
Topic: Malware Popups - Security Warning - Application cannot be executed...


bigthx

    Topic Starter


    Rookie

    A big Thank You in advance to ComputerHope folks for assisting all of us less knowledgeable users.

    I have an issue similar to other threads read on your boards.  I have reviewed the "Before Requesting Help" post and have a few questions before proceeding further.


    ISSUE DESCRIPTION

    Continual popups about false security alerts:

    "Security Warning - Application cannot be executed.  The file wuauclt.exe [or other file name] is infected.  Do you want to activate your antivirus software now?"

    ~~~~~~~~~~~~~~~

    "Antivirus software alert!

    Infiltration alert
    Your computer is being attacked by an Internet Virus.  It could be a password-stealing attack, a trojan - dropper or similar.

    Details
    Attack from:  [IP address -- which changes], port [port number -- which changes]
    Attacked port:  [port number -- which changes]
    Threat:  Win32/Nuqel.E  [or sometimes BankerFox.a]
    Do you want to block this attack?"

    ~~~~~~~~~~~~~~~

    "Spyware Alert!

    Vulnerabilities found... [cannot read the rest because it is covered by another popup]

    Activate Your antivirus software
    Stay unprotected

    ~~~~~~~~~~~~~~

    also what looks like a Java message:

    C:\PROGRA~2\Java\jre6\bin\ssvagent.exe

    "The remote procedure call failed to execute"

    ~~~~~~~~~~~~~~



    SYSTEM DETAILS and CURRENT STATUS

    Windows Vista Home Premium

    Norton Internet Security 2010 - subscription current, definitions updated yesterday, scan run after infection and no issues reported

    Programs List - 3 unfamiliar items:
    * Atheros Driver Installation Program - Atheros - 6/15/2009
    * VirtuaGirl HD - [no publisher] - 12/15/2009
    * WorkForce 30 Series Info Center - [no publisher] - 10/27/2009

    After getting infected, a friend had me turn off Network Connectivity using Control Panel.  Internet Explorer continues to try to connect.  I cannot close the IE window (have tried clicking the window X, also right-clicking and selecting Close).  I am able to start Task Manager, but it just flashes briefly and then disappears.

    I have not shut down and rebooted system since infection, because of concern that might exacerbate the current issues.


    NEXT STEPS please

    - should I turn Connectivity back on and try to download CCleaner, SUPERAntiSpyware, MBAM, etc. -- or does this put information on my PC at more risk due to the infection?  (and could this potentially spread the infection to other computers on my home network?)   As an alternative, I could download these programs to a clean PC, burn to CD, and then put on the infected PC

    - I'm not sure I can run CCleaner since the requirement is to close all browser windows and I cannot currently shut down IE -- should I try rebooting, or will this cause additional issues?

    - should I try to close the Java message window?

    Stuck at this point.  Again, thanks very much for your help.

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Malware Popups - Security Warning - Application cannot be executed...
    « Reply #1 on: January 28, 2010, 11:13:02 AM »
    Please visit this webpage for instructions for downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Post the log from ComboFix when you've accomplished that.
    ~Dr Jay

    bigthx
      « Reply #2 on: January 28, 2010, 12:14:43 PM »
      Thank you Jay -  I'm assuming I can run ComboFix even if unable to close all windows (ex. IE), as advised to do in the ComboFix instructions?   Am currently at work, but will run this evening and post the log results.

      much appreciated!

      Dr Jay
      « Reply #3 on: January 28, 2010, 12:25:06 PM »
      Ok. Post when ready.
      ~Dr Jay

      bigthx
        « Reply #4 on: January 28, 2010, 10:02:32 PM »
        Jay, I was unable to run ComboFix as my OS is Windows Vista, and ComboFix gave an error saying it was for Windows XP only.

        Instead, I completed the recommended Malware Removal Steps.  The immediate issue with endless popups appears to now be corrected, but here are the results and log files, for any additional cleanup you would recommend.

        Step1:  Add/Remove Programs -- 3 unfamiliar programs:
                     * Atheros Driver Installation Program - Atheros - 6/15/2009
                     * VirtuaGirl HD - [no publisher] - 12/15/2009
                     * WorkForce 30 Series Info Center - [no publisher] - 10/27/2009

        Step 2:  CCleaner -- completed
        Step 3:  SuperAntiSpyware -- log attached
        Step 4:  MBAM -- log attached
        Step 5:  JavaRa and CCleaner -- completed
        Step 6:  HiJackThis -- log attached

        Thanks in advance for your help!




        [Saving space, attachment deleted by admin]

        Dr Jay
        « Reply #5 on: January 28, 2010, 10:11:55 PM »
        Do you have a 64 bit computer?

        Please paste the contents of the logs.
        ~Dr Jay

        bigthx
          « Reply #6 on: January 28, 2010, 10:48:42 PM »
          Yes, it is a 64 bit machine with Windows Vista Home Premium, SP1.

          Here are the contents of the logs -- sorry about that!  thanks

          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 01/28/2010 at 11:11 PM

          Application Version : 4.33.1000

          Core Rules Database Version : 4531
          Trace Rules Database Version: 2343

          Scan type       : Complete Scan
          Total Scan Time : 01:12:49

          Memory items scanned      : 448
          Memory threats detected   : 0
          Registry items scanned    : 6196
          Registry threats detected : 39
          File items scanned        : 159968
          File threats detected     : 3

          Trojan.Agent/Gen-FakeSpy[Broad]
             [mybkmbrq] C:\USERS\<USERNAME>\APPDATA\LOCAL\JKEGOV\QFGOSYSGUARD.EXE
             C:\USERS\<USERNAME>\APPDATA\LOCAL\JKEGOV\QFGOSYSGUARD.EXE

          Adware.Tracking Cookie
             C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\<username>@atdmt[2].txt
             C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\Low\<username>@microsoftwlcashback.112.2o7[1].txt

          Rogue.Agent/Gen
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#knkd
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#aazalirt
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#skaaanret
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jungertab
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#zibaglertz
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#iddqdops
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ronitfst
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#tobmygers
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jikglond
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#tobykke
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#klopnidret
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jiklagka
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#salrtybek
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#seeukluba
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#jrjakdsd
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krkdkdkee
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#dkewiizkjdks
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#dkekkrkska
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#rkaskssd
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#kuruhccdsdd
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krujmmwlrra
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#kkwknrbsggeg
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ktknamwerr
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#iqmcnoeqz
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ienotas
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krkmahejdk
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#otpeppggq
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#krtawefg
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#oranerkka
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#kitiiwhaas
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#otowjdseww
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#otnnbektre
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#oropbbsee
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#irprokwks
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ooorjaas
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#id
             HKU\S-1-5-21-4224598723-424280943-4064166680-1000\SOFTWARE\AVSCAN#ready

          ~~~~~~~~~~~~~~~~~~~~~~~~~~

          Malwarebytes' Anti-Malware 1.44
          Database version: 3655
          Windows 6.0.6001 Service Pack 1
          Internet Explorer 7.0.6001.18000

          1/28/2010 11:31:39 PM
          mbam-log-2010-01-28 (23-31-39).txt

          Scan type: Quick Scan
          Objects scanned: 102962
          Time elapsed: 2 minute(s), 38 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 1
          Registry Values Infected: 0
          Registry Data Items Infected: 1
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 11:50:13 PM, on 1/28/2010
          Platform: Windows Vista SP1 (WinNT 6.00.1905)
          MSIE: Internet Explorer v7.00 (7.00.6001.18294)
          Boot mode: Normal

          Running processes:
          C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
          C:\Windows\SysWOW64\polawweb.exe
          C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
          C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
          C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
          C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
          C:\Program Files (x86)\Hp\QuickPlay\QPService.exe
          C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
          C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
          C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
          C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
          C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
          C:\Program Files (x86)\Trend Micro\HijackThis\sniper.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
          O1 - Hosts: ::1 localhost
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
          O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
          O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
          O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
          O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
          O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
          O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
          O4 - HKLM\..\Run: [QPService] "C:\Program Files (x86)\HP\QuickPlay\QPService.exe"
          O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
          O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
          O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
          O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
          O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
          O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
          O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
          O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
          O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
          O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
          O4 - HKCU\..\Run: [EPSON WorkForce 30 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEEA.EXE /FU "C:\Windows\TEMP\E_SF886.tmp" /EF "HKCU"
          O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
          O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
          O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
          O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
          O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
          O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
          O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
          O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
          O13 - Gopher Prefix:
          O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
          O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
          O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
          O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
          O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
          O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
          O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
          O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
          O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
          O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
          O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
          O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
          O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files (x86)\SMINST\BLService.exe
          O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
          O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
          O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
          O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
          O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
          O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
          O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

          --
          End of file - 11937 bytes
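The HijackThis log above is what the helper reads next, and the first pass is mechanical: which processes run from places they should not, which autostart entries point into a user profile, which CLSIDs have no DLL behind them, and which "(file missing)" services are noise. The script below is an added example written for this thread; it is not code from the original post or from Trend Micro's HijackThis. It runs those checks over a constructed excerpt of the log. The allow-list of system binaries, the severity labels, the "Program Files (x86) means 64-bit" heuristic, and the extra `[mybkmbrq]` O4 line (reconstructed from the SUPERAntiSpyware finding, since HijackThis ran after removal and no longer saw it) are all assumptions of this example.

```python
# First-pass triage of a HijackThis-style log. Added example for this thread,
# not code from the original post or from Trend Micro's HijackThis. The
# allow-list, severity labels and the log excerpt are this example's assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "review", "low" or "info"
    entry: str     # log line (or process path) the finding is about
    reason: str


RANK = {"high": 0, "review": 1, "low": 2, "info": 3}
# Constructed, deliberately short allow-list of binaries that normally run from
# the Windows system directory on Vista/7; extend it for real use.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "explorer.exe", "dwm.exe", "taskeng.exe", "csrss.exe", "lsass.exe",
    "services.exe", "wininit.exe", "spoolsv.exe", "rundll32.exe", "taskmgr.exe", "wuauclt.exe",
}
BENIGN_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
O_LINE_RE = re.compile(r"^O(?P<num>\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^.+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_IN_CMD_RE = re.compile(r'^"?(?P<exe>[a-z]:\\.*?\.(?:exe|dll|scr|cmd|bat|vbs|js))\b', re.I)


def check_process(path: str) -> list[Finding]:
    # Running from AppData/ProgramData/Temp, or an unknown name in System32/SysWOW64.
    if USER_WRITABLE_RE.search(path):
        return [Finding("high", path, "process running from a user-writable directory")]
    if SYSTEM_DIR_RE.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM_BINARIES:
        return [Finding("review", path, "unrecognised binary in the system directory; verify signature and hash")]
    return []


def check_run(line: str, body: str) -> list[Finding]:
    # O4 autostart whose executable lives in a user-writable path.
    m = O4_RE.match(body)
    e = EXE_IN_CMD_RE.match(m.group("cmd")) if m else None
    if e and USER_WRITABLE_RE.search(e.group("exe")):
        return [Finding("high", line, f"autostart '{m.group('name')}' launches from a user-writable path")]
    return []


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes, missing_services = False, 0
    is_x64 = "Program Files (x86)" in log_text  # assumption: marks a 64-bit Windows
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            findings.extend(check_process(line))
            continue
        m = O_LINE_RE.match(line)
        if not m:
            continue
        num, body = int(m.group("num")), m.group("body")
        if num == 1 and " ".join(body[len("Hosts:"):].split()).lower() not in BENIGN_HOSTS:
            findings.append(Finding("high", line, "hosts-file override; lookups for this name bypass DNS"))
        elif num in (2, 3) and body.endswith("(no file)"):
            findings.append(Finding("low", line, "orphaned CLSID with no DLL on disk; safe to remove"))
        elif num == 4:
            findings.extend(check_run(line, body))
        elif num == 23 and body.endswith("(file missing)"):
            missing_services += 1
    if missing_services:
        # 32-bit HijackThis 2.0.2 on 64-bit Windows is redirected by WOW64 from
        # System32 to SysWOW64, so 64-bit-only service binaries look "missing".
        findings.append(Finding("info" if is_x64 else "review",
                                f"{missing_services} O23 service entries marked (file missing)",
                                "expected on 64-bit Windows (WOW64 redirection); real on 32-bit"))
    return sorted(findings, key=lambda f: RANK[f.severity])


# Constructed excerpt of the thread's HijackThis log. The [mybkmbrq] O4 line is
# built from the SUPERAntiSpyware finding: HijackThis ran after removal, so the
# real log no longer contains it.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\SysWOW64\polawweb.exe
C:\Program Files (x86)\Trend Micro\HijackThis\sniper.exe

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [mybkmbrq] C:\Users\<username>\AppData\Local\jkegov\qfgosysguard.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry}\n    {f.reason}")
```

Two things the output makes visible that the three scanner logs in the thread do not. First, `C:\Windows\SysWOW64\polawweb.exe` is in the running-process list but is named by none of the detections; an unfamiliar binary in the system directory is not proof of anything, but it is the next file to hash and check for a signature. Second, the long run of `O23 ... (file missing)` lines is expected here: HijackThis 2.0.2 is a 32-bit program, and on 64-bit Vista the WOW64 file-system redirector sends its look-ups for `System32` to `SysWOW64`, where 64-bit-only binaries such as `vds.exe` and `lsass.exe` do not exist. Treat those as noise on a 64-bit machine and as real findings on a 32-bit one.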

          Dr Jay
          « Reply #7 on: January 29, 2010, 04:11:01 AM »
          Oh ok. ComboFix does not run on 64-bit machines. Lol.

          Download LockSearch to your desktop
          • A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
          • A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply
          ==

          Please download Runscanner to your desktop and run it.
          • When the first page comes up select Beginner Mode
          • On the next page  select Save a binary .Run file (Recommended) then click Start full scan at the top.
          • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
          • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
          • Call the .run file "redScan" and save it to your desktop. You will see the .run file on your desktop. Open Notepad, then click File > Open - locate the redScan file and open it in Notepad. Finally, copy all the results, and paste them here in your next reply.
          ==

          Please download V-Tool, and save to your Desktop.
          • Double-click on vtool.zip, and extract the file to your Desktop.
          • Double-click on vtool.cmd to start.
          • !! IMPORTANT !!::: At each prompt ("Press any key to continue..."), wait 10 seconds before pressing a key. This tool needs time to process each prompt.
          • It will finish eventually and launch a log. Do NOT exit the tool. Allow it to finish. (vtool.txt)
          • Post the contents of it in your next reply.
          ==

          Please make sure to post the contents of those logs (LockSearch, RunScanner, and V-Tool) in your next reply.
          ~Dr Jay

          bigthx
            « Reply #8 on: January 29, 2010, 05:29:37 AM »
            Thanks - will run these when I return from work.

            Question please -- from the logs provided previously, could you advise if you consider the state of the machine usable at this point?  I am no longer receiving the endless popups. 

            I'll definitely finish whatever additional steps you suggest, but would appreciate any feedback on what has been done thus far.

            thanks

            Dr Jay
            « Reply #9 on: January 29, 2010, 06:43:44 AM »
            It is usable, and feel free to use it. But, be careful until we get your computer clean. Not sure if it is fully clean yet, but at least it is good news the popups are gone.

            Post those logs when ready, no hurry. :)
            ~Dr Jay

            bigthx
              « Reply #10 on: January 29, 2010, 07:40:29 PM »
              Hello again -- here are the requested logs for LockSearch and VTool.  Unfortunately could not run RunScanner -- apparently it is not supported on 64-bit systems.

              Thanks for your help :)

              ~~~~~~~~~~~~~~~~

              LockSearch by jpshortstuff (05.11.09.1)
              Log created at 21:06 on 29/01/2010 (<username>)
              Scanning C:\


              C:\hiberfil.sys
              -------------------------


              C:\pagefile.sys
              -------------------------

              -=E.O.F=-

              ~~~~~~~~~~~~~~~~~~~~~~~~~~

              V-Tool by DragonMaster Jay
               
              Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3998.2354 [GMT -5:00]
               
              Username: <snipped> - Date: 01/29/2010 - Time: 21:36:31 - Number of processors: 2 - Arch.: AMD64 SF: 
               
               
              ((((( Security Software information )))))
               
              SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
               
              ((((( System File Verify )))))
               
              c:\windows\system32\eventlog.dll is missing! (If XP or lower)
              c:\windows\system32\drivers\beep.sys is missing!
               
              ((((( System File Enumeration )))))
               
               Volume in drive C has no label.
               Volume Serial Number is 4CD2-5B84

               Directory of C:\WINDOWS\System32

              scecli.dll     netlogon.dll   cngaudit.dll   
                             3 File(s)        967,168 bytes

               Directory of C:\WINDOWS\System32\drivers

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_1a9e8abf

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_1d87dda2

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_95f5a2e9

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_f8cccc79

              atapi.sys   
                             1 File(s)         20,072 bytes

               Directory of C:\WINDOWS\SysWOW64

              scecli.dll     netlogon.dll   cngaudit.dll   
                             3 File(s)        781,312 bytes

               Directory of C:\WINDOWS\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_424bc4aceb06de1c

              cngaudit.dll   
                             1 File(s)         14,848 bytes

               Directory of C:\WINDOWS\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_942c7ddf9178e048

              scecli.dll   
                             1 File(s)        235,520 bytes

               Directory of C:\WINDOWS\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_59d652c6f057598d

              netlogon.dll   
                             1 File(s)        716,800 bytes

               Directory of C:\WINDOWS\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_37d5e5fef5f86cf7

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_398211faf34b271a

              atapi.sys   
                             1 File(s)         22,584 bytes

               Directory of C:\WINDOWS\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_9e812831c5d9a243

              scecli.dll   
                             1 File(s)        177,152 bytes

               Directory of C:\WINDOWS\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_642afd1924b81b88

              netlogon.dll   
                             1 File(s)        592,384 bytes

               Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

              cngaudit.dll   
                             1 File(s)         11,776 bytes

                   Total Files Listed:
                            20 File(s)      3,675,120 bytes
                             0 Dir(s)  163,377,364,992 bytes free
               
              -----------------------------
               
              +++ End-of-file +++
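Added example (editor's, not code from the thread or from the tool that produced the listing above). The enumeration lists every copy Windows keeps of atapi.sys, scecli.dll, netlogon.dll and cngaudit.dll, in System32, the DriverStore and WinSxS, because the usual reason to ask for it is a file-patching rootkit that tampers with the live copy. Byte sizes, which are all the listing shows, are weak evidence either way: different version folders legitimately hold different builds, and a patched file can keep its original length. The script below hashes every copy instead and reports a live copy whose hash matches no store copy of any version. The directory layout is constructed in a temp folder (not the poster's files); a "patched" atapi.sys of exactly the same length as the clean one is planted in System32\drivers to show that a size comparison would pass it. Caveat: a rootkit that is still resident can filter what the file system returns, so run a check like this from clean boot media or against an offline image.

```python
"""Hash every copy of a Windows system file and flag live copies that match
no component-store copy.

Added example, not code from the thread or from the tool that produced the
listing above. The layout it walks is constructed in a temp folder below;
nothing here touches a real Windows directory unless you point it at one.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(windir, filename):
    """Map every file named `filename` (case-insensitive) under windir to its SHA-256."""
    hits = {}
    for base, _dirs, files in os.walk(windir):
        for name in files:
            if name.lower() == filename.lower():
                path = os.path.join(base, name)
                hits[path] = sha256_of(path)
    return hits


def is_store_copy(windir, path):
    """True for copies kept in WinSxS or the DriverStore, False for a live copy."""
    parts = os.path.relpath(path, windir).lower().split(os.sep)
    return parts[0] == "winsxs" or parts[:2] == ["system32", "driverstore"]


def size_groups(windir, filename):
    """Byte size (what a dir listing shows) -> paths of the copies with that size."""
    groups = {}
    for path in find_copies(windir, filename):
        groups.setdefault(os.path.getsize(path), []).append(path)
    return groups


def unmatched_live_copies(windir, filename):
    """Live copies (System32, System32\\drivers, SysWOW64) whose hash equals
    no WinSxS/DriverStore copy of any version."""
    copies = find_copies(windir, filename)
    store_hashes = {d for p, d in copies.items() if is_store_copy(windir, p)}
    return sorted(p for p, d in copies.items()
                  if not is_store_copy(windir, p) and d not in store_hashes)


def build_demo_tree():
    """Constructed sample tree (not the poster's files): clean atapi.sys in
    WinSxS and the DriverStore, a same-length patched copy in System32\\drivers,
    and a scecli.dll whose live and store copies agree."""
    root = tempfile.mkdtemp(prefix="windemo_")
    clean = b"MZ" + b"\x00" * 64 + b"clean atapi body" + b"\x00" * 64
    patched = clean[:40] + b"PATCHED!" + clean[48:]      # same size, different bytes
    layout = {
        ("WinSxS", "amd64_mshdc.inf_demo_6.0.6001.18000", "atapi.sys"): clean,
        ("System32", "DriverStore", "FileRepository", "mshdc.inf_demo", "atapi.sys"): clean,
        ("System32", "drivers", "atapi.sys"): patched,
        ("WinSxS", "amd64_scecli_demo", "scecli.dll"): b"MZ scecli demo",
        ("System32", "scecli.dll"): b"MZ scecli demo",
    }
    for parts, data in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for name in ("atapi.sys", "scecli.dll"):
        print(name, "copies per size:", {s: len(p) for s, p in size_groups(root, name).items()})
        print(name, "unmatched live copies:", unmatched_live_copies(root, name))
```

Pointed at a real installation (for example a mounted offline image's Windows folder) the same two functions apply unchanged; on Vista and later the System32 file is often a hard link to its WinSxS copy, so an in-place patch changes both and only a replaced file shows up as unmatched, which is one more reason the hash check complements rather than replaces a scan from clean media.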

Dr Jay (Malware Removal Specialist)
              Re: Malware Popups - Security Warning - Application cannot be executed...
              « Reply #11 on: January 29, 2010, 07:43:58 PM »
              Please run a free online scan with the ESET Online Scanner
              • Tick the box next to YES, I accept the Terms of Use
              • Click Start
              • When asked, allow the ActiveX control to install
              • Click Start
• Make sure that the options Remove found threats and Scan unwanted applications are both checked
              • Click Scan (This scan can take several hours, so please be patient)
              • Once the scan is completed, you may close the window
              • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
              • Copy and paste that log as a reply to this topic
              ~Dr Jay

bigthx (Topic Starter)

                Re: Malware Popups - Security Warning - Application cannot be executed...
                « Reply #12 on: January 30, 2010, 06:14:18 AM »
                okay - ESET scanner found and removed:

windows\system32\dbapmov.dll - variant of win32\Urlbot.NAG trojan

                here's the log, although the timestamp looks like it was written at install rather than after the scan was completed:

                ~~~~~~~~~~~~~~~~~~~

                ESETSmartInstaller@High as CAB hook log:
                OnlineScanner64.ocx - registred OK
                OnlineScanner.ocx - registred OK

                ~~~~~~~~~~~~~~~~~~~

                Ready for the next step  :)    thanks

Dr Jay (Malware Removal Specialist)
                Re: Malware Popups - Security Warning - Application cannot be executed...
                « Reply #13 on: January 30, 2010, 08:26:13 AM »
                Please download Malwarebytes Anti-Malware from Malwarebytes.org.
                Alternate link: BleepingComputer.com.
                (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

                Double Click mbam-setup.exe to install the application.

                (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
                • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
                • If an update is found, it will download and install the latest version.
                • Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
                • When the scan is complete, click OK, then Show Results to view the results.
                • Make sure that everything is checked, and click Remove Selected.
                • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                • Please save the log to a location you will remember.
                • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                • Copy and paste the entire report in your next reply.
                Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
                ~Dr Jay
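Added example, written for this thread rather than taken from it or from Malwarebytes. The report the scan saves is plain text in the layout bigthx pastes in the next reply: a block of "category Infected: N" counters, then one section per category whose lines read "path (signature) -> action". The helper below parses that layout, checks that every counter agrees with the number of items listed under it, and sets aside detections inside C:\32788R22FWJFW, which is the working folder the ComboFix tool leaves behind and which MBAM reports as Malware.Trace / Trojan.Agent leftovers rather than a live infection. The embedded report is a constructed sample, abbreviated from the one in this thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text report and sanity-check it.

Added example, not code from the thread or from Malwarebytes. SAMPLE_REPORT
is a constructed, abbreviated copy of the report format seen in this thread.
"""
import re

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
DETAIL_RE = re.compile(r"^(?P<path>.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+)$")
NONE_LINE = "(No malicious items detected)"

# Working folders of other cleanup tools whose leftovers MBAM flags but which
# are not a live infection (this example's own list; C:\32788R22FWJFW is
# the folder ComboFix creates for itself).
TOOL_REMNANT_PREFIXES = ("c:\\32788r22fwjfw\\",)


def parse_mbam_report(text):
    """Return (summary, detections): summary maps category -> counter,
    detections maps category -> list of (path, signature, action)."""
    summary, detections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                   # "Files Infected: 2"
            summary[m.group("cat")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):         # section header "Files Infected:"
            current = line[:-1]
            detections.setdefault(current, [])
            continue
        if current is None or line == NONE_LINE:
            continue
        m = DETAIL_RE.match(line)
        if m:
            detections[current].append((m.group("path"), m.group("sig"), m.group("action")))
    return summary, detections


def check_counts(summary, detections):
    """Categories whose counter disagrees with the number of items listed."""
    return sorted(cat for cat, n in summary.items() if n != len(detections.get(cat, [])))


def split_tool_remnants(detections):
    """Separate detections under known cleanup-tool folders from the rest."""
    remnants, real = [], []
    for items in detections.values():
        for path, sig, action in items:
            bucket = remnants if path.lower().startswith(TOOL_REMNANT_PREFIXES) else real
            bucket.append((path, sig, action))
    return remnants, real


SAMPLE_REPORT = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3662
Windows 6.0.6001 Service Pack 1

1/30/2010 2:21:19 PM
mbam-log-2010-01-30 (14-21-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290585

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\32788R22FWJFW\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\32788R22FWJFW\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary, detections = parse_mbam_report(SAMPLE_REPORT)
    print("counter mismatches:", check_counts(summary, detections))
    remnants, real = split_tool_remnants(detections)
    print("tool leftovers:", len(remnants), "other detections:", len(real))
```

Run against the report in the next reply the script finds no counter mismatch and classifies both entries as tool leftovers, which is the reading a reviewer would give that log.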

bigthx (Topic Starter)

                  Re: Malware Popups - Security Warning - Application cannot be executed...
                  « Reply #14 on: January 30, 2010, 12:41:46 PM »
                  Okay, MBAM log below. 

                  Are MBAM and/or SUPERAntiSpyware something I should run weekly? daily?  Both programs seem to currently be configured to check for updates on boot.

                  thanks!

                  ~~~~~~~~~~~~~~~~~~~~~

                  Malwarebytes' Anti-Malware 1.44
                  Database version: 3662
                  Windows 6.0.6001 Service Pack 1
                  Internet Explorer 7.0.6001.18000

                  1/30/2010 2:21:19 PM
                  mbam-log-2010-01-30 (14-21-19).txt

                  Scan type: Full Scan (C:\|D:\|)
                  Objects scanned: 290585
                  Time elapsed: 1 hour(s), 4 minute(s), 4 second(s)

                  Memory Processes Infected: 0
                  Memory Modules Infected: 0
                  Registry Keys Infected: 0
                  Registry Values Infected: 0
                  Registry Data Items Infected: 0
                  Folders Infected: 0
                  Files Infected: 2

                  Memory Processes Infected:
                  (No malicious items detected)

                  Memory Modules Infected:
                  (No malicious items detected)

                  Registry Keys Infected:
                  (No malicious items detected)

                  Registry Values Infected:
                  (No malicious items detected)

                  Registry Data Items Infected:
                  (No malicious items detected)

                  Folders Infected:
                  (No malicious items detected)

                  Files Infected:
                  C:\32788R22FWJFW\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
                  C:\32788R22FWJFW\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.