GeekPolice
AntiVirus System Pro won't let me run any program

Hi,
I tried to use your guide, but Antivirus System Pro won't let me:
-kill any process;
-run any program;
-open Windows Explorer.
My Firefox seems to be the only program I can use. Whenever I try to run anything else, a popup message says "Your file... is infected."
I tried to download HijackThis; it came up as winlogon.scr, which is listed as a "screen saver". But I don't know if that's what it was meant to be or if the virus intercepted the real download. When I try to run it via Start>Run and then browse to winlogon.scr, nothing happens (no program opens) and their popup says winlogon is infected and can't be executed.
Also, I do have Malwarebytes, but it won't let me open it either.
Any help is appreciated.
Lzr

Last edited by lzr on 26th November 2009, 2:00 am; edited 1 time in total (Reason for editing : Providing more detailed info)

Re: AntiVirus System Pro won't let me run any program

Let's try this.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here; use more than one post if needed.

Re: AntiVirus System Pro won't let me run any program

Hi,
It won't let me run it either - the same "file infected" popup message.
By the way, to be sure I understood you correctly: you said to download it to my desktop. I downloaded it to my hard disk and then, from the My Computer menu, dragged the icon to the desktop. Is that correct?
Also, I apologize: I edited my original message before I noticed your reply.
Thanks for replying so quickly.
Lzr
P.S. Correction: I've figured out how to download it directly to the desktop, but the result was the same - it won't let me run it.

Last edited by lzr on 26th November 2009, 2:28 am; edited 1 time in total (Reason for editing : Additional info)

Re: AntiVirus System Pro won't let me run any program

Hi again,
Just wanted to let you know that, having done more searching, I came across a program, rkill.com, at http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-pro that is able to end the Antivirus Pro process while it's running. I downloaded it to my desktop and double-clicked on it probably half a dozen times - apparently it kills one process at a time. Every time I clicked on rkill.com, the "file is infected" box popped up, but apparently it did not stop this tool. In the end it ended the entire virus program, and I was then able to run Malwarebytes, which removed the remaining files.

Re: AntiVirus System Pro won't let me run any program

Can you post the MBAM log?

Re: AntiVirus System Pro won't let me run any program

Belahzur wrote:
Can you post the MBAM log?


I have several logs. After I ran it for the first time, I updated MBAM and re-ran it. Finally, I ran it one more time as a Full scan. Every time something new was found.
1st Log:
Malwarebytes' Anti-Malware 1.40
Database version: 2700
Windows 5.1.2600 Service Pack 3

11/25/2009 10:50:53 PM
mbam-log-2009-11-25 (22-50-53).txt

Scan type: Quick Scan
Objects scanned: 115153
Time elapsed: 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\My Downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Not selected for removal.

2nd Log after updating MBAM:
Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 3

11/25/2009 11:14:13 PM
mbam-log-2009-11-25 (23-14-13).txt

Scan type: Quick Scan
Objects scanned: 129612
Time elapsed: 12 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\My Downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Not selected for removal.

3rd Log (Full scan):
Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 3

11/26/2009 10:42:17 AM
mbam-log-2009-11-26 (10-42-17).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 217248
Time elapsed: 1 hour(s), 19 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{C54D542A-3C44-4CA3-B6C4-A3019B8A3F78}\RP1129\A0122722.exe (Adware.Mongoose) -> Quarantined and deleted successfully.
C:\My Downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
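The logs above show why reading the action column matters: the same file was flagged twice as "Not selected for removal" before the third scan quarantined it. As an added example (not from the thread or from Malwarebytes), here is a small Python parser for the MBAM 1.4x log layout shown above that extracts the per-category detections, lists the ones that were left in place, and cross-checks the declared counts against the items actually listed. The sample log is constructed from the first post's log, abridged.

```python
import re
from dataclasses import dataclass

# Constructed sample in the MBAM 1.4x layout seen in the thread (abridged).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2700
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 115153
Time elapsed: 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\My Downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Not selected for removal.
"""

@dataclass
class Detection:
    category: str   # e.g. "Files Infected"
    item: str       # registry key, path, etc.
    name: str       # detection name in parentheses
    action: str     # what MBAM did, trailing period stripped

HEADER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
META_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<val>.+)$")

def parse_mbam_log(text):
    """Return (metadata dict, list of Detection) for one MBAM log."""
    meta, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        m = HEADER_RE.match(line)
        if m:                       # section header such as "Files Infected:"
            category = m.group("cat")
            continue
        m = ITEM_RE.match(line) if category else None
        if m:                       # "item (Name) -> action." inside a section
            detections.append(Detection(category, m.group("item"),
                                        m.group("name"), m.group("action")))
            continue
        m = META_RE.match(line)     # "Key: value" summary lines
        if m:
            meta[m.group("key")] = m.group("val")
    return meta, detections

def unresolved(detections):
    """Detections MBAM reported but did not quarantine or delete."""
    return [d for d in detections if not d.action.lower().startswith("quarantined")]

def count_mismatches(meta, detections):
    """Declared per-category counts that disagree with the items listed."""
    found = {}
    for d in detections:
        found[d.category] = found.get(d.category, 0) + 1
    return {k: (int(v), found.get(k, 0)) for k, v in meta.items()
            if k.endswith("Infected") and v.isdigit() and int(v) != found.get(k, 0)}
```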

Re: AntiVirus System Pro won't let me run any program

Can you run DDS now?

Re: AntiVirus System Pro won't let me run any program

Belahzur wrote:
Can you run DDS now?

Yes, I've already run it after my first quick MBAM scan:

DDS (Ver_09-11-24.02) - FAT32x86
Run by rozen_l at 22:55:58.30 on 11/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.114 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {1A1D45B4-C020-4270-A47E-8FC675FFEDD1}

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k eapsvcs
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Lotus\Notes\nsd.exe
C:\Lotus\Notes\nslsvice.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\rozen_l\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://finance.yahoo.com/mo?u
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://store.adobe.com/WebObjects/WEC?pageID=RegMp1&awe_301001&platformCode=WIN&version=5.0&nameCode=ACRO&languageCode=USENGLIS&systemCode=AOLN
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Desktop Search Capture: {7c1ce531-09e9-4fc5-9803-1c2956615786} - IeCaptureBho Object
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: &Google Notebook: {ccccccd3-666f-4f81-8b69-745de9f6d897} - c:\program files\google\google notebook\gnotes1.0.2.19-1224530676.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1224530676.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Google Notebook: {ccccccdb-4ddb-4703-95d4-dd2c526397bf} - c:\program files\google\google notebook\gnotes1.0.2.19-1224530676.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [IS Inventory] c:\program files\inventory\inventory.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [Proxy Auto] c:\program files\is apps\proxyauto\proxyauto.exe
mRun: [QCRRUpdate] c:\sql\QCRRUPDATER.EXE
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: Note this (Google Notebook) - c:\program files\google\google notebook\gnotes1.0.2.19-1224530676.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\google\google notebook\gnotes1.0.2.19-1224530676.dll/gn_menu2.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: career.org\*.edu
Trusted Zone: digitalpoint.com\www
Trusted Zone: directtrack.com\datamark
Trusted Zone: directtrack.com\schoolclick
Trusted Zone: encryptedprocessing.com\ssl
Trusted Zone: godaddy.com
Trusted Zone: godaddy.com\idp
Trusted Zone: godaddy.com\mya
Trusted Zone: google.com
Trusted Zone: google.com\www
Trusted Zone: google.com \maps
Trusted Zone: secureserver.net\ecc
Trusted Zone: secureserver.net\email
Trusted Zone: secureserver.net\hostingmanager
Trusted Zone: secureserver.net\p3slhsccweb
DPF: Web-Based Email Tools - hxxp://email01.secureserver.net/Download.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://mailer.transdev.com/iNotes6W.cab
DPF: {3D29D4FC-1A26-4082-81B8-4F0746FCA4D2} - hxxp://qos.doubleclick.net/browsersettingscommon/Settings.cab
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxp://mailer.transdev.com/dwa85W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/mail/ymmapi.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rozen_l\applic~1\mozilla\firefox\profiles\6f4u2bzk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/mo?u
FF - component: c:\documents and settings\rozen_l\application data\mozilla\firefox\profiles\6f4u2bzk.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnipp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2004-10-11 34671]
R1 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMouse.SYS [2005-1-13 17251]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\lotus\notes\nsd.exe -svcinvoke -ini "c:\lotus\notes\notes.ini" --> c:\lotus\notes\nsd.exe -svcinvoke -ini c:\lotus\notes\notes.ini [?]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2007-8-15 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-8-15 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-8-15 307984]
S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2005-1-13 29329]
S3 TmPfw;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-3-28 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-3-28 652552]

=============== Created Last 30 ================

2009-11-23 15:00:02 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-23 15:00:02 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-23 15:00:00 267776 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-23 14:59:59 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2009-11-23 14:59:59 383488 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2009-11-23 14:59:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-11-23 14:59:57 991232 ------w- c:\windows\system32\dllcache\ieframe.dll.mui
2009-11-23 14:59:57 2455488 ------w- c:\windows\system32\dllcache\ieapfltr.dat
2009-11-23 14:59:53 6066688 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-08 02:59:12 0 d-sh--w- C:\FOUND.018
2009-10-30 14:22:50 0 d-sh--w- C:\FOUND.017
2009-10-27 17:16:58 0 d-----w- c:\docume~1\rozen_l\applic~1\LPC
2009-10-27 17:09:08 0 d-----w- c:\program files\Softnik Technologies

==================== Find3M ====================

2009-09-25 05:37:10 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:10 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-10 15:55:02 2968576 ----a-w- c:\windows\QCRR32.dll

============= FINISH: 22:57:04.29 ===============

Re: AntiVirus System Pro won't let me run any program

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\FOUND.***

  • Return to OTMoveIt, right-click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: AntiVirus System Pro won't let me run any program

It's getting intriguing... Here is the OTM log:
========== FILES ==========
C:\FOUND.017 folder moved successfully.
C:\FOUND.016 folder moved successfully.
C:\FOUND.018 folder moved successfully.
C:\FOUND.000 folder moved successfully.
C:\FOUND.001 folder moved successfully.
C:\FOUND.002 folder moved successfully.
C:\FOUND.003 folder moved successfully.
C:\FOUND.004 folder moved successfully.
C:\FOUND.005 folder moved successfully.
C:\FOUND.006 folder moved successfully.
C:\FOUND.007 folder moved successfully.
C:\FOUND.008 folder moved successfully.
C:\FOUND.009 folder moved successfully.
C:\FOUND.011 folder moved successfully.
C:\FOUND.010 folder moved successfully.
C:\FOUND.012 folder moved successfully.
C:\FOUND.013 folder moved successfully.
C:\FOUND.014 folder moved successfully.
C:\FOUND.015 folder moved successfully.

OTM by OldTimer - Version 3.1.2.0 log created on 11272009_073749

Re: AntiVirus System Pro won't let me run any program

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?

Re: AntiVirus System Pro won't let me run any program

It's running fine, thanks. Did OTM remove some pest files missed by MBAM?

Re: AntiVirus System Pro won't let me run any program

Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic. -Doctor Inferno
