WINDOWS\mslagent\mslagent.exe
         C:\WINDOWS\mslagent\uninstall.exe
         C:\WINDOWS\mslagent
         C:\WINDOWS\system32\smp\msrc.exe
         C:\WINDOWS\system32\smp

      Trojan.DNSChanger-Codec
         HKU\S-1-5-21-789336058-1214440339-725345543-500\Software\uninstall

      Adware.INetDelivery
         C:\Program Files\akl\akl.dll
         C:\Program Files\akl\akl.exe
         C:\Program Files\akl\uninstall.exe
         C:\Program Files\akl\unsetup.exe
         C:\Program Files\akl

      Rogue.PC-Cleaner
         HKU\S-1-5-21-789336058-1214440339-725345543-500\Software\dpcproxy
         HKU\S-1-5-21-789336058-1214440339-725345543-500\Software\fwbd
         HKU\S-1-5-21-789336058-1214440339-725345543-500\Software\HolLol
         HKU\S-1-5-21-789336058-1214440339-725345543-500\Software\mwc
         HKU\S-1-5-21-789336058-1214440339-725345543-500\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SystemCheck2

      Trojan.Fake-Drop/Gen
         C:\WINDOWS\A.BAT
         C:\WINDOWS\BDN.COM
         C:\WINDOWS\FVPROTECT.EXE
         C:\WINDOWS\ITUNESMUSIC.EXE
         C:\WINDOWS\MSSECU.EXE
         C:\WINDOWS\SYSTEM32\AKTTZN.EXE
         C:\WINDOWS\SYSTEM32\ANTICIPATOR.DLL
         C:\WINDOWS\SYSTEM32\AWTOOLB.DLL
         C:\WINDOWS\SYSTEM32\BDN.COM
         C:\WINDOWS\SYSTEM32\BSVA-EGIHSG52.EXE
         C:\WINDOWS\SYSTEM32\H@TKEYSH@@K.DLL
         C:\WINDOWS\SYSTEM32\HOPROXY.DLL
         C:\WINDOWS\SYSTEM32\HXIWLGPM.DAT
         C:\WINDOWS\SYSTEM32\HXIWLGPM.EXE
         C:\WINDOWS\SYSTEM32\MSGP.EXE
         C:\WINDOWS\SYSTEM32\MSNBHO.DLL
         C:\WINDOWS\SYSTEM32\MSSECU.EXE
         C:\WINDOWS\SYSTEM32\MSVCHOST.EXE
         C:\WINDOWS\SYSTEM32\MTR2.EXE
         C:\WINDOWS\SYSTEM32\MWIN32.EXE
         C:\WINDOWS\SYSTEM32\NETODE.EXE
         C:\WINDOWS\SYSTEM32\NEWSD32.EXE
         C:\WINDOWS\SYSTEM32\PS1.EXE
         C:\WINDOWS\SYSTEM32\REGC64.DLL
         C:\WINDOWS\SYSTEM32\REGM64.DLL
         C:\WINDOWS\SYSTEM32\RUNDL1.EXE
         C:\WINDOWS\SYSTEM32\SSURF022.DLL
         C:\WINDOWS\SYSTEM32\SSVCHOST.COM
         C:\WINDOWS\SYSTEM32\SSVCHOST.EXE
         C:\WINDOWS\SYSTEM32\SYSREQ.EXE
         C:\WINDOWS\SYSTEM32\TAACK.DAT
         C:\WINDOWS\SYSTEM32\TAACK.EXE
         C:\WINDOWS\USERCONFIG9X.DLL
         C:\WINDOWS\WINSYSTEM.EXE

      Dpcproxy
         C:\WINDOWS\SYSTEM32\DPCPROXY.EXE

      Unclassified.Unknown Origin/System
         C:\WINDOWS\SYSTEM32\PSOF1.EXE

      Adware.Pacer D
         C:\WINDOWS\SYSTEM32\PSOFT1.EXE

      Trojan.Dluca-I
         C:\WINDOWS\SYSTEM32\SNCNTR.EXE

      foosnik


        Re: I got nailed by a really bad virus.
        « Reply #2 on: October 03, 2008, 08:02:22 AM »
        Anybody have any response at all for me?  You guys are my only hope.

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: I got nailed by a really bad virus.
        « Reply #3 on: October 03, 2008, 10:57:48 AM »
        Please print these instructions as they will be needed later when Internet access is not available.
         
        Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/149534018/SDFix.exe.html
         
        When using this tool, you must use the Administrator's account or an account with Administrative rights.
        • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
        • DO NOT use it just yet.
         
        Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
         
        Open the SDFix folder and double click RunThis.bat to start the script.
        • Type Y to begin the cleanup process.
        • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
        • Press any Key and it will restart the PC.
        • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
        • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
        • Copy and paste the contents of the results file Report.txt in your next reply.
        ----------

        Now run a new HijackThis scan and post that log also.

        foosnik


          Re: I got nailed by a really bad virus.
          « Reply #4 on: October 03, 2008, 11:56:05 AM »
          When I try to reboot in safe mode it gives me the blue screen saying the video drivers could not be activated. 

          evilfantasy

          Re: I got nailed by a really bad virus.
          « Reply #5 on: October 03, 2008, 11:59:00 AM »
          Download Malwarebytes' Anti-Malware (MBAM) http://rapidshare.com/files/150037339/mbam-setup.exe.html

          • Double-click mbam-setup.exe and follow the prompts to install the program.
          • At the end, be sure a checkmark is placed next to the following:
            • Update Malwarebytes' Anti-Malware
            • Launch Malwarebytes' Anti-Malware
          • Then click Finish.
          • If an update is found, it will download and install the latest version.
          • Once the program has loaded, select Perform quick scan, then click Scan.
          • When the scan is complete, click OK, then Show Results to view the results.
          • Be sure that everything is checked, and click Remove Selected.
          • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
          • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
          • Copy and Paste the entire report in your next reply.

            Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

            ----------

            Now run a new HijackThis scan and post that log also.

            foosnik


              Re: I got nailed by a really bad virus.
              « Reply #6 on: October 03, 2008, 12:17:56 PM »
              When I try to install Malwarebytes' Anti-Malware (MBAM) it nearly completes the installation and then Windows says it has encountered a problem and has to close.  Every time I try to launch it it does the same.

              I seriously appreciate your help. 

              evilfantasy

              Re: I got nailed by a really bad virus.
              « Reply #7 on: October 03, 2008, 12:25:22 PM »
              Open HijackThis and select Do a system scan only.

              Place a check mark next to the following entries: (if there)

              - O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
              - O4 - HKCU\..\Run: [monchk] C:\WINDOWS\system32\kzajyjuv.exe
              - O4 - HKLM\..\Policies\Explorer\Run: [lc7fRtr4aR] C:\Documents and Settings\Administrator\Desktop\AdobeFlashPlayerHD.exe
              - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
              - O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
              - O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
              - O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
              - O21 - SSODL: AplMsgEn - {547E1BBF-035D-53FF-C5E1-07EDDC286C1F} - C:\Program Files\lfutfvf\AplMsgEn.dll


              Important: Close all windows except for HijackThis and then click Fix checked.

              Exit HijackThis.

              ----------

              Download OTMoveIt2 by OldTimer and save it to your Desktop.

              Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

              1. Double-click OTMoveIt2.exe to run it.
              2. Copy the lines in the codebox below.

              Code:
              [kill explorer]
              C:\WINDOWS\system32\sysrest32.exe
              C:\WINDOWS\system32\kzajyjuv.exe
              C:\Documents and Settings\Administrator\Desktop\AdobeFlashPlayerHD.exe
              C:\Program Files\lfutfvf\AplMsgEn.dll
              EmptyTemp
              [start explorer]

              3. Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
              4. Click the red Moveit! button.
              5. Copy everything in the Results window (under the green bar) and paste it in your next reply.
              6. Close OTMoveIt2.

              Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

              ----------

              Now try to install and run MalwareBytes again.
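The entries the helper ticks above were picked by eye. As an added example (not HijackThis code and not anything the helper posted), the Python below reads the O4, O6 and O21 line formats from a log like the ones in this thread and flags the same patterns: autostarts under Policies\Explorer\Run, executables launched straight from system32 or from a user-writable folder, IE policy locks, and SSODL DLLs outside the Windows directory. The sample log, the allowlist and the reason strings are constructed heuristics for a human reviewer, not vendor detection rules.

```python
"""Heuristic triage of HijackThis O4 / O6 / O21 entries (added example, not
HijackThis code). Every allowlist, path marker and reason string below is a
constructed heuristic meant for human review, not a vendor detection rule."""
import re
from typing import List, NamedTuple, Set

# Constructed sample modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [monchk] C:\WINDOWS\system32\kzajyjuv.exe
O4 - HKLM\..\Policies\Explorer\Run: [lc7fRtr4aR] C:\Documents and Settings\Administrator\Desktop\AdobeFlashPlayerHD.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O21 - SSODL: AplMsgEn - {547E1BBF-035D-53FF-C5E1-07EDDC286C1F} - C:\Program Files\lfutfvf\AplMsgEn.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path in a command line, quoted or not, up to its extension.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|bat|scr))(?:"|\s|$)', re.IGNORECASE)
SSODL_RE = re.compile(r"^SSODL: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SYSTEM32_FILE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\")

# Constructed allowlist: the one system32 autostart in this log that is expected.
SYSTEM32_ALLOWLIST = {"ctfmon.exe"}
# Lower-case path fragments that mark user-writable drop locations.
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\temporary internet files\\", "\\recycler\\")


class Finding(NamedTuple):
    section: str
    path: str   # file path, or the registry key for O6 entries
    reason: str


def _triage_o4(body: str) -> List[Finding]:
    m = O4_RE.match(body)
    if not m:
        return []
    key, cmd = m.group("key"), m.group("cmd")
    pm = PATH_RE.search(cmd)
    path = pm.group("path") if pm else cmd
    low = path.lower()
    out: List[Finding] = []
    if key.lower().startswith("policies\\"):
        out.append(Finding("O4", path, "autostart via Policies\\Explorer\\Run, a key legitimate installers almost never use"))
    if any(marker in low for marker in USER_WRITABLE):
        out.append(Finding("O4", path, "autostart launched from a user-writable drop location"))
    if SYSTEM32_FILE_RE.match(low) and low.rsplit("\\", 1)[-1] not in SYSTEM32_ALLOWLIST:
        out.append(Finding("O4", path, "non-allowlisted autostart living directly in system32"))
    return out


def _triage_o21(body: str) -> List[Finding]:
    m = SSODL_RE.match(body)
    if not m or WINDIR_RE.match(m.group("path").lower()):
        return []
    return [Finding("O21", m.group("path"),
                    "ShellServiceObjectDelayLoad DLL outside the Windows directory; explorer.exe loads it at every logon")]


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return every entry that merits a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            findings.extend(_triage_o4(body))
        elif section == "O6":
            key = body[: -len(" present")] if body.endswith(" present") else body
            findings.append(Finding("O6", key, "IE policy lock set; unexpected on a stand-alone home PC and consistent with the blocked Control Panel"))
        elif section == "O21":
            findings.extend(_triage_o21(body))
    return findings


def flagged_paths(log_text: str) -> Set[str]:
    """Distinct paths and keys flagged in a log."""
    return {f.path for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.path}\n     -> {f.reason}")
```

Run against a full log, the report lists exactly the O4, O6 and O21 lines the helper asked to fix, while the Kaspersky, RCrawler and ctfmon autostarts pass untouched.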

              foosnik


                Re: I got nailed by a really bad virus.
                « Reply #8 on: October 03, 2008, 01:14:50 PM »
                It won't let me contact the site to download OTMoveIt2 by OldTimer.  RapidShare works but it has blocked me from contacting many, many sites.  Download.com works.  FileHippo works as well.

                But I did do what you said with HijackThis...probably won't help but here is the new log:


                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 3:06:28 PM, on 10/3/2008
                Platform: Windows XP SP2 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.6000.16705)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                C:\WINDOWS\Explorer.EXE
                C:\WINDOWS\system32\spoolsv.exe
                C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
                C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
                C:\WINDOWS\eHome\ehRecvr.exe
                C:\WINDOWS\eHome\ehSched.exe
                C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\system32\dllhost.exe
                C:\WINDOWS\system32\wscntfy.exe
                C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
                C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                C:\Program Files\Google\Gmail Notifier\gnotify.exe
                C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
                C:\Program Files\Verizon\McciTrayApp.exe
                C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
                C:\PROGRA~1\RCrawler\RCrawler.exe
                C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
                C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
                C:\WINDOWS\system32\ctfmon.exe
                C:\Program Files\CursorXP\CursorXP.exe
                C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                C:\WINDOWS\system32\wuauclt.exe
                C:\WINDOWS\system32\rundll32.exe
                C:\Program Files\Mozilla Firefox\firefox.exe
                C:\Program Files\Trend Micro\HijackThis\sniper.exe

                R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
                O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
                O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
                O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
                O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
                O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
                O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
                O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
                O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
                O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
                O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
                O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
                O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
                O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
                O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
                O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
                O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
                O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
                O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
                O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by133fd.bay133.hotmail.msn.com/resources/MsnPUpld.cab
                O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
                O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
                O20 - AppInit_DLLs: WBSYS.DL C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\MZVKBD3.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\ADIALHK.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\KLOEHK.DLL C:\PROGRA~1\GOOGLE\GOOGLE~3\GOEC62~1.DLL
                O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
                O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
                O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
                O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
                O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
                O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
                O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

                --
                End of file - 8353 bytes




                evilfantasy

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Calm like a bomb
                • Thanked: 493
                • Experience: Experienced
                • OS: Windows 11
                Re: I got nailed by a really bad virus.
                « Reply #9 on: October 03, 2008, 01:21:58 PM »
                Get OTMoveIt2 here and do the instructions. http://rapidshare.com/files/150639580/OTMoveIt2.exe

                Then run HostsXpert and try to download/run MBAM again.

                Download HostsXpert http://rapidshare.com/files/150146135/HostsXpert.zip.html

                    * Unzip HostXpert to your Desktop
                    * Open up the HostXpert program.
                    * Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
                    * Click Create Back Up
                    * Then click on Restore Microsoft's Host Files
                    * Close the HostXpert program

                Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.
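The three HostsXpert steps above (make the hosts file writable, back it up, restore the Microsoft default) can also be done by hand from an elevated PowerShell prompt. The script below is an added example, not HostsXpert's code and not part of the original post; it assumes a Windows install with PowerShell available, an elevated session, and the hosts file at its default location under %SystemRoot%\System32\drivers\etc. Before overwriting it also lists every active (non-comment) entry other than the loopback lines, which is where a hijacked hosts file of the kind described in this thread usually shows up, for instance security-vendor domains mapped to 127.0.0.1 or to a foreign address. The backup file name and the `Restore-DefaultHosts` function name are choices made for this example.

```powershell
# Added example (not from the original thread): manual equivalent of the
# HostsXpert "Make Hosts Writable" / "Create Back Up" / "Restore Microsoft's
# Host Files" steps. Run from an elevated PowerShell prompt.

function Restore-DefaultHosts {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

    # Refuse to run without elevation; writing under System32 needs it, and a
    # non-elevated failure looks just like the "Cannot create file" error above.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Run as administrator) PowerShell."
    }

    # Step 1: make the file writable. Some infections set Read-only (and
    # sometimes Hidden/System) on hosts so that cleanup tools cannot replace it.
    $item = Get-Item -LiteralPath $hostsPath -Force
    Write-Host "Current attributes: $($item.Attributes)"
    if ($item.Attributes -band [IO.FileAttributes]::ReadOnly) {
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::ReadOnly
        Write-Host "Cleared Read-only attribute."
    }

    # Step 2: back up the existing file with a timestamp so nothing is lost.
    $backupPath = "$hostsPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # naming is this example's choice
    Copy-Item -LiteralPath $hostsPath -Destination $backupPath -Force
    Write-Host "Backup written to $backupPath"

    # Step 3: show every active mapping that is not the loopback entry, so the
    # person cleaning the machine can see what was being redirected or blocked.
    $suspicious = Get-Content -LiteralPath $hostsPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
    if ($suspicious) {
        Write-Host "Non-default entries found in hosts (saved in the backup):"
        $suspicious | ForEach-Object { Write-Host "  $_" }
    } else {
        Write-Host "No non-default entries found."
    }

    # Step 4: write the Microsoft default. The real default is a comment header
    # plus the loopback mapping; only the loopback line affects resolution.
    $defaultHosts = @"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# Lines beginning with # are comments. Hostname mappings: <IP> <hostname>

127.0.0.1       localhost
"@
    Set-Content -LiteralPath $hostsPath -Value $defaultHosts -Encoding Ascii
    Write-Host "Default hosts file restored. Flush the resolver cache with: ipconfig /flushdns"
}

Restore-DefaultHosts
```

If `Set-Content` still fails with "access denied" after the Read-only attribute is cleared and the prompt is elevated, the remaining causes are permissions and interference: `Get-Acl $hostsPath | Format-List` will show an explicit Deny entry on the file, and `(Get-Item $hostsPath -Force).Attributes` will show whether Hidden or System are also set. Restoring the file does not remove whatever set those attributes, so the malware scan still has to follow, which is the order the instructions above use.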

                foosnik

                  Topic Starter


                  Rookie

                  Re: I got nailed by a really bad virus.
                  « Reply #10 on: October 03, 2008, 01:59:30 PM »
                  ok...so I ran the OTMoveIt2, rebooted and it said it moved the files successfully. 

                  Then I ran HostsXpert and it gave me this error:

                  Quote
                  Error: Cannot create file  C:Windows\system32\Drivers\ETC\hosts

                  I then tried to run MBAM again with the same results.  There was an error and it had to close.

                  Man is this thing a really bad one, or what?



                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Calm like a bomb
                  • Thanked: 493
                  • Experience: Experienced
                  • OS: Windows 11
                  Re: I got nailed by a really bad virus.
                  « Reply #11 on: October 03, 2008, 02:01:06 PM »
                  In HostsXpert did you make sure that the "Make Hosts Writable?" button in the upper right corner was enabled?

                  foosnik

                    Topic Starter


                    Rookie

                    Re: I got nailed by a really bad virus.
                    « Reply #12 on: October 03, 2008, 02:52:22 PM »
                    This is what I am seeing:



                    I am guessing you mean the upper left corner.  The way you see it is the way I ran it.  I tried clicking it and it just asks me another question which is:  Make files readable?  So I clicked it back to this again.  Did I do something wrong?

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 493
                    • Experience: Experienced
                    • OS: Windows 11
                    Re: I got nailed by a really bad virus.
                    « Reply #13 on: October 03, 2008, 02:57:15 PM »
                    You need to click Make Hosts Writable. It shouldn't be highlighted in red.


                    foosnik

                      Topic Starter


                      Rookie

                      Re: I got nailed by a really bad virus.
                      « Reply #14 on: October 03, 2008, 03:25:10 PM »
                      Ok, this is what I see when that is done:



I then closed this, used Revo Uninstaller to uninstall MBAM, rebooted and tried to install it again.  I still got the same error message.  Error and had to close.