
Author Topic: Help with this nasty infection....  (Read 7178 times)


southern_boy1975

    Help with this nasty infection....
    « on: May 18, 2009, 10:46:25 PM »
     Hi, my girlfriend uses my laptop a lot and I am not really sure what she has picked up but I am having trouble running or installing just about everything. It does have windows xp with service pack 3. I did go through my programs and removed a few that I did not recognize earlier before I figured out I needed help with this. I have run CCleaner several times already this evening. When this first started I could not run AVG 8.5 or Superantispyware which were already installed on my laptop. After I cleaned up a few programs out of the control panel I was able to re-install AVG and have it do a scan. I have since tried to re-install superantispyware but with not much luck. I have also tried to install Malwarebytes and Hijackthis with no luck as well. Seems everything I was trying to get rid of earlier has just come back again, like when I pull up explorer it just takes me to a warning page to buy some 2009 spyware protect, and I do have a constant (windows security alert) window that will not stop popping up too. I am really just not sure where to begin since I am so limited with everything.

    Thanks for any help in advance....

    BatchFileBasics

      Re: Help with this nasty infection....
      « Reply #1 on: May 18, 2009, 10:53:20 PM »
      start here:
      http://www.computerhope.com/forum/index.php/topic,46313.0.html

      after your posts, a computer hope virus specialist will take action

      southern_boy1975

        Re: Help with this nasty infection....
        « Reply #2 on: May 18, 2009, 11:06:38 PM »
        I would but I can not install anything to create a log with. I have everything downloaded but they will not install or run. All I can do at this point is run ccleaner and avg which seems to not help any. It seems to stop me from doing about everything I need to. I tried most of the list except hijackthis before coming to the forum since I have had such bad luck with one of these before.

        Karnac

          Re: Help with this nasty infection....
          « Reply #3 on: May 19, 2009, 07:00:47 AM »
          Copy the necessary programs to a flash drive and run them from the infected machine's desktop in Safe Mode.


          southern_boy1975

            Re: Help with this nasty infection....
            « Reply #4 on: May 24, 2009, 03:08:28 PM »
            Ok, still can not get SUPERAntiSpyware to run. It is installed but comes up with an "application has encountered a problem and needs to close" error... I have been able to create a log with HijackThis and here it is.

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 4:48:10 PM, on 5/24/2009
            Platform: Windows XP SP3 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16827)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\system32\csrss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\svchost.exe
            C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
            C:\Program Files\Java\jre6\bin\jqs.exe
            C:\WINDOWS\System32\nvsvc32.exe
            C:\PROGRA~1\AVG\AVG8\avgrsx.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\AVG\AVG8\avgcsrvx.exe
            C:\WINDOWS\System32\wdfmgr.exe
            C:\WINDOWS\Explorer.EXE
            C:\WINDOWS\System32\WLTRYSVC.EXE
            C:\WINDOWS\System32\bcmwltry.exe
            C:\Program Files\Internet Explorer\Iexplore.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\WINDOWS\System32\alg.exe
            C:\WINDOWS\System32\DSentry.exe
            C:\Program Files\Dell\Media Experience\PCMService.exe
            C:\Program Files\QuickTime\qttask.exe
            C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
            C:\Program Files\Java\jre6\bin\jusched.exe
            C:\PROGRA~1\AVG\AVG8\avgtray.exe
            C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
            C:\PROGRA~1\MI3AA1~1\rapimgr.exe
            C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            D:\SUPERAntiSpyware 2.exe
            C:\WINDOWS\system32\MSIEXEC.exe
            C:\WINDOWS\System32\msiexec.exe
            C:\WINDOWS\System32\MsiExec.exe
            C:\PROGRA~1\AVG\AVG8\avgnsx.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Program Files\This\HijackThis.exe
            C:\WINDOWS\system32\wbem\wmiprvse.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
            R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
            R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
            F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
            O1 - Hosts: ::1 localhost
            O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
            O1 - Hosts: 94.232.248.66 antivirprotection.com
            O1 - Hosts: 94.232.248.66 www.antivirprotection.com
            O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
            O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
            O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
            O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
            O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
            O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
            O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)
            O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
            O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
            O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
            O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
            O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
            O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
            O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
            O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
            O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
            O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
            O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
            O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
            O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
            O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
            O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
            O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
            O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
            O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144010057572
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187393486500
            O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
            O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
            O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
            O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
            O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
            O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
            O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
            O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
            O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
            O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
            O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
            O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

            --
            End of file - 10112 bytes
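Added example, not from the thread or from HijackThis: a small Python triage over the F2, O1 and O4 line formats of the log above, using a few of its own lines as constructed sample input. It flags what a responder would look at first: extra executables chained onto UserInit, hosts entries that send a hostname to a non-loopback address, and Run entries launched straight from the Windows root. The line formats are as they appear in the posted log; the flagging rules are my assumptions, not HijackThis's.

```python
"""Triage a HijackThis log for the entry types this thread turns on.

Added example, not part of the original thread or of HijackThis. It
parses the F2 (UserInit), O1 (Hosts) and O4 (Run) line formats and
flags: executables chained after userinit.exe, hosts entries mapping a
name to a non-loopback address, and Run entries whose executable sits
directly in the Windows root. The rules are this example's assumptions.
"""
import re

# Constructed sample: a few lines copied from the log posted above plus
# one clean O4 line, so the triage has both hits and non-hits.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}
# An .exe directly under C:\WINDOWS (not in a subfolder) is unusual for a Run entry.
WINDOWS_ROOT_EXE = re.compile(r"(?i)c:\\windows\\[^\\]+\.exe")


def check_userinit(line):
    """Return the executables chained after userinit.exe (empty when clean)."""
    value = line.split("UserInit=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith(r"\userinit.exe")]


def check_hosts(line):
    """Return (ip, name) when a hosts entry points somewhere other than loopback."""
    addr, name = line.split("Hosts:", 1)[1].split()
    return None if addr in LOOPBACK else (addr, name)


def check_run(line):
    """Return (name, path) for a Run entry whose executable lives in the Windows root."""
    if "] " not in line:            # Global Startup lines have no [name] part
        return None
    head, _, cmd = line.partition("] ")
    name = head.split("[", 1)[1]
    cmd = cmd.strip()
    # Quoted path: take what is inside the quotes; otherwise the first token.
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return (name, path) if WINDOWS_ROOT_EXE.fullmatch(path) else None


def triage(log_text):
    """Run every check over a log and return a list of (line_type, finding)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F2 ") and "UserInit=" in line:
            findings.extend(("F2", exe) for exe in check_userinit(line))
        elif line.startswith("O1 "):
            hit = check_hosts(line)
            if hit:
                findings.append(("O1", hit))
        elif line.startswith("O4 "):
            hit = check_run(line)
            if hit:
                findings.append(("O4", hit))
    return findings


if __name__ == "__main__":
    for kind, finding in triage(SAMPLE_LOG):
        print(kind, finding)
```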

            evilfantasy

            • Malware Removal Specialist
            • Moderator
            Re: Help with this nasty infection....
            « Reply #5 on: May 25, 2009, 11:38:26 AM »
            Quote
            D:\SUPERAntiSpyware 2.exe

            Take SUPERAntiSpyware and put it on your C drive desktop then try to install it.

            4everyone

            • Guest
            Re: Help with this nasty infection....
            « Reply #6 on: May 25, 2009, 02:41:33 PM »
            Hi,

            You have this many infected entries. If you can fix these, your issue is fixed. If you find any issues in fixing these, let us know.


            <mod edit>
            « Last Edit: May 25, 2009, 02:42:39 PM by evilfantasy »

            evilfantasy

            • Malware Removal Specialist
            • Moderator
            Re: Help with this nasty infection....
            « Reply #7 on: May 25, 2009, 02:44:06 PM »
            Hello 4everyone.

            We have a strict set of guidelines here at Computer Hope about advising on malware removal. Please see here http://www.computerhope.com/forum/index.php/topic,57605.0.html

            Quote
            If you can fix these, your issue is fixed.

            This is not true. HijackThis is a diagnostics tool and removes some forms of browser hijackers and adware. It is no substitute for an antivirus or antimalware scanner.

            Helpmeh

            Re: Help with this nasty infection....
            « Reply #8 on: May 25, 2009, 02:46:17 PM »
            Hello 4everyone.

            We have a strict set of guidelines here at Computer Hope about advising on malware removal. Please see here http://www.computerhope.com/forum/index.php/topic,57605.0.html
            And also about giving possibly wrong removal tips. You need to be a Malware Removal Specialist so there is no chance of damaging the system further.

            southern_boy1975

              Re: Help with this nasty infection....
              « Reply #9 on: May 25, 2009, 06:33:14 PM »
              Hi, ok I just did... I am still getting a "has encountered a problem and needs to close" error (with a Send or Don't Send option) at startup. Still not sure how to get SUPERAntiSpyware up and running.

              evilfantasy

              • Malware Removal Specialist
              • Moderator
              Re: Help with this nasty infection....
              « Reply #10 on: May 25, 2009, 06:38:12 PM »
              Try this please.

              Try the renamer download for Malwarebytes.

              http://kixhelp.com/wr/files/mb/randmbam.exe

              The randmbam.exe will try to create random names and shortcuts for Malwarebytes' Anti-Malware (MBAM) if you have it installed already.

              If it installs then use this link to download the updates.

              Download Malwarebytes' Anti-Malware Database - GT500.org

              Just download it to the desktop and run the exe.

              Now scan and post the log from Malwarebytes.

              • Select "Perform Quick Scan", then click Scan.
              • The scan may take some time to finish, so please be patient.
              • When the scan is complete, click OK, then Show Results to view the results.
              • Make sure that everything is checked, and click Remove Selected.
              • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
              • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
              • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

              Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

              southern_boy1975

                Re: Help with this nasty infection....
                « Reply #11 on: May 25, 2009, 06:58:00 PM »
                Hi, I have been unable to install MBAM as well. I tried before my first post and just tried several times again. The renamer works but since I can not install MBAM, it finds nothing.

                evilfantasy

                • Malware Removal Specialist
                • Moderator
                Re: Help with this nasty infection....
                « Reply #12 on: May 25, 2009, 07:02:16 PM »
                Quote
                The renamer works but since I can not install MBAM, it finds nothing.

                It works but it doesn't work?

                Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

                * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
                * Search for any of the following:
                * Important! The letters can appear in either upper case or lower case letters.

                - UACd.sys <- Or anything beginning with UAC
                - gaopdxserv.sys <- Or anything beginning with gaopd
                - gxvxcserv.sys <- Or anything beginning with gxvx
                - Seneka.sys <- Or anything beginning with Seneka
                - clbdriver.sys <- Or anything beginning with clbdriver
                - TDSSserv.sys <- Or anything beginning with TDSS
                - ovfst.sys <- Or anything beginning with ovfst

                * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
                * Now restart the computer and see if you can run the scans that would not run.
                * Let me know if you found them or not.

                southern_boy1975

                  Re: Help with this nasty infection....
                  « Reply #13 on: May 25, 2009, 07:19:44 PM »
                  Hi sorry, it worked to the point of this message

                  Error: Unable to locate the Malwarbytes program
                  You may need to try to download and install it again from a known good source.

                  I did not see any of what you listed under Non-plug and Play Drivers either.

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator
                  Re: Help with this nasty infection....
                  « Reply #14 on: May 25, 2009, 07:53:01 PM »
                  Try this please.

                  Download ComboFix by sUBs from one of the below links.

                  Link #1
                  Link #2

                  Combofix MUST be saved to the desktop.
                   
                  Close all other browser windows.
                   
                  Go to Start > Run and copy/paste in the following text:

                  "%userprofile%\desktop\combofix.exe" /killall

                  Press Enter and ComboFix will begin to run.
                   
                  When finished, it will produce a log file located at C:\ComboFix.txt
                   
                  Post the contents of that log in your next reply.

                  Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall.