
Author Topic: "Application cannot be executed" virus  (Read 9693 times)


actionjackson

    Topic Starter


    Greenhorn

    "Application cannot be executed" virus
    « on: September 14, 2010, 06:40:40 PM »
    A couple days ago I got the "Application cannot be executed" virus. It's a nasty one.

    Now when I click on any file, the error message pops up and says "Application cannot be executed. The file [filename] is infected. Do you want to activate your antivirus software now?"  It even happens when I press ctrl+alt+del.  The task manager is also blocked.

    I can't open any program unless Windows is in safe mode.  But running Malwarebytes, Superantispyware, and Avast while in Windows safe mode still does not kill the virus.

    In a previous topic http://www.computerhope.com/forum/index.php?topic=109403.0, one of the first posts to this thread says to download and run one of the files: Rkill.exe, Rkill.com, Rkill.scr, Rkill.pif.  However, I am not able to download these from the links.  Is this still the preferred method to kill this virus and if so, are those links still good?  Please help.  Thanks.

    Jmckeeco84



      Starter

      Thanked: 1
      Re: "Application cannot be executed" virus
      « Reply #1 on: September 14, 2010, 09:37:19 PM »
      Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.
      « Last Edit: September 15, 2010, 01:18:10 PM by SuperDave »

      actionjackson

        Topic Starter


        Greenhorn

        Re: "Application cannot be executed" virus
        « Reply #2 on: September 15, 2010, 12:37:20 AM »
        Yes, Combofix killed the virus!  I had to do this in Windows safe mode.  Tried running your suggestions in Windows normal mode first but no application could open and it blocked all websites except the ones it directs you to for a sale.

        Avast gave an error while installing, either because it doesn't like Windows safe mode or because it required internet connection.

        When I was desperate, before I started this topic, the only thing I could think of was to delete files updated recently.  So I may have deleted a few Windows files.  Because I got a warning while running Combofix that said I didn't have Windows Recovery Console.  I'll paste the output in another post.

        Thank you so much for helping me out.  Just as there are evil people in this world who create these viruses, there are also good people like you who help to defeat them.

        actionjackson

          Topic Starter


          Greenhorn

          Re: "Application cannot be executed" virus
          « Reply #3 on: September 15, 2010, 12:46:26 AM »
          Here is the output from Combofix.  I believe the virus was called 'rootkit', but not totally sure.

          I uninstalled Malwarebytes and Superantispyware before running Combofix but looks like there were a few left-over files.

          Thanks again.

          ------------------------------------------------------------------------------------------------

          ComboFix 10-09-14.01 - T 09/14/2010  22:49:50.1.1 - x86 MINIMAL
          Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.494.296 [GMT -7:00]
          Running from: E:\ComboFix.exe

          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\docume~1\T\LOCALS~1\Temp\SAS2.tmp
          c:\docume~1\T\LOCALS~1\Temp\SAS3.tmp
          c:\documents and settings\T\Local Settings\Application Data\{BAC4E0D1-FD81-498D-9BB0-CB07B3EF4D5A}
          c:\documents and settings\T\Local Settings\Application Data\{BAC4E0D1-FD81-498D-9BB0-CB07B3EF4D5A}\chrome.manifest
          c:\documents and settings\T\Local Settings\Application Data\{BAC4E0D1-FD81-498D-9BB0-CB07B3EF4D5A}\chrome\content\_cfg.js
          c:\documents and settings\T\Local Settings\Application Data\{BAC4E0D1-FD81-498D-9BB0-CB07B3EF4D5A}\chrome\content\overlay.xul
          c:\documents and settings\T\Local Settings\Application Data\{BAC4E0D1-FD81-498D-9BB0-CB07B3EF4D5A}\install.rdf
          c:\documents and settings\T\Local Settings\Application Data\mdwwdwwew
          c:\documents and settings\T\Local Settings\Application Data\mdwwdwwew\wbgccamuqiw.exe
          c:\documents and settings\T\Local Settings\Temp\SAS2.tmp
          c:\documents and settings\T\Local Settings\Temp\SAS3.tmp
          c:\windows\eyiyimaxeqayofi.dll
          c:\windows\ibd2uELf.dll
          c:\windows\ucepiyepeteroq.dll
          c:\windows\uzebukaqibiyov.dll

          .
          (((((((((((((((((((((((((   Files Created from 2010-08-15 to 2010-09-15  )))))))))))))))))))))))))))))))
          .

          2010-09-14 01:57 . 2010-09-14 01:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2010-09-13 03:30 . 2010-09-13 03:30   2838   ----a-w-   c:\windows\Vkenogiceyi.dat
          2010-09-13 01:38 . 2010-09-13 01:38   --------   d--h--w-   c:\windows\system32\WLANProfiles
          2010-09-13 01:38 . 2010-09-13 01:38   --------   d-----w-   C:\WLANProfiles
          2010-09-13 01:38 . 2010-09-13 01:38   --------   d-----w-   C:\Settings

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-09-15 05:25 . 2010-03-02 07:04   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-20 1957888]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-27 36975]
          "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
          "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
          "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
          "mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
          "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
          "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-07 155648]
          "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
          "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
          "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
          "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
          Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-30 24576]
          Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
          2004-09-07 21:08   110592   ----a-w-   c:\program files\Intel\Wireless\Bin\LgNotify.dll

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "DisableNotifications"= 1 (0x1)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\WINDOWS\\system32\\dpvsetup.exe"=
          "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\Shareaza\\Shareaza.exe"=
          "c:\\Program Files\\Kazaa Lite\\Kazaa.kpp"=
          "c:\\WINDOWS\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

          S2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [8/27/2007 10:23 PM 54272]
          S4 civu;civu;c:\windows\system32\drivers\cyrlqu.sys --> c:\windows\system32\drivers\cyrlqu.sys [?]
          S4 jjkyah;jjkyah;c:\windows\system32\drivers\uuwgh.sys --> c:\windows\system32\drivers\uuwgh.sys [?]
          S4 pkxxfx;pkxxfx;c:\windows\system32\drivers\slrnbxx.sys --> c:\windows\system32\drivers\slrnbxx.sys [?]
          .
          Contents of the 'Scheduled Tasks' folder
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.com/
          uInternet Settings,ProxyServer = http=127.0.0.1:6092
          uInternet Settings,ProxyOverride = <local>
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
          .
          - - - - ORPHANS REMOVED - - - -

          HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
          HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
          HKCU-Run-isaasxpy - c:\documents and settings\T\Local Settings\Application Data\mdwwdwwew\wbgccamuqiw.exe
          HKCU-Run-Yheduxekuvaya - c:\windows\ibd2uELf.dll
          HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
          HKLM-Run-isaasxpy - c:\documents and settings\T\Local Settings\Application Data\mdwwdwwew\wbgccamuqiw.exe
          HKLM-Run-Imohuga - c:\windows\eyiyimaxeqayofi.dll
          HKLM-Run-Malwarebytes Anti-Malware (rootkit-scan) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
          ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
          AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
          AddRemove-Rainbow Sentinel Driver - c:\windows\SYSTEM32\RNBOSENT\SETUPX86.EXE



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-09-14 22:59
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(204)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\windows\system32\WININET.dll
          c:\program files\Intel\Wireless\Bin\LgNotify.dll
          .
          Completion time: 2010-09-14  23:04:41
          ComboFix-quarantined-files.txt  2010-09-15 06:04

          Pre-Run: 8,720,621,568 bytes free
          Post-Run: 9,323,302,912 bytes free

          - - End Of File - - 015ECBDA51E4D0AE97CDF67427316109
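
As an added example (not part of the original post and not ComboFix's own code): a short Python triage of the log above that lists the "ORPHANS REMOVED" startup entries whose target file also appears under "Other Deletions" in the same run, which separates them from leftovers of uninstalled software. It assumes an orphan is a startup entry whose target file no longer exists; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted above, trimmed.
SAMPLE_LOG = r"""
(((((((((((((((   Other Deletions   )))))))))))))))
.
c:\documents and settings\T\Local Settings\Application Data\mdwwdwwew\wbgccamuqiw.exe
c:\windows\eyiyimaxeqayofi.dll
c:\windows\ibd2uELf.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-isaasxpy - c:\documents and settings\T\Local Settings\Application Data\mdwwdwwew\wbgccamuqiw.exe
HKCU-Run-Yheduxekuvaya - c:\windows\ibd2uELf.dll
HKLM-Run-Imohuga - c:\windows\eyiyimaxeqayofi.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
**************************************************************************
"""

# Section banners look like "(((( Name ))))" or "- - - - NAME - - - -".
PAREN_HDR = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DASH_HDR = re.compile(r"^[- ]+([A-Za-z][A-Za-z0-9 ']*?)[- ]+$")

def sections(log):
    """Split a ComboFix log into {lowercased section name: [lines]}."""
    out, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if m:
            current = m.group(1).strip().lower()
            out[current] = []
        elif line.startswith("*****"):
            current = None  # a row of asterisks ends the current section
        elif current and line not in ("", "."):
            out[current].append(line)
    return out

def removed_autoruns(log):
    """Return (location, target) for orphans whose target was deleted in this run."""
    sec = sections(log)
    deleted = {p.lower() for p in sec.get("other deletions", [])}
    hits = []
    for entry in sec.get("orphans removed", []):
        # Split on the LAST " - " because entry names may contain " - " themselves.
        location, sep, target = entry.rpartition(" - ")
        if sep and target.lower() in deleted:
            hits.append((location, target))
    return hits

if __name__ == "__main__":
    print(*removed_autoruns(SAMPLE_LOG), sep="\n")
```

Run against the full log, the same match leaves entries such as the TomTom and Nero orphans out, since their targets are not among the files deleted in this run.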

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: "Application cannot be executed" virus
          « Reply #4 on: September 15, 2010, 03:49:54 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

          Please do not follow the advice from anyone except the specialist on this forum. Can you now boot in Normal Mode and do you have access to the internet?

          Windows 8 and Windows 10 dual boot with two SSD's

          actionjackson

            Topic Starter


            Greenhorn

            Re: "Application cannot be executed" virus
            « Reply #5 on: September 20, 2010, 02:36:47 PM »
            SuperDave,

            I was already able to kill the virus using Combofix, as mentioned in my earlier message.  Thanks.


            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: "Application cannot be executed" virus
            « Reply #6 on: September 20, 2010, 05:28:13 PM »
            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            ******************************************

            P2P - I see you have P2P software installed on your machine: Shareaza and Kazaa Lite. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

            Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

            I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
            ***************************************
            ComboFix should be running from your desktop. There are some things I need to fix and I can't do it when it's installed on your E: drive. Please delete your copy, download another copy and follow the instructions for installation. Please post another log.

            Please download ComboFix from BleepingComputer.com

            Alternate link: GeeksToGo.com

            Rename ComboFix.exe to commy.exe before you save it to your Desktop.
            Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
            Click Start>Run then copy paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
            As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
            Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

            Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

            Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


            Click on Yes, to continue scanning for malware.
            When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

            If you have problems with ComboFix usage, see How to use ComboFix
            Windows 8 and Windows 10 dual boot with two SSD's