
Author Topic: "Application has been executed" problem.  (Read 24888 times)


Dr Jay

  • Malware Removal Specialist


  • Specialist
  • Moderator emeritus
  • Thanked: 119
  • Experience: Guru
  • OS: Windows 10
Re: "Application has been executed" problem.
« Reply #15 on: February 14, 2010, 01:42:06 PM »
Hi again. Please do these steps in order.

1. Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

5. Post the following in your next reply:
  • MBAM log
  • SAS log
  • ESET log
And, please tell me how your computer is doing.
~Dr Jay

csturgill

    Topic Starter


    Rookie

    Re: "Application has been executed" problem.
    « Reply #16 on: February 15, 2010, 07:20:07 AM »
    Here are the logs you requested.  My computer is doing much better.  None of those pop-ups anymore.  However, my computer seems to be running just a tad slower.  Is this normal??  What have you seen in all the logs??  Were there some nasty viruses??  Also, when I am totally done running all these programs should I uninstall all of them??  Thanks.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3740
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/14/2010 11:02:01 PM
    mbam-log-2010-02-14 (23-02-01).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 186732
    Time elapsed: 52 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 9
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Start Menu\TSC (Rogue.Total.Security) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.




    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/15/2010 at 00:08 AM

    Application Version : 4.33.1000

    Core Rules Database Version : 4584
    Trace Rules Database Version: 2396

    Scan type       : Complete Scan
    Total Scan Time : 00:32:09

    Memory items scanned      : 657
    Memory threats detected   : 0
    Registry items scanned    : 5687
    Registry threats detected : 0
    File items scanned        : 20536
    File threats detected     : 70

    Adware.Tracking Cookie

    Trojan.Agent/Gen-Nullo[Short]
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{0A785EFC-2893-439D-8A85-C3921561E687}\RP721\A0068457.DLL
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{0A785EFC-2893-439D-8A85-C3921561E687}\RP721\A0068461.DLL



    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=effe4d0f2ac1f740a1f09cee273455ca
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-02-15 01:48:48
    # local_time=2010-02-15 08:48:48 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776613 100 96 6693075 18247393 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=56071
    # found=0
    # cleaned=0
    # scan_time=3058
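An added example (not part of the original posts, and not Malwarebytes code): a Python sketch that parses a text log in the Malwarebytes' Anti-Malware 1.44 layout posted above, cross-checks the summary counts against the itemized sections, and lists objects still marked "Delete on reboot". The sample log is a constructed excerpt built from lines in that post, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.44 text-log layout shown in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected: 1
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Modules Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\TSC (Rogue.Total.Security) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<family>) -> <action>."  The greedy object group keeps paths
# that themselves contain parentheses, such as "...\(default)".
ITEM = re.compile(r"^(?P<object>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (declared_counts, items) from an MBAM-style text log."""
    declared, items, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            current = None
            continue
        m = HEADER.match(line)
        if m:
            current = m["section"]
            continue
        m = ITEM.match(line)
        if m and current:
            items.append({"section": current, **m.groupdict()})
    return declared, items


def count_mismatches(declared, items):
    """Sections whose declared count differs from the entries listed.
    A mismatch usually means the pasted log was truncated or edited."""
    listed = Counter(i["section"] for i in items)
    return {s: (n, listed[s]) for s, n in declared.items() if n != listed[s]}


def pending_reboot(items):
    """Objects not yet removed: they are only deleted at the next restart."""
    return sorted({i["object"] for i in items if "reboot" in i["action"].lower()})


def families(items):
    """Detections per family name, e.g. Adware.MyWebSearch."""
    return Counter(i["family"] for i in items)


if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(declared, items))
    print("pending reboot:", pending_reboot(items))
    print("families:", dict(families(items)))
```

Anything returned by `pending_reboot` is still on disk until the machine restarts, which is why the helper's instructions ask for an immediate restart when prompted.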

    Dr Jay

    Re: "Application has been executed" problem.
    « Reply #17 on: February 15, 2010, 01:43:42 PM »
    We will get it cleaned up afterward. There is probably still a little adware left.

    Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
    ~Dr Jay

    csturgill


      Re: "Application has been executed" problem.
      « Reply #18 on: February 15, 2010, 05:21:13 PM »
      Here is the log:

      Malwarebytes' Anti-Malware 1.44
      Database version: 3743
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      2/15/2010 7:18:47 PM
      mbam-log-2010-02-15 (19-18-47).txt

      Scan type: Quick Scan
      Objects scanned: 121511
      Time elapsed: 5 minute(s), 26 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      csturgill


        Re: "Application has been executed" problem.
        « Reply #19 on: February 17, 2010, 07:38:09 AM »
        Have I completed the correct Scan??  I posted the log but have not heard back what to do next.

        Dr Jay

        Re: "Application has been executed" problem.
        « Reply #20 on: February 17, 2010, 11:17:43 PM »
        Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
        • Select Start > All Programs > Accessories > System tools > System Restore.
        • On the dialogue box that appears select Create a Restore Point
        • Click NEXT
        • Enter a name e.g. Clean
        • Click CREATE
        You now have a clean restore point. To get rid of the bad ones:
        • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
        • In the Drop down box that appears select your main drive e.g. C
        • Click OK
        • The System will do some calculation and then display a dialogue box with TABS
        • Select the More Options Tab.
        • At the bottom will be a system restore box with a CLEANUP button; click this
        • Accept the Warning and select OK again, the program will close and you are done
        To remove all of the tools we used and the files and folders they created, please do the following:
        Please download OTC.exe by OldTimer:
        • Save it to your Desktop.
        • Double click OTC.exe.
        • Click the CleanUp! button.
        • If you are prompted to Reboot during the cleanup, select Yes.
        • The tool will delete itself once it finishes.
        Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

        ==

        Please download TFC by OldTimer to your desktop
        • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
        • It will close all programs when run, so make sure you have saved all your work before you begin.
        • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
        • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
        ==

        Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
        • Save it to your Desktop.
        • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
        • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
        ~Dr Jay

        csturgill


          Re: "Application has been executed" problem.
          « Reply #21 on: February 18, 2010, 02:02:16 PM »
          Ok.  I did everything you asked me to do.  I had one question though, my computer is still very slow and all the desktop icons are still there.  Here is the log:

           Results of screen317's Security Check version 0.99.1    
           Windows XP Service Pack 3 
          ``````````````````````````````
          Antivirus/Firewall Check:

           Windows Firewall Disabled! 
           ESET Online Scanner v3   
           McAfee SecurityCenter     
           McAfee Virtual Technician   
           Antivirus up to date! 
          ``````````````````````````````
          Anti-malware/Other Utilities Check:

           SUPERAntiSpyware Free Edition   
           HijackThis 2.0.2   
           CCleaner     
           Java(TM) 6 Update 15 
           Java(TM) 6 Update 7 
           Out of date Java installed!
           Adobe Flash Player 10 
          Adobe Reader 8.1.7
          Out of date Adobe Reader installed!
          ``````````````````````````````
          Process Check: 
          objlist.exe by Laurent

           McAfee VIRUSS~1 mcshield.exe 
           McAfee VIRUSS~1 mcsysmon.exe 
          ``````````````````````````````
          DNS Vulnerability Check:

           GREAT! (Not vulnerable to DNS cache poisoning)

          `````````End of Log```````````

          Dr Jay

          Re: "Application has been executed" problem.
          « Reply #22 on: February 18, 2010, 02:34:32 PM »
          What desktop items? Please be more specific on that note.

          Now, TFC is known to slow the computer down at first.

          Also, let me know about any other issues that are happening.
          ~Dr Jay

          csturgill


            Re: "Application has been executed" problem.
            « Reply #23 on: February 18, 2010, 03:57:04 PM »
            sniper.exe, Shortcut to SUPERAntiSpyware, Shortcut to mbam-setup, Shortcut to HijackThisInstaller, mbam-setup, HijackThis, esetsmartinstaller_enu, HijackThisInstaller, Shortcut to TFC and a few more I believe.  Other than my computer being really slow it has been running fine.

            Dr Jay

            Re: "Application has been executed" problem.
            « Reply #24 on: February 18, 2010, 04:48:52 PM »
            Please do a scan with Kaspersky Online Scanner

            Click on the Accept button and install any components it needs.
            • The program will install and then begin downloading the latest definition files.
            • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
            • This will start the program and scan your system.
            • The scan will take a while, so be patient and let it run.
            • Once the scan is complete, click on View scan report
            • Now, click on the Save Report as button.
            • Save the file to your desktop.
            • Copy and paste that information in your next post.
            ~Dr Jay

            csturgill


              Re: "Application has been executed" problem.
              « Reply #25 on: February 18, 2010, 08:00:07 PM »
              It is saying "Invalid File Signature" every time I try to Run Kaspersky.  I've tried twice now to Run it.

              csturgill


                Re: "Application has been executed" problem.
                « Reply #26 on: February 18, 2010, 10:18:23 PM »
                Ok I was able to get Kaspersky to Run.  However when it finished scanning it said no threats were found but it never generated a report for me.  When I click on reports nothing was there.

                Dr Jay

                Re: "Application has been executed" problem.
                « Reply #27 on: February 19, 2010, 03:48:03 PM »
                Ok. Delete those shortcuts that you do not need off of your Desktop, then do this final check, please:

                Please download Cheetah-Anti-Rogue (http://www.helpmyos.com/Cheetah-php-h15.htm?cheetah.zip), and save to your Desktop.
                • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
                • Double-click on Cheetah-Anti-Rogue.cmd to start.
                • It will finish quickly and launch a log.
                • Post the contents of it in your next reply.
                ~Dr Jay

                csturgill


                  Re: "Application has been executed" problem.
                  « Reply #28 on: February 19, 2010, 06:01:24 PM »
                  Cheetah-Anti-Rogue v1.3.1
                  by DragonMaster Jay

                  Microsoft Windows XP [Version 5.1.2600]
                  Date: 02/19/2010 - Time: 19:59:43 - Arch.: x86
                   
                   
                  -- Malware removal tools check --
                  Trend Micro HijackThis 2.0.2
                   
                   
                  -- Known infection --
                   
                   
                   
                  Extra message: Detection only.
                   
                   
                  EOF

                  Dr Jay

                  Re: "Application has been executed" problem.
                  « Reply #29 on: February 19, 2010, 08:59:09 PM »
                  Hi. The tool has just been updated. Please delete the version you have and download a new one. Then, please post a log after its run.
                  ~Dr Jay