
Author Topic: Application cannot be executed.  (Read 7301 times)


chrisandcami

    Topic Starter


    Greenhorn

    Application cannot be executed.
    « on: August 26, 2010, 07:12:18 AM »
    I too have contracted the virus that pops up with the box "Application cannot be executed.  The file ****.exe is infected.  Do you want to activate your antivirus software now?" The file name changes depending on what program I'm trying to open.

    I'm running Windows XP Media Edition, service pack 3.  I know enough about computers to get around my machine, but am no Guru for sure.  So I was very relieved to find your website, which is AMAZING!  Thank you for all the incredible advice!!!  I have followed every step in the "Before Requesting Malware Removal" section.  I did everything in Safe Mode.  The only thing I was unable to do was update my Java, even when I rebooted into regular mode.  The version I'm on is very current, but not the latest.  So I tried to download and install the latest version.  Download went fine.  But when I go to install it tells me "The download cannot proceed with the current Internet Connection settings."  In addition, I am unable to access the internet via IE.  So I'm writing this via Firefox. 

    Other than that, the symptoms of the virus seem to be less.  I still can't get online via IE.  But the error message doesn't come up and I don't get redirected to some random gambling website.  But as you so kindly point out, just because the symptoms are gone, doesn't mean there still isn't an issue in the background.  So I'm continuing to follow your recommendations to the letter and will post the data from the three logs I've generated.

    THANK YOU, THANK YOU, THANK YOU in advance for all your help!!!

    "Blessed are the flexible, for they shall not get bent out of shape."

    chrisandcami

      Topic Starter


      Greenhorn

      Re: Application cannot be executed.
      « Reply #1 on: August 26, 2010, 07:14:00 AM »
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 08/25/2010 at 10:54 PM

      Application Version : 4.41.1000

      Core Rules Database Version : 5242
      Trace Rules Database Version: 3054

      Scan type       : Complete Scan
      Total Scan Time : 04:19:26

      Memory items scanned      : 221
      Memory threats detected   : 0
      Registry items scanned    : 9078
      Registry threats detected : 5
      File items scanned        : 459438
      File threats detected     : 7

      Trojan.DNSChanger-Codec
         HKU\S-1-5-21-822617210-363415911-2972290931-1007\Software\uninstall

      Trojan.Hugipon
         HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
         HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

      SuperAntiSpyware Log:

      Adware.AdRotator
         HKU\S-1-5-21-822617210-363415911-2972290931-1007\Software\Sky-Banners
         HKU\S-1-5-21-822617210-363415911-2972290931-1007\Software\Street-Ads

      Adware.Tracking Cookie
         .avgtechnologies.112.2o7.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4gs1zwt5.default\cookies.sqlite ]
         C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@advertise[1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
         C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
         C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt

      chrisandcami

        Topic Starter


        Greenhorn

        Re: Application cannot be executed.
        « Reply #2 on: August 26, 2010, 07:15:09 AM »
        Malwarebytes' Anti-Malware Log:

        Malwarebytes' Anti-Malware 1.46
        www.malwarebytes.org

        Database version: 4478

        Windows 5.1.2600 Service Pack 3 (Safe Mode)
        Internet Explorer 7.0.5730.13

        8/26/2010 8:28:04 AM
        mbam-log-2010-08-26 (08-28-04).txt

        Scan type: Full scan (C:\|E:\|)
        Objects scanned: 602359
        Time elapsed: 2 hour(s), 18 minute(s), 10 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 1
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)

        chrisandcami

          Topic Starter


          Greenhorn

          Re: Application cannot be executed.
          « Reply #3 on: August 26, 2010, 07:48:04 AM »
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 8:57:40 AM, on 8/26/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.17080)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\WINDOWS\eHome\ehRecvr.exe
          C:\WINDOWS\eHome\ehSched.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\nvsvc32.exe
          C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
          C:\Program Files\Silicon Image\3132-W-I32-R SATARAID5\SATARaid5ConfigService.exe
          C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\SearchIndexer.exe
          C:\WINDOWS\SM1BG.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\PROGRA~1\AVG\AVG9\avgtray.exe
          C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\WINDOWS\system32\SearchProtocolHost.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Program Files\Trend Micro\HijackThis\Sniper.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
          R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
          R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
          O1 - Hosts: ::1 localhost
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
          O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
          O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
          O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
          O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
          O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

          chrisandcami

            Topic Starter


            Greenhorn

            Re: Application cannot be executed.
            « Reply #4 on: August 26, 2010, 07:50:41 AM »
            O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
            O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
            O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
            O4 - HKLM\..\Run: [SM1BG] "C:\WINDOWS\SM1BG.EXE"
            O4 - HKLM\..\Run: [PtiuPbmd] "C:\WINDOWS\system32\Rundll32.exe" ulutil2.dll,SetWriteBack
            O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
            O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
            O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
            O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
            O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
            O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
            O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
            O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
            O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
            O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
            O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
            O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
            O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
            O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O15 - Trusted Zone: http://*.trymedia.com (HKLM)

            lenr

            • Guest
            Re: Application cannot be executed.
            « Reply #5 on: August 26, 2010, 09:29:39 AM »
            Try Malwarebytes Anti Malware.
            You can find it here   http://www.malwarebytes.org/mbam.php

            After you install it, update it, and then run a  'full scan'
            It does a real good job of finding and deleting viruses.

            chrisandcami

              Topic Starter


              Greenhorn

              Re: Application cannot be executed.
              « Reply #6 on: August 26, 2010, 10:10:42 AM »
              Hi Lenr.  As per the "before you request help" instructions, I've run Malwarebytes, SUPERAntiSpyware, CCleaner, and HijackThis.  Seems to have fixed the issue but I posted the log files to see if there's something lurking that I've missed.  Thanks for the advice though, it was an excellent program indeed.

              chrisandcami

                Topic Starter


                Greenhorn

                Re: Application cannot be executed.
                « Reply #7 on: August 27, 2010, 10:42:23 AM »
                Virus is dead!  Performing all the tasks described in the "before you request help" section seems to have eradicated the virus from my machine.  I found that a proxy address had been planted in my IE settings.  Once I cleared that, everything's been running perfectly.  THANK YOU Computer Hope for your well written, step-by-step procedures!!!

                2x3i5x



                  Expert
                Re: Application cannot be executed.
                « Reply #8 on: August 27, 2010, 10:47:32 AM »
                Quote from: chrisandcami on August 27, 2010, 10:42:23 AM
                    Virus is dead!  Performing all the tasks described in the "before you request help" section seems to have eradicated the virus from my machine.  I found that a proxy address had been planted in my IE settings.  Once I cleared that, everything's been running perfectly.  THANK YOU Computer Hope for your well written, step-by-step procedures!!!

                I would still have a malware specialist do a double check to be sure your computer is completely clean of said virus  :)

                SuperDave

                • Malware Removal Specialist


                • Genius
                Re: Application cannot be executed.
                « Reply #9 on: August 27, 2010, 12:23:28 PM »
                Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

                1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
                2. The fixes are specific to your problem and should only be used for this issue on this machine.
                3. If you don't know or understand something, please don't hesitate to ask.
                4. Please DO NOT run any other tools or scans while I am helping you.
                5. It is important that you reply to this thread. Do not start a new topic.
                6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
                7. Absence of symptoms does not mean that everything is clear.

                Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                Exit out of MessengerDisable then delete the two files that were put on the desktop.

                *****************************************************

                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
                R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
                O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                O15 - Trusted Zone: http://*.trymedia.com (HKLM)


                Important: Close all open windows except for HijackThis and then click Fix checked.
                Once completed, exit HijackThis.

                ********************************************

                It appears that the complete HJT log was not posted. Please run another scan after doing the above and post the log.

                Download Security Check by screen317 from one of the following links and save it to your desktop.

                Link 1
                Link 2

                * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                * Open the Security Check folder and double-click Security Check.bat
                * Follow the on-screen instructions inside of the black box.
                * A Notepad document should open automatically called checkup.txt
                * Post the contents of that document in your next reply.

                Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                ********************************************
                Download ComboFix by sUBs from one of the below links. 

                Important! You MUST save ComboFix to your desktop

                link # 1
                Link # 2

                Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                Double click on ComboFix.exe & follow the prompts.

                Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

                Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

                When the scan completes it will open a text window.
                 
                Post the contents of that log in your next reply.

                Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

                Windows 8 and Windows 10 dual boot with two SSD's
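
Added example, not part of any post in this thread and not HijackThis's own logic: a small Python triage pass over HijackThis log lines that flags the two patterns discussed above, an Internet Settings `ProxyServer` value pointing at a loopback address and entries marked `(no file)`. The log lines are copied from the log posted in this thread; the function names and the two rules are assumptions chosen for illustration.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")   # e.g. "R1 - ...", "O15 - ..."
PROXY = re.compile(r",ProxyServer = (.+)$")


def proxy_endpoints(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' (all protocols) or a
    ';'-separated list such as 'http=host:port;https=host:port'.
    """
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, addr = part.partition("=")
        if not sep:                      # bare 'host:port' form
            scheme, addr = "all", part
        host, _, port = addr.rpartition(":")
        if not host:                     # no port given
            host, port = addr, ""
        endpoints.append((scheme.lower(), host, port))
    return endpoints


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an IP literal
        return False


def triage(log_text):
    """Return (code, reason, line) for each entry matching a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        code, body = m.groups()
        p = PROXY.search(body)
        if p:
            for scheme, host, port in proxy_endpoints(p.group(1)):
                if is_loopback(host):
                    findings.append((code, f"{scheme} proxy set to loopback {host}:{port}", raw.strip()))
        if body.rstrip().endswith("(no file)"):
            findings.append((code, "entry references a missing file", raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

A loopback proxy is only a lead: browsing through it works only while some local process is listening on that port, so a flagged entry should be checked against what is actually listening before it is cleared.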