Expert: Brian Benosky - 12/23/2008

Question
This is my mother-in-law's computer so I don't know how the computer became infected but I'm pretty sure it is infected. The computer is running Vista Home Premium and it is a AMD X2 4850e.
When the computer starts all of the .exe fail to load and I can't start other .exe files. I can't seem to install a antivirus program to scan the computer either because something is stopping all installations. I can't get to the control panel, do updates, or really do anything but use IE to surf the internet and explore the folders on the computer. I tried to boot in safe mode to laod stuff but can't seem to install anything to remove whatever this computer has. I'm running the Microsoft Malicious Software Removal tool right now but it has not found anything yet. Please help?

Anyway here is my Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:20 PM, on 12/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Windowssystem32taskeng.exe
C:Program FilesHPHP Software UpdatehpwuSchd2.exe
C:Program FilesQwestQuickCarebinsprtcmd.exe
C:Program FilesJavajre1.6.0_07binjusched.exe
C:Program FilesAlwil SoftwareAvast4ashDisp.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesCommon FilesAheadLibNMBgMonitor.exe
C:Windowsehomeehtray.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesPhoTags ExpressPhotags AutoDetect.exe
C:Windowsehomeehmsas.exe
C:Program FilesCommon FilesAheadLibNMIndexStoreSvr.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLLoginProxy.exe
C:UsersCindyDesktopwindows-kb890830-v2.5.exe
c:bdaa83a390dcc05df475bda1493fmrtstub.exe
C:Windowssystem32MRT.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Windowssystem32SearchFilterHost.exe
C:Windowssystem32DllHost.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://qwest.live.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://qwest.live.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://qwest.live.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://qwest.live.com
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Windows Internet Explorer provided by Qwest
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:Program FilesWindows Live Toolbarmsntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:Program FilesWindows Live Toolbarmsntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar2.dll
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [NeroFilterCheck] C:Program FilesCommon FilesAheadLibNeroCheck.exe
O4 - HKLM..Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:Windowssystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:Windowssystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [PCTVOICE] pctspk.exe
O4 - HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [QuickCare2.2] C:Program FilesQwestQuickCarebinsprtcmd.exe /P QuickCare2.2
O4 - HKLM..Run: [OneCareUI] "C:Program FilesMicrosoft Windows OneCare Livewinssnotify.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_07binjusched.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [AppleSyncNotifier] C:Program FilesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 - HKCU..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun
O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:Program FilesCommon FilesAheadLibNMBgMonitor.exe"
O4 - HKCU..Run: [Yahoo! Pager] "C:PROGRA~1Yahoo!MESSEN~1YAHOOM~1.EXE" -quiet
O4 - HKCU..Run: [MsnMsgr] "C:Program FilesWindows LiveMessengerMsnMsgr.Exe" /background
O4 - HKCU..Run: [ehTray.exe] C:WindowsehomeehTray.exe
O4 - HKCU..Run: [WMPNSCFG] C:Program FilesWindows Media PlayerWMPNSCFG.exe
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: Photags AutoDetect.lnk = C:Program FilesPhoTags ExpressPhotags AutoDetect.exe
O8 - Extra context menu item: &Windows Live Search - res://C:Program FilesWindows Live Toolbarmsntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:PROGRA~1JavaJRE16~2.0_0binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:PROGRA~1JavaJRE16~2.0_0binssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:Windowsbdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:Windowsbdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: Qwest Live - {8F5D83B7-4208-4AFA-8CD4-CA33F45B7C0D} - http://qwest.live.com (file missing) (HKCU)
O13 - Gopher Prefix:
O15 - Trusted Zone: *.netzero.com
O15 - Trusted Zone: *.netzero.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:Program FilesYahoo!CommonYinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:Program FilesAlwil SoftwareAvast4ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: NBService - Nero AG - C:Program FilesNeroNero 7Nero BackItUpNBService.exe
O23 - Service: NMIndexingService - Nero AG - C:Program FilesCommon FilesAheadLibNMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:Windowssystem32nvvsvc.exe
O23 - Service: @%systemroot%system32Locator.exe,-2 (RpcLocator) - Unknown owner - C:Windowssystem32locator.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:Program FilesCommon Filessupportsoftbinsprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:Program FilesCommon FilesSupportSoftbinssrc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:Windowssystem32DRIVERSxaudio.exe

--
End of file - 9452 bytes


Answer
Hi Scott

Let's try running a Malwarebytes scan, preferably in Safe Mode.  Please download Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to
o Update Malwarebytes' Anti-Malware
* then click Finish.
* If an update is found, it will download and install the latest version.  Do not run a scan yet.

Restart the computer in Safe Mode by continuously tapping the F8 key on boot until a black screen with a menu appears.  Choose to Start Windows in Safe Mode.  Log on as usual.  Open Malwarebytes and run a Full Scan.

* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.  Save that log and reboot normally.
* Post me that log along with a new HJT log.

Brian