System Security won't let anything run

Hello. I browsed around and tried many of the suggestions for ridding my computer of the System Security virus. I downloaded IceSword, malwarebytes, and Hijack This, but was unable to run any of these programs. I am running XP. The virus won't let me run any programs whatsoever - task manager, regedit, and I cannot start up in safe mode, no matter how I try.

Any suggestions? Please and thank you!

Okay, quick update:

I was able to extract IceSword. When I ran it, I followed the prompts to registry, HKEY_LOCAL_MACHINE, all the way through to "Run," where I was supposed to find 2 run commands of random numbers. Instead, I found only one entry of random numbers, and I deleted that. Then I closed IceSword. System Security is still running on my computer.

After continuing to follow advice given to users with my same problem, I rebooted after the IceSword, and downloaded HijackThis, which worked this time. The following is the text I think you asked to see for some others, maybe it will be helpful for me too.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:20 PM, on 6/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\websrvx\websrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\ld08.exe
C:\windows\mstre19.exe
C:\windows\freddy46.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\romeo15.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\windows\romeo15.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre19.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy46.exe
O4 - HKLM\..\Run: [sysberay2] C:\windows\romeo15.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [systgray2] c:\windows\tag12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Auto Detect.lnk = C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe

--
End of file - 7158 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
  O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
  O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
  O4 - HKLM\..\Run: [sysmstray] C:\windows\mstre19.exe
  O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy46.exe
  O4 - HKLM\..\Run: [sysberay2] C:\windows\romeo15.exe
  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
  O4 - HKLM\..\Run: [systgray2] c:\windows\tag12.exe
  O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
  O23 - Service: websrvx - Unknown owner - C:\Program Files\websrvx\websrvx.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Thank you! I did what you said, and I will be posting the log of the MBAM in just a few moments. However, in the meantime, my computer told me that I was running very low on free disk space, so I went to "Add or Remove Programs" to try to delete those that we don't use much. I found an enormous program that is over 1,000 MB big, a game of some kind that my brother installed. I tried to uninstall it, but I get an error that says:

>SetupDLL/SetupDLL.cpp (439)
pAPP:Magic: The Gathering - Battlegrounds
PVENDOR:Atari
PGUID:0C88C4A1-A9D7-4C28-8F06-4C2048765193
$7.1.100.1248
@Windows XP Service Pack 2 (2600) IE 7.0.6000.16791

Setup has experienced an error. Please do the following:
-Close any running programs
-Empty your temporary folder
-Check your Internet connection (Internet-based setups)
Then try to run the Setup again.
Error code: -5001


Do you happen to know what I could do to fix that while I'm letting this malwarebytes scan?

Malwarebytes' Anti-Malware 1.37
Database version: 2285
Windows 5.1.2600 Service Pack 2

6/15/2009 7:38:42 PM
mbam-log-2009-06-15 (19-38-42).txt

Scan type: Quick Scan
Objects scanned: 138419
Time elapsed: 29 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 44
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 45

Memory Processes Infected:
C:\Program Files\websrvx\websrvx.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.zangoclientax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\lmgr180.wmdrmax (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b0eceac-f597-4858-a542-d966b49055b9} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c092742-10fe-4db2-988d-fc71948de70c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7fa8976f-d00c-4e98-8729-a66569233fb5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a16650a9-b065-40ec-bbd1-f8d370d17fb1} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bdddf1a5-51a9-4f51-b38d-4cd0ad831b31} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e43dfaa6-8c16-4519-b022-8792408505a4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1f1e775-1b21-454d-8d38-7c16519969e5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\podmena (Trojan.Downloader) -> Delete on reboot.

Files Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\tag12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\pp10.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\anna.white-0vw8yoglu\local settings\Temp\ron_1244690230.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\alex.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\61N56WB7\pp.10[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\alex.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\BRBG1F5T\install[2].exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\rachel.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\MDF26XPA\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\rachel.white-0vw8yoglu\local settings\temporary internet files\Content.IE5\V07EIXPK\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\program files\Zango\zangoau.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Zango\zango_gdf.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Zango\zango_hpk.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\Zango\zango_kyf_update.dat (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\funwebproducts\screensaver\Images\0043122A.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\websrvx\websrvx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\podmena\podmena.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\romeo15.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\mstre19.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\tgmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\b4657.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\run_1244260023.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\run_1244512209.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\run_1245114762.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122361.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122366.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122378.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122390.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122458.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122710.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122715.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122739.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122807.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro122849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123173.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123193.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123198.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123222.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\ro123290.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\dk39fi4fe.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (Symantec)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

I tried to disable auto protect on symantec, and I'm pretty sure that's what I did, but combo fix warned me that the scanner is still actively running and that this is at my own risk. I went to the website you instructed, and the only information for Symantec AntiVirus Corporate Edition was to disable auto protect, which I have done. Is my computer going to die when I press okay for combo fix to continue running?

Can you do the following in Safe Mode with Networking, (as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the start up menu, select "Safe Mode with Networking", then in this mode, run Combofix, Symantec won't intefere (even if CF says it's still active)

Should I just "x" out of the warning!! box from combo-fix and then restart my computer? Or not touch the box and just try to restart in safe mode?

Press the X and close it, then reboot to safe mode and run it again in safe mode.

No, I cannot run in safe mode with networking. I get a long string of white letters on a black background, with the last one reading:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Drivers\Mup.sys

Yeah, that's what usually happens. You need to give it a minute or so, mup.sys is a pretty big driver.

It's been stuck on mup for almost 5 minutes now (I'm typing this from my laptop, the sick computer is a desktop). Should I continue to give it time?

Mup.sys is still the last line of white letters when trying to boot in safe mode with networking, almost 20 minutes later.

Okay, try running it with Symantec not disabled in normal mode.

Won't that destroy my computer? It made a terrible beeping sound when the warning came up earlier...

New idea, don't run Combofix, we'll use this instead.
Just a scanner, doesn't do anything. I just want to check there is no rootkit, your MBAM log was looking pretty bad.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

DDS (Ver_09-05-14.01) - NTFSx86
Run by Anna at 21:13:58.10 on Mon 06/15/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.349 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anna.WHITE-0VW8YOGLU\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\anna~1.whi\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-us\local\search.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090403.004\naveng.sys [2009-4-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090403.004\navex15.sys [2009-4-3 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 gtermddo;gtermddo;\??\c:\docume~1\alex~1.whi\locals~1\temp\gtermddo.sys --> c:\docume~1\alex~1.whi\locals~1\temp\gtermddo.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

=============== Created Last 30 ================

2009-06-15 20:36 161,792 a------- c:\windows\SWREG.exe
2009-06-15 20:36 155,136 a------- c:\windows\PEV.exe
2009-06-15 20:36 98,816 a------- c:\windows\sed.exe
2009-06-15 20:35 388,608 a------- c:\windows\system32\CF27140.exe
2009-06-15 20:35 --ds---- C:\Combo-Fix
2009-06-15 19:03 --d----- c:\docume~1\anna~1.whi\applic~1\Malwarebytes
2009-06-15 19:03 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 19:03 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 19:03 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 19:03 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-15 16:48 --d----- c:\program files\Trend Micro
2009-06-11 21:45 --d----- c:\docume~1\alluse~1\applic~1\11840934

==================== Find3M ====================

2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

============= FINISH: 21:14:46.60 ===============

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, just let it cure whatever it finds...
  o Now, go to Settings >> Change Settings
  o Go to Actions tab >> under Objects section, change the settings to below
  Infected objects - Cure
  Incurable objects - Report
  Suspicious objects - Report
  o Don't change any other settings
  
• Start the scan again. This time, choose Complete Scan
  
• Click the green arrow button at the right, and the scan will start.
  
• After the scan finished, click Select all
  
• Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  
• When the scan has finished, in the menu, click File and choose Save report list
  
• Save the report to your Desktop. The report will be called DrWeb.csv
  
• Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..
  

The Complete scan is still running - however, at one point I got a popup box that asked me if I wanted to move an object, and I pressed yes on instinct because all the other pop up boxes had asked me if I wanted to "cure?". Am I in trouble?

No, some items Dr.web can cure, some of them it can't.
The log came out pretty good, no rootkits, just a folder that is leftover from system security infection. We can delete that now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
gtermddo

Folders to delete:
c:\docume~1\alluse~1\applic~1\11840934

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Should I do this while my Dr.Web complete scan is running or should I wait until it's finished? It looks like it's only about a quarter of the way finished with the scan, and so far it has found 15 things.

Surprisingly, it just "moved" Combo-Fox.exe

Combo-Fix.exe, I'm sorry

Yeah, some parts inside Combo-Fix are used to stop processes, like malicious processes, etc, so some scanners find parts of Combofix as a "RsikTool" or "HackTool", this is a false claim, false positive.

Oh okay. Should I keep the complete scan running or go ahead and stop it to do the Avenger program?

Let it run first, then when it finishes, do the avenger script.

The Complete scan is still running, almost 5 hours after I started it. Can I stop it before it's completely done? It has scanned over 620000 files

Yes, it if takes too long, stop it.

Hmm, okay, I stopped the scan, and I pressed "cure" as instructed by Origin above, but there is no option for "Report incurable", there are only the 3 he told me not to press.

Okay, leave that and do my avenger script.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gtermddo" deleted successfully.
Folder "c:\docume~1\alluse~1\applic~1\11840934" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Good.
This should be fine now.

Great, thank you so much! I will post my other question about a program that refuses to uninstall in the software forum.

Can I now delete/uninstall all of the programs I downloaded to kill the virus (MBAM, IceSword, HijackThis, Avenger, Combo-Fix)?

Yes, delete or uninstall them.