Personal Antivirus- can't run Malwarebyte's Anti-Malware

My Dad somehow picked up the PAV hijacker. Probably came from a Facebook page.

Trying to remove it long-distance was an exercise in frustration. I found the instructions here on how to remove it, and could not accomplish anything.

When he first downloaded Malwarebytes Anti-Malware he was able to save it, but when he clicked on the file mbam-setup.exe file he only got as far as the Microsoft Warning- "Do you want to run this file?". Clicked Run- then nothing.

I had him boot into safe mode, tried to install again, nothing. Had him go to Download.com and download it again (still in safe mode), this time instead of saving it I had him Run the program. It looked like it installed correctly, and it put the Malwarebytes icon on his desktop. But trying to run the actual program does nothing (neither clicking the desktop icon nor clicking directly on mbam.exe in the c:\program files\malwarebytes' anti-malware\ folder).

In summary, Anti-Malware program will not install from the drive in either safe or regular mode.
Anti-Malware when installed will not run- safe or regular mode.

He is using XP home, was running AVG Anti-virus. Please don't ask me to have him do a Hi-jack This! logfile. His computer skills are barely adequate for a 73 year old.

I was going to have him do CTRL-ALT-DEL and look for a running app named pav.exe and try shutting it down, then try to run Anti-Malware again.

After that I have him take the damn pc in to a computer store.

Any help greatly appreciated.

Here is the dds.txt file from my Dad's pc.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Don at 16:09:26.23 on Tue 08/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.76 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PersonalAV\pav.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Don\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://finance.yahoo.com/p?k=pf_2
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: : {a77d3539-581d-450c-9e44-a84c415a6172} - c:\windows\system32\msxmlm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Yahoo! Pager] 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PersonalAV] c:\program files\personalav\pav.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248916099859
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\don\applic~1\mozilla\firefox\profiles\22abejhk.default\
FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/p?k=pf_2
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPAdbESD.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdjvu.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPMAsst41.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-30 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-30 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-30 297752]
S2 gupdate1c9a5b8adef35e;Google Update Service (gupdate1c9a5b8adef35e);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]

=============== Created Last 30 ================

2009-08-14 14:09 61,440 a------- c:\windows\system32\ndisapi.dll
2009-08-14 14:09 24,576 a------- c:\windows\system32\drivers\ndisrd.sys
2009-08-14 13:03 378,880 a------- c:\windows\system32\msxmlm.dll
2009-08-14 13:03 --d----- c:\program files\common files\Uninstall
2009-08-14 13:02 --d----- c:\program files\PersonalAV
2009-08-01 19:42 560,640 a------- C:\Incredible-1.pps
2009-08-01 18:40 --dsh--- c:\documents and settings\don\IECompatCache
2009-07-29 19:09 --dsh--- c:\documents and settings\don\PrivacIE
2009-07-29 19:07 --dsh--- c:\documents and settings\don\IETldCache
2009-07-29 18:58 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-29 18:58 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 18:58 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-29 18:58 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-29 18:58 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-29 18:58 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-29 18:58 --d----- c:\windows\ie8updates
2009-07-29 18:57 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-29 18:56 -cd-h--- c:\windows\ie8
2009-07-29 18:20 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-07-29 18:18 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-29 18:18 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-07-29 18:18 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-07-29 18:18 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-07-29 18:17 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-07-29 18:16 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-07-29 18:16 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-07-29 18:09 23,576 a------- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-08-15 12:16 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 12:16 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-14 18:14 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-08-05 10:50 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 09:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 09:50 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-26 09:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll

============= FINISH: 16:10:06.04 ===============

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

I posted this in the first place-

NO INSTALLER WORKS. CANNOT RUN MALWAREBYTES and apparently can't run Hijack This either. (Can't install).

DDS.SCR worked and surely the info you need was there.

Any other ideas? Why didn't you ask for this in the first place? Could have saved a day and another day of frustration trying to deal with my father working on this.

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\program files\PersonalAV
  c:\windows\system32\msxmlm.dll
  c:\program files\common files\Uninstall
  
  :reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "PersonalAV"=-
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.