
Topic: system security 2009 - can't run programs and can't start in safe mode


stepper459

    Topic Starter


    Rookie

    I have an HP Pavilion a1310n desktop with Windows MCE 2005, modified to be able to join a domain. I have a program called "System Security 2009" which I have read all kinds of bad things about on the internet... anyway, I can't run any of the programs I would like to use to clean this up, like Malwarebytes Anti-Malware, CCleaner, or HijackThis, let alone any programs at all for that matter. I have tried to restart and boot into safe mode, but I get a blue screen of death. Any help or advice is appreciated.

    Thanks!

    luck of the irish



      Intermediate
    • Thanked: 8
    • Experience: Experienced
    • OS: Windows 7

    stepper459


      I looked at that page, and using Bart's PE I looked into the registry and didn't see any of those entries. Did I miss something, or can I not do that through Bart's PE?

      luck of the irish



      What kind of anti-virus do you have?

      stepper459


        I have Trend Micro, on a server through a network at my workplace; I'm basically the administrator of the network, so I have no one else to go to here. I can't run the Trend Micro scanner (though it did detect this early on but was unable to clean it)...

        luck of the irish



        Why can't you? Because of the case, I think it would be better if we waited for Quantos to come; I am sure he will be able to help you better than I can. Honestly, the only way to remove it is to use an anti-spyware ...

        I have found this link: http://www.bleepingcomputer.com/virus-removal/remove-system-security. Try that.

        Karnac



          Specialist

          Thanked: 211
          You have to get a rescue disc to allow you to boot. Burn a copy of the rescue disc and boot from it. You'll be able to run a scan and possibly remove malicious content.
          Remember to change the boot order from HDD to CD.

          http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
          « Last Edit: June 28, 2009, 06:23:17 PM by Karnac »


          Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

          stepper459

            Using a combination of manual removal instructions I found, I was able to delete various suspicious files and registry entries, to the point where I could run MBAM and HijackThis in Windows... it was looking good when I left work and had to shut the computer down. Thanks for your help, I'll let you all know if the problem persists...

            stepper459

              Okay, so the computer works now... but every time I run MBAM I get 10-20 more infections, and it can't clean them. I have used HijackThis to attempt to get rid of some suspicious entries, but they keep coming back! I am posting the HijackThis log and the MBAM log; any help is appreciated!

              HijackThis:

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 8:46:04 AM, on 7/1/2009
              Platform: Windows XP SP3 (WinNT 5.01.2600)
              MSIE: Unable to get Internet Explorer version!
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\arservice.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\WINDOWS\system32\inetsrv\inetinfo.exe
              C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
              C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\spnsrvnt.exe
              d:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
              d:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
              C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\Explorer.EXE
              C:\PCS\PcsPrint\pcsprn.exe
              D:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\WINDOWS\system32\CAPM5RSK.EXE
              d:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
              C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\PROCEXP.EXE
              C:\WINDOWS\system32\3361\services.exe
              C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              F3 - REG:win.ini: load=C:\WINDOWS\system32\mssas.exe
              F3 - REG:win.ini: run=C:\WINDOWS\system32\msswgtoq.exe
              O4 - HKLM\..\Run: [PCSPrn] C:\PCS\PcsPrint\pcsprn.exe
              O4 - HKLM\..\Run: [OfficeScanNT Monitor] "d:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
              O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [PCSMenu] N:\FOXPRO\PCSMENU.EXE
              O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\mswcgvd.exe
              O4 - HKUS\S-1-5-21-1038429887-3795459445-4233314246-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
              O4 - HKUS\S-1-5-21-1038429887-3795459445-4233314246-1008\..\Run: [PCSMenu] N:\FOXPRO\PCSMENU.EXE (User '?')
              O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
              O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O15 - Trusted Zone: *.164.109.25.72
              O15 - Trusted Zone: *.207.130.86.35
              O15 - Trusted Zone: *.acura.com
              O15 - Trusted Zone: *.ahm-ownerlink.com
              O15 - Trusted Zone: *.ahmdealer.com
              O15 - Trusted Zone: *.edcor.com
              O15 - Trusted Zone: *.in.honda.com
              O15 - Trusted Zone: in.honda.com
              O15 - Trusted Zone: *.honda.com
              O15 - Trusted Zone: *.hondacars.com
              O15 - Trusted Zone: *.hondapqr.com
              O15 - Trusted Zone: *.jdpower.com
              O15 - Trusted Zone: *.xmradio.com
              O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.in.honda.com/rraaapps/rraasec/codebase/rraainax/RYXAINAX_LandscapePrintingActiveX.cab
              O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
              O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://192.168.2.253/bl_camera.cab
              O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RiveredgeMarina.local
              O17 - HKLM\Software\..\Telephony: DomainName = RiveredgeMarina.local
              O17 - HKLM\System\CCS\Services\Tcpip\..\{5AF707BF-F6A7-49F5-B00A-F13DC73AB7BE}: NameServer = 192.168.2.1
              O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RiveredgeMarina.local
              O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RiveredgeMarina.local
              O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = RiveredgeMarina.local
              O18 - Protocol: a5res - (no CLSID) - (no file)
              O18 - Protocol: XBasic - (no CLSID) - (no file)
              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
              O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: Droppix Service - Droppix - C:\Program Files\Common Files\Droppix\DxService.exe
              O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
              O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
              O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
              O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - d:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
              O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - d:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
              O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
              O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
              O23 - Service: PCSSecDevServer (SuperProServer) - Unknown owner - C:\WINDOWS\system32\spnsrvnt.exe
              O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - d:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

              --
              End of file - 6563 bytes



              And the MBAM log:


              Malwarebytes' Anti-Malware 1.38
              Database version: 2297
              Windows 5.1.2600 Service Pack 3

              7/1/2009 8:45:41 AM
              mbam-log-2009-07-01 (08-44-59).txt

              Scan type: Quick Scan
              Objects scanned: 131655
              Time elapsed: 10 minute(s), 45 second(s)

              Memory Processes Infected: 1
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 2
              Registry Data Items Infected: 4
              Folders Infected: 1
              Files Infected: 5

              Memory Processes Infected:
              C:\WINDOWS\system32\3361\services.exe (Trojan.Downloader) -> No action taken.

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.
              HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.

              Registry Data Items Infected:
              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
              HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> No action taken.
              HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> No action taken.
              HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> No action taken.

              Folders Infected:
              C:\WINDOWS\system32\3361 (Trojan.Downloader) -> No action taken.

              Files Infected:
              c:\WINDOWS\system32\3361\services.exe (Trojan.Downloader) -> No action taken.
              C:\WINDOWS\system32\lsass.dll (Trojan.Agent) -> No action taken.
              C:\WINDOWS\system32\svchost.dll (Trojan.Agent) -> No action taken.
              C:\WINDOWS\system32\winexec.dll (Trojan.Agent) -> No action taken.
              C:\WINDOWS\system32\winres.dll (Trojan.Agent) -> No action taken.

              Thank you in advance for any help you may be able to give!
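Read together, the two logs above account for the symptoms in this thread: the .exe/.com/.bat associations point at a bogus "csfile" class (hence the "what program would you like to use" prompt), and persistence is set through win.ini load=/run= and the Explorer\Run policy key, with a Trojan named services.exe running from a system32 subfolder. The following Python is an added example, not code from this thread, from Malwarebytes or from HijackThis; it parses constructed sample lines modelled on the posted logs and pulls out exactly those findings for triage.

```python
import re

# Constructed sample lines, modelled on the MBAM and HijackThis logs posted above.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> No action taken.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> No action taken.
""".strip().splitlines()
HJT_SAMPLE = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mssas.exe
O4 - HKLM\..\Run: [PCSPrn] C:\PCS\PcsPrint\pcsprn.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\mswcgvd.exe
C:\WINDOWS\system32\3361\services.exe
C:\WINDOWS\system32\services.exe
""".strip().splitlines()

# MBAM "Registry Data Items Infected" line: <key> (<detection>) -> Bad: (x) Good: (y) -> ...
DATA_ITEM = re.compile(r"^(?P<key>.+?) \((?P<det>[^()]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
ASSOC_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\\.(?P<ext>\w+)\\\(default\)$")
# HijackThis lines worth a second look: win.ini load=/run= (F3), the Explorer\Run policy
# key (O4), and a core system binary name running from a subfolder of system32.
F3_WININI = re.compile(r"^F3 - REG:win\.ini: (?P<field>load|run)=(?P<path>\S.*)$")
O4_POLICY = re.compile(r"^O4 - HKLM\\\.\.\\Policies\\Explorer\\Run: \[[^\]]+\] (?P<path>.+)$")
SYS_SUBDIR = re.compile(r"^C:\\WINDOWS\\system32\\[^\\]+\\(services|svchost|lsass|winlogon)\.exe$", re.I)

def parse_data_items(lines):
    """One dict (key, det, bad, good) per MBAM registry-data finding."""
    return [m.groupdict() for m in map(DATA_ITEM.match, (l.strip() for l in lines)) if m]

def hijacked_associations(items):
    """Map extension -> (bad, good) for HKCR .ext default-value findings. A bad value
    of csfile on .exe is why launching a program asks which program to open it with."""
    result = {}
    for it in items:
        m = ASSOC_KEY.match(it["key"])
        if m:
            result[m.group("ext")] = (it["bad"], it["good"])
    return result

def triage_hjt(lines):
    """Return (tag, detail) tuples for suspicious HijackThis lines."""
    findings = []
    for line in (l.strip() for l in lines):
        if m := F3_WININI.match(line):
            findings.append(("winini_" + m.group("field"), m.group("path")))
        elif m := O4_POLICY.match(line):
            findings.append(("policy_run", m.group("path")))
        elif SYS_SUBDIR.match(line):
            findings.append(("system_name_in_subdir", line))
    return findings
```

Feed the real log files through the same functions line by line; a "good" value of exefile that keeps reverting to csfile after a reboot is the sign that the persistence entries, not the association itself, are what still need removing.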

              stepper459


                Also - I just restarted the computer after running another MBAM scan and now I can't run any programs again, it asks "what program would you like to use to open this type of file?" for an .exe file. AND I still get the blue screen of death when I try to start in safe mode.

                luck of the irish



                AND I still get the blue screen of death when I try to start in safe mode.

                Well, the BSOD appears with a fault, but because safe mode doesn't work (correct me if I am wrong), it sounds like the HDD has become faulty.

                stepper459

                  I can start Windows in regular mode, though, and I can't run any programs because of the error ("choose the program you want to use to open this file").


                  luck of the irish



                  OK

                  Run -> cmd -> fsutil dirty query C: and post back the results.

                  stepper459

                    "Volume - c: is NOT dirty" came back from that.
                    I found that I could run a program by selecting it from the list of "choose the program...", i.e., to run MBAM I selected mbam.exe when asked to choose a program to run mbam.exe. Anyway, after running MBAM and CCleaner a few times, I am now able (after restarting) to run programs again, so it's another round of MBAM. It's still finding "Trojan.Agent", and a few other things, every time I run it!

                    luck of the irish



                    Did you go here: http://www.computerhope.com/forum/index.php/topic,46313.0.html ? Also, if you have the original CD, then try running

                    sfc/scannow