Author Topic: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updating, Sad But True  (Read 54923 times)


St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #15 on: April 18, 2009, 06:30:44 PM »
Here is my Malwarebytes log that I just ran. I don't know if it deleted the files at the bottom on reboot; it seemed like my computer rebooted like it normally does, so I am running Malwarebytes again to see what it finds.

Database version: 1945
Windows 5.1.2600 Service Pack 3

4/18/2009 12:21:18 PM
mbam-log-2009-04-18 (12-21-18).txt

Scan type: Quick Scan
Objects scanned: 110574
Time elapsed: 17 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\procgdsj32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\procgdwh32.exe (Rogue.InternetAntivirus) -> Delete on reboot.

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #16 on: April 18, 2009, 06:31:56 PM »
I did notice another thing: my msconfig.exe keeps starting up due to a modified boot.ini, because I am not loading all the startup items, I guess? I don't know if that is important or not. Thanks again.

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #17 on: April 18, 2009, 06:46:27 PM »
Here is the current scan. I will try to reboot again and hopefully it will clear or do something this time.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/18/2009 12:45:23 PM
mbam-log-2009-04-18 (12-45-23).txt

Scan type: Quick Scan
Objects scanned: 110319
Time elapsed: 18 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\procgdsj32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\procgdwh32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
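The two logs above list the same nine files as "Delete on reboot" both before and after the reboot, which is exactly what the poster is unsure about. The Python script below is an added example, not part of the thread and not Malwarebytes' own code: it parses MBAM log text into its detail sections, pulls out the items still scheduled for deletion, and diffs two scans so an unchanged pending list is visible at a glance. The embedded log text is copied from the two posts above; the function names and the regular expressions are my own.

```python
import re
from collections import Counter

# Sample input: lines copied from the two Malwarebytes logs posted above
# (Reply #15 and Reply #17). The nine "Files Infected" lines are identical
# in both scans, so they are defined once and reused in both logs.
_FILES = r"""Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\procgdsj32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\procgdwh32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
"""

LOG_REPLY_15 = r"""Database version: 1945
Windows 5.1.2600 Service Pack 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

""" + _FILES

LOG_REPLY_17 = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

""" + _FILES

# A detail section header has no count after it ("Files Infected:");
# the summary lines ("Files Infected: 9") therefore do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# item (detection) -> action ; the action may itself contain "->" segments.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[\w.\-]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return {section: [{'item', 'detection', 'action'}, ...]} for the detail
    sections of an MBAM log. Empty sections map to an empty list."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        e = ENTRY_RE.match(line)
        if e:
            # The last "->" segment is what MBAM actually did (or deferred).
            action = e.group("action").split("->")[-1].strip()
            sections[current].append({"item": e.group("item"),
                                      "detection": e.group("detection"),
                                      "action": action})
    return sections


def pending_reboot(sections):
    """Items MBAM could not remove immediately and deferred to the next reboot."""
    return [e["item"] for entries in sections.values() for e in entries
            if e["action"].startswith("Delete on reboot")]


def still_pending(first, second):
    """Items deferred in the first scan that the second scan still reports as
    deferred: the reboot in between did not remove them."""
    return sorted(set(pending_reboot(first)) & set(pending_reboot(second)))


def detections_by_family(sections, section="Files Infected"):
    """Count detection names within one section, e.g. how many Trojan.Agent files."""
    return Counter(e["detection"] for e in sections.get(section, []))


if __name__ == "__main__":
    first, second = parse_mbam_log(LOG_REPLY_15), parse_mbam_log(LOG_REPLY_17)
    print("Still pending after reboot:", len(still_pending(first, second)))
    for family, n in detections_by_family(first).items():
        print(f"  {family}: {n}")
```

Run against the two posted logs, `still_pending` returns all nine file paths, which is the signal that "Delete on reboot" never took effect and that something still running at boot is keeping those files in place.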

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #18 on: April 19, 2009, 05:39:25 PM »
Update time, here is what I have done thus far:

I went into safe mode and tried to run avast, but it would not load up completely. I did run Spybot S&D in safe mode (nothing found), Malwarebytes in safe mode (nothing found) and Ad-Aware (nothing found). Now I am in safe mode with networking so I can go online.

My chkdsk utility would not work completely, so I had to run it at reboot after safe mode. Chkdsk then "deleted index entries" in $I30, whatever that means, and also "orphaned file client" for 2 files into two directory files, whatever that means.

After this, chkdsk said it was verifying the USN journal, and that seemed OK, during boot-up; then it rebooted and chkdsk ran OK and completed without any issues.

After this I defragmented my hard drive, not completely, since it took about 6 hours to defrag approx. 30% of it. I also changed my password while I was offline; however, I do not think I removed the trojan, since Malwarebytes never ran on reboot previously.

I have tried to load up avast in safe mode, but it will not load completely. It shows me that it is loaded, and AvastSimpleUserInterface is loaded and running in Task Manager in safe mode, but when I click "Switch to" nothing happens.

Anyway, I just ran Malwarebytes in safe mode with networking, but it showed me no infections... which is great! I think, hehe.

Does anyone have any additional suggestions? I tried to learn about fixing this myself, but I think I am in deep with this trojan and I am worried I am going to have to reformat...

Thanks in advance

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #19 on: April 19, 2009, 05:46:22 PM »
OK, this stupid trojan thing, or whatever is in my system, is still active and redirecting my browser.

I am having car problems (yes, that is just my life lately), which is another story, since I am about to throw in the towel, worried my ride has reached the end of the line too, but I digress.

Anyway, I just did a search (again, I am in safe mode with networking) for an automotive forum via Google. I clicked on the link for this carjunky website, then I got a popup saying I am about to be redirected to a new site, and it took me to EDMUNDS.com.

I had to hit Back on my browser to get back to the carjunky website. Also, my Windows Defender will not update either... is that related? I will run another HijackThis log now, I suppose...

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #20 on: April 19, 2009, 05:50:10 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:26 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #21 on: April 19, 2009, 05:51:12 PM »
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 10498 bytes

I am going to do some further reading in the other posts; I am sure someone else must have had a similar problem. Thanks again.
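A HijackThis log is a flat list of autostart and configuration points, and the lines worth a second look can be picked out mechanically rather than by eye. The script below is an added example, not part of this thread and not HijackThis's own code: it parses the prefixed lines from log text and flags orphaned BHO/toolbar entries, autostarts launched from a user-writable profile directory, the MSConfig /auto entry the poster noticed, IE policy restrictions, DNS servers outside an expected set, and services whose binary carries no publisher. Most sample lines are copied from the log above; the `[sav]` O4 line and the 192.0.2.53 NameServer line are constructed to exercise the checks, and the expected-DNS set (the 208.67.x OpenDNS resolvers that appear in the log) is an assumption you would replace with your own.

```python
import re
from collections import Counter

# Sample log: lines copied from the HijackThis log posted above, plus two
# constructed lines (marked below) so that every check has something to hit.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode with network support

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
# constructed line (not in the posted log); the path is one MBAM listed above
O4 - HKCU\..\Run: [sav] C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\sav.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
# constructed line (not in the posted log); 192.0.2.53 is a TEST-NET address
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# Assumption: the resolvers this machine is expected to use. The two OpenDNS
# addresses below are the ones the posted O17 lines show.
OPENDNS = {"208.67.222.222", "208.67.220.220"}

HJT_LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text):
    """Return [(code, body), ...] for every 'Oxx - ...' / 'Rx - ...' line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def triage(entries, expected_dns=OPENDNS):
    """Heuristic review: returns [(code, reason, body), ...] for lines worth
    a closer look. Nothing here proves an entry is malicious; it prioritises."""
    findings = []
    for code, body in entries:
        low = body.lower()
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((code, "orphaned BHO/toolbar entry (no file on disk)", body))
        elif code == "O4":
            if "local settings\\application data" in low or "documents and settings" in low:
                findings.append((code, "autostart from a user-writable profile directory", body))
            if "msconfig.exe /auto" in low:
                findings.append((code, "MSConfig runs at logon: selective startup is in effect", body))
        elif code == "O6":
            findings.append((code, "IE policy restriction present; confirm it was set deliberately", body))
        elif code == "O17":
            unexpected = [ip for ip in IPV4.findall(body) if ip not in expected_dns]
            if unexpected:
                findings.append((code, "NameServer outside expected set: " + ", ".join(unexpected), body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service binary has no publisher; identify it before trusting it", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{code}: {reason}\n    {body}")
```

The O17 check is the one to adapt first: pass your own resolver set as `expected_dns`, and treat any resolver you did not configure as a candidate explanation for search-result redirects like the ones described in this thread.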

micky77

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #22 on: April 19, 2009, 05:55:04 PM »
Just 2 brief questions: are MBAM scans in normal mode all clear? Also, did you manually update SAS and scan?

St.Anger_561_

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #23 on: April 19, 2009, 08:45:51 PM »
Thanks for the feedback. I ran MBAM in normal mode and it showed me "all clear", no infections; I also ran SAS in normal mode, which showed me the same thing.

I did just download Advanced SystemCare v3.2.0 and did some repair work with that program. It did find win32/Aspam.trojan and an aspam.trojan/drvman variant when I ran it in safe mode, but this program has since taken care of those two items.

I noticed when I went into normal mode that I got the "win32 generic host services" error, and when I opened up IE 8.0 after running MBAM and SAS in normal mode, my IE was redirected again when I clicked on the search result links.

Thanks again for your advice. I don't know what else to do or try at this point.

Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #24 on: April 19, 2009, 08:54:42 PM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. (you can skip this step as you've already done it) Make a HijackThis log to post here or on an analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

micky77

  • Guest
Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
« Reply #25 on: April 19, 2009, 10:27:46 PM »
St.Anger_561_, sorry to hear you're still having problems. Are there any entries in your hosts file? Look in
C:\WINDOWS\SYSTEM32\DRIVERS\ETC, open the hosts file by double-clicking and choose Notepad to open it, then copy/paste what's there.

St.Anger_561_

  • Guest
Thanks for the advice again, Tech and Micky77.

I have made progress, sort of. I tried Trend Micro HouseCall but it will not work properly. In my IE browser it says that I don't have Java updated, but I know I do, because I downloaded it after I had already tried the Secunia Software Inspector, from a suggestion in one of your other posts, which showed me I needed several items updated, which I did.

I WAS able to run a Panda ActiveScan, although it was stuck on 36% complete FOREVER and it took several hours to run (really too long to run). It told me that I have a Trojan, KillAV.KI, which totally stinks!!

What stinks even more is that Panda will not let me get rid of it, because it asked me for my email address and I registered, but they have never sent me an email yet. If I can just get that email and confirm, then it seems like Panda is ready, willing and able to remove it... but the email is not coming through... gggrrrr!!

I did open the hosts file with Notepad, Micky77, but it is a huge file! There are many, many, many entries in it. Was something I did supposed to delete those?

I am ready to throw in the towel, but I appreciate your suggestions. I have downloaded RunScanner from another of your posts too, I believe, Tech, but I haven't run it yet.

Thanks again for the Secunia site, I had no clue on that. I am going to try searching online for info on this KillAV.KI trojan that Panda found. Total bummer...
« Last Edit: April 20, 2009, 04:50:13 AM by St.Anger_561_ »

micky77

  • Guest
Don't throw the towel in yet. There was a recent post here with KillAV (maybe not the exact same thing):

http://forum.avast.com/index.php?topic=43784.msg368768#msg368768
Will look back later today. Chin up.

micky77

  • Guest
Hello again St.Anger_561_, just a couple more suggestions.
First, download HostsXpert. This program does not need installing; just run it from where you downloaded it to. Unzip it, then open it; you will see an h in a red square. Double-click to start the program.
You said there were many entries in your file; it's possible most of them are from Spybot's immunisation. Do you have Spybot's 'locking' your hosts file setting on? (Didn't stop the malware.) If so, uncheck that in Spybot (I notice from HJT you have your homepage locked). I see you have TeaTimer on (advanced settings).
In Spybot:
1. Click "Mode", selecting "Advanced Mode".
2. Click "Tools" in the left pane.
3. Click "IE tweaks" in the right pane.
4. UNCHECK "Lock Hosts file read-only as protection against hijackers".
http://z.about.com/d/antivirus/1/0/2/2/spybot_4.jpg
It's possible that if this setting was checked it would stop you from clearing the hosts file.
Anyway, click on File Handling, then on Restore MS Hosts File. Click on OK, then on Make Read Only. Your hosts file should now be clear, ALL the entries gone.
All this may not work due to the malware; if it does, it will only be temporary, but it may give you the opportunity to update programs and surf without being redirected.

Secondly, you could try a rescue disc. These are fully updated AV programs that use Linux, so no need to boot Windows or the malware.
Here are links to instructions and downloads. These programs are primarily for unbootable computers.

With Avira, simply download the file from a clean PC and double-click on it; you will be prompted to insert a CD/DVD into the drive. The program is automatically burnt to disc. Insert the disc into the bad PC and reboot. See the link (especially about choosing English).

With Kaspersky, the file you download (from a clean PC) is an ISO file; it will not work if you copy this to CD. You need to use something like Nero and choose burn image to disc.
Then the same again: insert into the bad PC and reboot.
I have never used Kaspersky, but with Avira, which has a GUI, you will be given the option to rename any suspicious files, e.g. virus.exe to virus.xxx.
If it finds anything, look carefully; you don't want to rename something like winlogon.exe.
If you are unsure, post back with any names.
I wish you luck.

Hostsxpert http://www.snapfiles.com/reviews/hoster/hoster.html

Avira tutorial and download link http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

Extra download link http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

Kaspersky iso http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

Kaspersky instructions http://www.raymond.cc/blog/archives/2008/06/16/kaspersky-offers-free-rescue-disk-to-clean-virus-without-booting-in-windows/

« Last Edit: April 20, 2009, 06:20:24 PM by micky77 »
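The hosts-file question in this thread (a huge file with many entries, most of them probably Spybot immunisation lines) comes down to separating entries that block a name by pointing it at loopback from entries that redirect a name to a real address, and flagging any entry that touches an antivirus or update domain, because a loopback mapping there is enough on its own to stop a product from updating. The Python script below is an added example, not from the thread and not HostsXpert's own code: it parses a hosts file and classifies its entries, and reports whether the file is back to the stock Windows state (only the localhost line, which is what "Restore MS Hosts File" leaves behind). The sample hosts text, the vendor suffix list and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file (not the poster's actual file): the stock
# localhost line, one immunization-style block entry, and three entries of the
# kind the thread is worried about.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.tracker.example          # immunization-style block (constructed)
127.0.0.1       www.avast.com                # constructed: would silently stop avast updates
0.0.0.0         windowsupdate.microsoft.com  # constructed: same effect on Windows Update
203.0.113.7     www.google.com               # constructed: redirect to a TEST-NET address
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: domains whose presence in hosts is far more likely to be
# tampering than a deliberate block list. Extend for the vendors you run.
SECURITY_SUFFIXES = ("avast.com", "microsoft.com", "windowsupdate.com",
                     "malwarebytes.org", "superantispyware.com",
                     "safer-networking.org", "kaspersky.com",
                     "trendmicro.com", "pandasecurity.com")


def parse_hosts(text):
    """Return [(ip, hostname), ...]; comments, blank and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, ignore the line
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def is_security_domain(host):
    return any(host == s or host.endswith("." + s) for s in SECURITY_SUFFIXES)


def classify_hosts(entries):
    """Split entries into loopback blocks, real redirects, and any entry that
    touches a security or update domain (blocked or redirected)."""
    report = {"blocked": [], "redirected": [], "security_related": []}
    for ip, host in entries:
        if host == "localhost":
            continue
        kind = "blocked" if ip in LOOPBACK else "redirected"
        report[kind].append((ip, host))
        if is_security_domain(host):
            report["security_related"].append((ip, host))
    return report


def is_stock_hosts(entries):
    """True when nothing but loopback -> localhost mappings remain."""
    return all(host == "localhost" and ip in LOOPBACK for ip, host in entries)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    report = classify_hosts(entries)
    print("stock file:", is_stock_hosts(entries))
    for kind, items in report.items():
        print(f"{kind}: {len(items)}")
        for ip, host in items:
            print(f"    {ip:<16} {host}")
```

A long list of `127.0.0.1` lines against advertising and tracking domains is what an immunization tool leaves and is harmless; what matters is the `security_related` and `redirected` buckets, which should be empty on a machine nobody has deliberately customised.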

St.Anger_561_

  • Guest
Hey Micky77,

Thanks so much for your help!  I have not given up yet, I am a soldier, like my father was before me.

However I also am a slave to my job, and the 9-5 is a real drag!  Unfortunately I have not had the time or energy to follow your most recent recommendations, but I fully intend to do so and will try to download some of the stuff you suggested today on my laptop while at work on my lunch.

As an aside, this trojan jerk bot killav program is messing with me, apparently, because my password to log into this forum had been changed!!!  Sad but true

I am changing my password for my email now (on my laptop); hopefully that will help a little, and at least I won't have to change it again. Thanks again!