Trojan creating popups and blocking installations

Status
Not open for further replies.

Klykyl

Trojan creating popups and blocking installations - Desperate Need of Help

I currently am using Windows XP. I am using plain old Windows Firewall, and my virus scanners are AVG Free Edition and Spybot, and that is all I know.
I got a Trojan Horse last night and I cannot follow your 8-Step rules because it is blocking me from downloading CCleaner and HijackThis. I haven't tried to download any other programs because I can tell from the two failures it won't work.
I get this message each time I try to install:
"C:\Document and settings\KELLY\Desktop\HJTsetup.exe is not a valid Win32 application"


Here is what AVG found:
(These were found in the C:\WINDOWS\system32\ area)
Trojan horse SHeur.KZU
Trojan horse SHeur2.KZU
Trojan horse Generic12.BABB
Trojan horse Generic12.BAAZ
Trojan horse SHeur2.KZU
Trojan horse Generic12.AYYR
(Found in C:\System Volume Information\_restore{)
Trojan horse SHeur2.KZU
Trojan horse Generic12.AYYR

I am willing to do anything to this computer to get it fixed. Except spend money because that's not something I can do.
If someone can tell me how to fix the error blocking me from downloading, then I will do the 8 steps.

Update:

My Windows updates have been shut off and I have been getting popups of, well, something saying that Windows found a virus and to click here to use the Windows scanner. And it happened again with another "supposed scanner", but this time it didn't look like my "My Computer" screen. I shut down the computer about 10 seconds after I saw that come up, but other things could have happened to my computer that I don't know about because I left it on for 9 hours unattended. Also, right before the second "scanner" came up, Windows said in one of those tan popup windows in the corner that it detected a virus and needs to scan. Then a minute after that the second scanner came up and started scanning immediately.



I put what AVG found as an attachment, including all of what was found before that I had listed.
 

Attachment: 33z4fq0.png
Please use a flash drive to download Malwarebytes, SuperAntispyware and HijackThis. Then run the programs on the infected computer per the directions HERE.
 
Okay, I did the 8 steps. But I infected my flash drive in the process; should I attach the scans I did on it or no?

I also couldn't do step #6 because I still can't install anything and I couldn't put it on the flash drive.
 
You are running two antivirus programs- AVG and Symantec. Decide which you want to keep and remove the other. If you decide to remove the Symantec/Norton program, use this Norton Removal Tool.

Step 6 is the Java update. It can be done later.

Do NOT use System Restore. Malware is in the restore points. We will have you drop those after the cleaning.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {54A31C17-8C24-49D7-A609-C42E453E61F9} - (no file)
O2 - BHO: (no name) - {ca266ed7-fd62-4ae9-8b1b-daff86fc87df} - (no file)
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into Safe Mode.

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK kiw entry> Apply> OK.

Open IE> Tools> Manage Add-ons> find the kiw entry and click to highlight> Disable

View> Toolbars> click on kiw Toolbar> UNCHECK

Control Panel> Add/Remove Programs> UNCHECK any kiw related entry.

Reboot into Normal Mode. NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Please UPDATE and rescan with both Malwarebytes and Superantispyware, follow with new scan with HijackThis. Attach all three logs.
 
As long as I've had this computer I didn't know I had Norton.
I'll do the steps later today, thank you :)
 
It was probably pre-loaded on the computer. It's always a good idea to look for the pre-loads and remove those you won't need or use.
 
How do I reboot in safe mode? I've never done it before..

And do I do that Start> blah blah blah> blah blah blah
after I reboot in safe mode?
 
I put my computer in safe mode after I figured it out.. But I couldn't find anything that said kiw.. Is that an abbreviation for something? I couldn't find one thing.. Not even an extra toolbar on Internet Explorer..

So what is the kiw?
 
Gave you four things to do and left out the most important!!

Open Internet Explorer> Tools> Manage Add-ons. Since 'Kiw' is an O16 entry in the HijackThis log, it means it's an ActiveX object. So look for either CabBuilder or kiw> highlight> Disable.

McAfee identifies Kiw as a Trojan. You can find further description HERE.

Did AVG quarantine the entries it found? Did you delete them? If Yes:

Please run the Kaspersky online scan:
Open Kaspersky Online Scanner in Internet Explorer HERE.
* Click Accept and the web scanner will begin to load
* If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
* You will be prompted to install an ActiveX component from Kaspersky, click Install
* If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT and then Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start to scan your system.
* Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
Follow this with new scan with HijackThis. Please attach both the Kaspersky report & HJ log.

Give me a description of what is happening on your system. Are you still getting pop-ups? What? Can you now install? Anything else?
 
I looked all over for cab and kiw. I didn't find a thing, I swear; I spent half an hour checking and rechecking. Either I'm really stupid or it disappeared. I looked for it in safe mode and in regular. So I apologize if I'm causing you too much trouble by not finding this thing; it just isn't there when I look for it. Sorry. I wouldn't know if I could find it somewhere else either; I don't know much about any of that, too young to have experienced all of that.


Currently my computer, as far as I can tell, is moving faster than it has in at least 2 years. Which is great and all, but I still can't install any programs. I still get the error, and on startup when I load to my desktop I get a black box.. I have a SS of it as an attachment below.
But other than that I don't have any more pop-ups or weird scanners I never had show up on my computer. Which makes me very happy.

Here are the logs
 
Okay, I missed this first time around. You need to temporarily disable the Spybot S&D TeaTimer while we run the scans:

SPYBOT TEATIMER
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
The image you left shows the Command screen. You don't install from the Command screen. Let's walk through this:
You're going to update Java:
1. You go to this site: https://www.techspot.com/downloads/6463-java-se.html
2. You click on Windows XP/Vista/2000/2003 Online * for the download.
3. You select Save and save the setup to your Desktop

At what point does the black Command screen come up?

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {0230dfd8-7806-4ea9-ad6a-489cae9842f4} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot .

ClamWin has a free virus scanner for flash drive. See if you can download it from here to the flash drive:
http://portableapps.com/apps/utilities/clamwin_portable

You will have to manually activate the scan.

Please give me an exact description of what you are trying to download and at what point the Command screen comes up. Your download process should be: click on Download> Save to Desktop. You do NOT want to run the program from the download screen.

There is another program you need to run but I need to know about the ability to download first.
 
I can answer a few questions. The Command screen comes up when I'm loading my desktop; that's the only time.

And it turns out I can download. I just tried putting down new files, Java and Windows Live; they both work. The old installation files won't work though, so that's probably why I never noticed that it was fixed. Sorry. My fault.

I'll follow your directions when I get home.
 
The Command screen comes up when I'm loading my desk top thats the only time.
Are you typing something in? Don't.

Follow the instructions I left in my last post>> important that you disable Teatimer.

Then download SDFix:

* Download SDFix HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

Rescan with HijackThis and attach new log with SDFix report.
 
I did everything you told me to do, but now my Internet connection is gone (I am hardwired to the computer with the router) and I can't even connect wirelessly to the neighbours; the settings aren't there.

And my Windows settings are gone, like my current theme is Classic, not XP; they are completely gone.

Do I do a system restore or no? Will that not help? I know nothing about Internet connection; my dad did everything, and he doesn't know about my current computer issues.

Oh, and I do have the logs for everything, but because I infected my flash drive a few days ago I'm not sure if I should plug it into this computer; I don't wanna give this one a virus. I do have another flash drive but I don't want to infect that one, since I only have 3.


Edit:
I got a nifty idea and thought to put my computer in safe mode with networking. Looks like it works. So I am thinking that scan disabled something it shouldn't have. Here are my logs.
 
We need to stop as much as possible from starting on boot. There are a lot of useless processes loading, many of which I doubt you even know about!

Please re-open HiJackThis> click on System Scan Only and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dollwar.com/
(This site is down- no reason given. Check to have HijackThis remove):
O2 - BHO: (no name) - {0230dfd8-7806-4ea9-ad6a-489cae9842f4} - (no file)
Still coming back. Cannot ID.
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - ((Checkers Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - ((UnoCtrl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - ((MessengerStatsClient Class)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - (Minesweeper Flags Class)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Stopping Startups:
1. Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK each of the following if present:
Camera:
Kodak EasyShare software (EasyShare.exe)
KODAK Software Updater (Updater.exe)

HP Scheduler (HP Software Update)
HP Digital Imaging Monitor (hpqtra08.exe)
Google Desktop Search
Adobe Reader (Reader_sl.exe)

Dell Support:
dsca.exe
DSAgnt.exe
sprtcmd.exe

3 media players:
Quick Time (qttask.exe)
WinAmp
Musicmatch
Changing Service Startup Type:
2. Start> Run> services.msc> change Startup type for each Service below as instructed. To do this> right click on the Service> Properties:
Change Startup type to Manual:
O23 - Service: GEARSecurity - GEAR Software -
O23 - Service: SupportSoft Sprocket Service (sprtsvc_dellsupportcenter)
O23 - Service: Adobe LM Service
O23 - Service: DSBrokerService (brkrsvc.exe)
O23 - Service: Google Desktop Manager
O23 - Service: Google Updater Service (gusvc) -
Change the following to Disabled:
O23 - Service: Java Quick Starter (JavaQuickStarterService)>> Disable
When through, reboot into Normal Mode> Close the nag message after checking 'don't show message again'. Stay in Selective Startup.

Active X:
3. Open IE> Tools> Manage add-ons> Look for each of the following> highlight> disable:
(Checkers Class)
(UnoCtrl Class)
(MessengerStatsClient Class)
(Minesweeper Flags Class)
(These are the O16 entries we removed)

When through, please run a new scan with HijackThis and attach log.
Let me know what problem still exist and if the original problems have been resolved.

NOTE: taking a process off of Startup does not mean you can't use it. You will start it manually when you need it. For instance, why drag EasyShare around with you all day when on some days you might not even use the camera?! Same for HP Digital Imaging.
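A small triage helper, added here as an example; it is not something any participant in this thread posted, nor part of HijackThis itself. It reads log lines in the format quoted in this thread and reports the kinds of entries the helper kept asking to have fixed: O2 BHOs registered with "(no file)", O9 buttons with "(file missing)", O16 DPF ActiveX downloads, O4 startup shortcuts whose target is "?", and an R0/R1 start page that is not on a list of expected home pages. The sample log is constructed from lines quoted above plus one made-up benign BHO with a placeholder CLSID; the start-page allowlist is an assumption for the example. It only reports; it changes nothing on the machine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed for this example: home pages the owner actually chose.
# Anything else in an R0/R1 "Start Page" entry is reported.
EXPECTED_START_HOSTS = {"www.google.com", "www.msn.com"}

# Constructed sample log: the R0/O2/O4/O9/O16 lines are the ones quoted in
# this thread; the "Example Helper" BHO is made up, with a placeholder CLSID,
# to show a healthy entry that should NOT be reported.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dollwar.com/
O2 - BHO: (no name) - {0230dfd8-7806-4ea9-ad6a-489cae9842f4} - (no file)
O2 - BHO: Example Helper (constructed) - {00000000-0000-0000-0000-0000000000AA} - C:\Program Files\Example\helper.dll
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (file missing)
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - (Checkers Class)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - (constructed vendor) - C:\Program Files\Java\jqs.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # why the entry deserves a look
    line: str     # the log line verbatim, so it can be matched in the HijackThis window


# "O2 - BHO: ...": section code, " - ", then the rest of the entry
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# "BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
START_RE = re.compile(r"Start Page = (?P<url>\S+)")


def analyze(log_text: str) -> list[Finding]:
    """Return the entries that match the patterns discussed in the thread, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            s = START_RE.search(body)
            if s and urlparse(s.group("url")).hostname not in EXPECTED_START_HOSTS:
                findings.append(Finding(section, "start page points at an unexpected site", line))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b and b.group("target") == "(no file)":
                findings.append(Finding(section, "BHO registration whose DLL is gone (orphaned entry)", line))
        elif section == "O4" and body.endswith("= ?"):
            findings.append(Finding(section, "startup shortcut whose target could not be resolved", line))
        elif section == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(section, "toolbar button whose DLL is gone (orphaned entry)", line))
        elif section == "O16":
            findings.append(Finding(section, "downloaded ActiveX control (DPF); confirm it is wanted", line))
    return findings


def checklist(log_text: str) -> list[str]:
    """The exact lines to tick in HijackThis before 'Fix Checked'."""
    return [f.line for f in analyze(log_text)]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample prints six entries: the dollwar.com start page, the orphaned O2 BHO, the unresolved O4 shortcut, the missing AOL O9 button, and both O16 DPF lines; the constructed benign BHO and the O23 service are left alone, since a present DLL and a service entry are not by themselves suspicious.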
 
My Internet is now working outside of safe mode.. I think.

But I can't follow your directions. I need my printer to work and it says no printer is connected.
Also, I'm just going to change my home page; I never got around to it because I use Firefox. The website closed and came back as a different one. So how do I fix my printer? And can't I just keep EasyShare and the HP printer stuff running? I use one or the other at least every day..
I'm sorry if I'm sounding lazy, not wanting to stop all this stuff, but it just seems like so much that I don't need to remove.

And I don't have any of the issues I had when I got the virus anymore. My computer is working much faster than before I had the virus and everything; I am reconsidering buying a new computer, it's working so well.

The only issue I have now is that my Windows bar doesn't look like this.
http://www.guidebookgallery.org/pics/gui/desktop/empty/winxppro.png
It looks like Windows Classic and I can't change it.
And also.. why does my computer front screen have an Admin then an Administrator? Where did that user come from? I only had an Admin, which is the screen my dad used when he set up my computer.
 
Also, my computer seems to think it's always in safe mode.
I need to install some programs and neither will work because my computer is in safe mode. It's not even in Selective Startup mode.
The programs I'm installing are:
Cisco Network Magic
Windows Live Messenger.

But neither will work.
Also upon startup AVG command line (or something like that) comes up saying it's a scan for when you're in safe mode.. I'm not in safe mode.
 
You can keep any start up you want! You aren't removing anything when you uncheck it on the startup menu- the program, applications or printer is still on the system>The only difference is that it isn't starting on boot.

If you are unwilling to pare down the startup and open the program properly, then be prepared for a slow computer.

If the printer is hard wired to another computer, that computer must be on in order to use the printer.

The only issue I have now is that my windows bar doesn't look like this.
The image is a desktop background called "Bliss." It is found here:
Control Panel> Display> Desktop tab> Background> Bliss.

This is NOT for Windows Classic or Category View. You change that as follows:
Right click on Taskbar> Properties> Start Menu tab> Choose Classic.

Let me know when you decide which mode your computer is in. You said it was back to Normal, then say Safe Mode. Are you sure you know which is which?
 
I'm in normal mode but my computer thinks it's in safe mode when I am trying to, for instance.. I tried to "start" a service but it says it cannot do so because of an error. Then an error number follows that says the problem may be "your computer is in safe mode." But it isn't. It's not in Selective Startup mode and it's not in safe mode; it's in normal.

And I'm not talking about my background, I'm talking about the bar. It is not the right style.. Windows XP style; it's Windows Classic, so I cannot change it to the XP style where the varying colors are silver, blue and green.

Also, here's what I cannot do: I cannot print, and my printer is hooked up to my computer; it's right next to me. I cannot hear anything; my speakers have completely stopped. They are on and everything but I can't hear a thing. It says I have no audio device.

And I still can't install anything; it says the error is I'm in safe mode. Like I showed you in the SS.

In the bleh attachment, that's the error I am getting when I try to start and stop a service. And I'm in normal mode.
Shown in the Normal attachment.


Then in the weeewooo and weewoo attachments, they both show that my settings are Classic, but that is my only setting. The other went missing after I did the scans yesterday morning.
Here's what I want it to look like.
http://kampela.it.helsinki.fi/apumatti/images/imagebank/lcms/6522/kaynnistavalikkoxp.jpg


But all I want fixed right this second is my printer and downloading programs, so I want my computer to stop thinking it's in safe mode when it isn't, because I need to install Network Magic and I have a paper to write.

Edit: I don't care how slow my computer will run, I want my services back on. It's inconvenient none of them will start.
 
I fixed my problem in the above post by doing the steps described here:
http://www.petri.co.il/forums/showthread.php?t=23032&page=2

Want me to still go ahead and do the service stuff?
I just really want to know if my computer is clear of any viruses or trojans.
Sorry for my snippiness in the above post; I hadn't slept much in a day or two and I was confused and frustrated.

Again, I'm sorry :).
 