please help - Antivirus Live/Antivirus System Pro

so my computer has been running great since you started helping me, but for some reason last night, the virus came back. Now my desktop background also changes to some different colors and has a big security warning in the middle of it. When i log in to my computer, i get a warning saying my computer has a worm called netsky or something. I wasnt able to do the security check, and i didnt want to do anything before making sure it was ok first. I was able to get a hijack this log if it helps. I also have a question, since i have to run hijack this before the virus kicks in, will it be missing anything important in the log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:38 AM, on 12/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\winlogon86.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Documents and Settings\Anthony\Local Settings\Application Data\pdvqtj\civssysguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\smss.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\kzffyy23nw.exe
C:\Documents and Settings\Anthony\Local Settings\Application Data\pdvqtj\civssysguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Documents and Settings\Anthony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: C:\WINDOWS\system32\md2092f86.dll - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\md2092f86.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [StartServiceNMDECMPM] C:\Documents and Settings\Anthony\Local Settings\Application Data\NMDECMPM\StartService.exe
O4 - HKLM\..\Run: [ngqbbvca] C:\Documents and Settings\Anthony\Local Settings\Application Data\pdvqtj\civssysguard.exe
O4 - HKLM\..\Run: [pafulomip] Rundll32.exe "c:\windows\system32\tipifipo.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\Anthony\ntload.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\Anthony\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\Anthony\LOCALS~1\Temp\kzffyy23nw.exe
O4 - HKCU\..\Run: [ngqbbvca] C:\Documents and Settings\Anthony\Local Settings\Application Data\pdvqtj\civssysguard.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CE61BE-37D9-4C95-8031-F02ABCFDCCB3}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.254
O20 - AppInit_DLLs: busareki.dll
O20 - Winlogon Notify: kbupdate - C:\WINDOWS\SYSTEM32\kbupdate.dll
O21 - SSODL: tofikovif - {0f0303d7-b313-46f0-a824-7da248cc9dea} - c:\windows\system32\tipifipo.dll
O22 - SharedTaskScheduler: gar873hruefrh87w3hjinhef87w3h7dfd - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - C:\WINDOWS\system32\md2092f86.dll
O22 - SharedTaskScheduler: jugezatag - {0f0303d7-b313-46f0-a824-7da248cc9dea} - c:\windows\system32\tipifipo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10231 bytes

Please download the Kaspersky AVP Tool from Kaspersky-labs.com.

• Save it to your desktop.
  
• Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  
• Double click the setup file to run it.
  
• Click Next to continue.
  
• It will by default install it to your desktop folder.Click Next.
  
• Hit ok at the prompt for scanning in Safe Mode.
  
• It will then open a box There will be a tab that says Automatic scan.
  
• Under Automatic scan make sure these are checked:
  
  
  • System Memory
    
  • Startup Objects
    
  • Disk Boot Sectors.
    
  • My Computer.
    
  • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

• Then click on Scan at the to right hand Corner.
  
• It will automatically Neutralize any objects found.
  
• If some objects are left un-neutralized then click the button that says Neutralize all
  
• If it says it cannot be Neutralized then chooose The delete option when prompted.
  
• After that is done click on the reports button at the bottom and save it to file name it Kas.
  
• Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

i got the kapersky tool on the desktop but my computer wont run in safe mode. When i choose to, i get a blue screen that says a problem has been detected and windows has been shut down to protect my computer

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.



Set it to Maximum



IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Here is the url of the report. Also, when i turned my computer, Anti-virus Pro or whatever was gone and i was able to run programs for some reason. My desktop was still changed though and i was getting some bad pop-ups.

http://www.getsysteminfo.com/read.php?file=dc8c70b4e5b3019410cc4f7116951c40

Please download Cheetah Anti-Rogue: Malware Removal Tool, by me, and save to your Desktop: randomly named DOWNLOAD: KillASP.bat from MediaFire.

Once on the Desktop, double-click it to run. It will complete its process shortly, and may take 1-3 minutes. The screen will be black, and will not look like it is doing anything - this is normal. It will launch a Notepad file: Cheetah.txt.

Please post the results of it in your next reply.

Hey, I downloaded and ran the file, but my screen didnt turn black or anything, and the text file that came up wasn't called cheetah.txt, so im not sure if this is the log, but here it is.

I was thinking that i didnt do the right thing, so i tried again and got this

Cheetah Anti-Rogue: Malware Removal Tool

Microsoft Windows XP [Version 5.1.2600]
Mon 12/14/2009 0:17:48.68


-- Objects infected --

C:\Documents and Settings\Anthony\Local Settings\temp\781.exe (Heuristic.Virus.781)
C:\Documents and Settings\Anthony\Local Settings\temp\753570442.exe (AntivirusSystemPro.RGE)
C:\Documents and Settings\Anthony\Local Settings\temp\724820442.exe (AntivirusSystemPro.RGE)
C:\Documents and Settings\Anthony\Local Settings\temp\624976692.exe (AntivirusSystemPro.RGE)
C:\Documents and Settings\Anthony\Local Settings\temp\3827476692.exe (AntivirusSystemPro.RGE)
C:\Documents and Settings\Anthony\Local Settings\temp\0.7055475.exe (AntivirusSystemPro.Trj-Downloader)
C:\Documents and Settings\Anthony\Local Settings\temp\kzffyy23nw.exe (AntivirusLive.RGE)
C:\WINDOWS\Temp\4278726692.exe (AntivirusSystemPro.RGE)
C:\WINDOWS\system32\BtwSrv.dll (Trj.BTWSRV)
C:\WINDOWS\system32\crt4.dll (Trj.FakeAV and Adw.SaveNow)
C:\WINDOWS\system32\winlogon86.exe (HEUR:::Trj.FakeAV)
C:\WINDOWS\system32\winupdate86.exe (HEUR:::Trj.FakeAV)
C:\WINDOWS\system32\xm1985.dll (Trj.MsWerr)
C:\WINDOWS\bnetunin.exe (HEUR:::AntivirusSystemPro.RGE)
C:\WINDOWS\system32\lsm32.sys (Trj.VB)
C:\WINDOWS\Temp\debug.exe (Trj.FakeAlert)
C:\WINDOWS\Temp\spoolsv.exe (Trj.FakeAlert)
C:\WINDOWS\Temp\smss.exe (Trj.FakeAlert)
C:\WINDOWS\system32\wewusigo.dll (AntivirusSystemPro.RGE)
C:\WINDOWS\system32\penipure.dll (AntivirusSystemPro.RGE)
C:\WINDOWS\system32\sonosuje.dll (AntivirusSystemPro.RGE)
C:\WINDOWS\diabswun.exe (Trj.FakeAV)


-- Objects removed --

C:\WINDOWS\system32\BtwSrv.dll
C:\WINDOWS\system32\crt4.dll
C:\WINDOWS\system32\winlogon86.exe
C:\WINDOWS\system32\winupdate86.exe


-- Trojan Orphans removed --

C:\WINDOWS\system32\6to4v32.dll


EOF

Please re-run Kaspersky Get System Info as above, and post a new URL. I need to do a final check of those files, and see what is up.

here is the url for the new report.

http://www.getsysteminfo.com/read.php?file=290d8f29a4a1c44e0557fa28e4580cd6

Please run Trend Micro Housecall online scan.

• Click Scan now.
  
• Read and put a Check next to Yes I accept the terms of use.
  
• Click the Launching HouseCall>> button.
  
• If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  
• You may receive a Security Warning about the TrendMicro Java applet, click YES.
  
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  
• Please be patient while it installs, updates, and scans your system.
  
• Once the scan is complete, it will take you to the summary page.
  
• Under Cleanup options, choose clean all detected infections automatically.
  
• Click the Clean now>> button.
  
• If anything was found you may be prompted to run the scan again, you can just close the browser window.

i cant run the online scan because my computer wont let me run internet explorer. I can get to the site, but by the time i get there, the antivirus pro blocks me from doing anything else. should i run combofix again? because the last time i did, everything seemed to be normal and i was able to access the internet

Go ahead, and post a new log.

alright, i ran combofix and it went through everything fine. after it rebooted my computer, an error message popped up saying that notepad.dll couldnt run because it could not be found. My screen is showing the blue command box saying not to run any programs until combofix is finished, and it has been like this for about ten minutes. what should i do?

Download Notepad ++ from here: http://notepad-plus.sourceforge.net/uk/download.php

Use the Binary file, download and install.

Then, follow the information on how to replace Notepad.

Lastly, run ComboFix again, and see if that error message pops up.