You've been having so much fun. Lucky thing.
Try downloading MBAM http://www.malwarebytes.org/mbam.php
Install, update, run full scan. It may prompt you for a restart. Answer "yes" to all prompts.
Download DrWeb Cureit (standalone virus scanner.) http://www.freedrweb.com/cureit/
This one doesn't install, doesn't update, but is an excellent scanner and cleaner. Run it.
How does that work?
Hello. I'll start with posting some system info: I have Windows XP Home (SP2), and I use an HP Pavilion dv4000 series laptop. I'll provide any more relevant specs as required..
My computer got infected recently, and here's how I started noticing the problem...I was just browsing the web normally, when all of a sudden my computer restarted by itself. When it did restart, I noticed several peculiarities:
1. First of all, there was a little white "X" on a circular red background in my system tray in the lower right of my screen, and this launched a little bubble saying "Your computer is infected! Windows has detected a spyware infection! It's recommended to use special antispyware tools to pervent (sic) data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!" Notice that the message spelled "prevent" incorrectly...an obvious indicator that there was something malicious going on. Also, whenever I clicked the "close" icon for this message, it would simply pop right back up after a few seconds from the system tray.
2. Also, I have McAfee VirusScan Plus (a free-edition suite from AOL/McAfee). McAfee's shields seemed to have been shut down. All of the real-time protections (av, as, scripts, etc..) were disabled, and I was not able to re-activate them by clicking "Fix Now" in the McAfee main panel.
3. When I opened up Internet Explorer, my home page was no longer Yahoo!, but Google. So, I went to Internet options to change this back to "Yahoo", but, even after doing this, my home page continued to revert to Google upon subsequent restarts of my system.
4. I tried opening up "fsbl.exe" from my desktop (the F-Secure Blacklight anti-rootkit scanner), but it would not open.
5. I also was not able to access the online scanners NOD32 and TM Housecall. These are in my "favorites" in IE, but, when I clicked on them, I would get a message from Google saying "Oops! This link appears to be broken. Page not found--connection failure."
6. Out of curiosity, I tried searching for random things on Yahoo and Google. And I noticed that several (if not all) of the links either took me to the wrong page or back to that Google message I mentioned in the previous point.
7. I also have McAfee SiteAdvisor, but its ratings were no longer present for Google or Yahoo search results (but the SA bar was still present at the top of the screen). Also, the search results from these sites looked weird...the font-size was way larger than it used to be, and I could not return it to the normal size.
8. I tried opening up HiJackThis from my desktop, but it would not open.
9. I tried restarting my computer several times, but, each time, a few seconds after it restarted, I kept getting a Blue Screen. All Blue Screens were followed by an immediate automatic restart.
Now, let me describe for you what I did...
I restarted my computer again, but this time, in an effort to stave off another Blue Screen, I IMMEDIATELY started running CCleaner as soon as my computer restarted, hoping to sort of "tie up" my machine with something to do. Amazingly, this worked: the BSOD did not come back, and CC was able to complete its wash of my system. Then, just to sort of kill time and make sure things were still okay, I ran Webroot Window Washer. It too was able to complete its wash (at the time it seemed like running CC and WW were the REASONS that the Blue Screen was prevented...but later on I experienced a Blue Screen while CC was running). Then, I ran a full McAfee scan. McAfee's real-time protections were still disabled, but I was able to run a full on-demand scan. It turned up 3 infections, all of which I removed from my system (I cannot recall what or where these 3 infections were). Then, I ran Windows Live OneCare online scanner (the only online scanner I was able to access in my "favorites"). This found 2 different infections: I don't remember one of them but the other was called "TrojanDownloader:Win32/Renos". OneCare said that this infection was comprised of 12 "items" on my system (I can supply these 12 items if desired). It was able to delete all of them (as well as the 2nd general infection that I couldn't recall). However, one of the deletions required me to restart my system (the file in question was C:\Windows\system32\brastk.exe). Anyway, I proceeded to do as WLOC suggested, and I restarted my system. Praying I wouldn't get another Blue Screen, I immediately ran CC and WW again upon restart to stave it off. The Blue Screen in this particular instance did not return (but running these apps probably had nothing to do with the lack of a Blue Screen, since, as I said before, I did subsequently discover a Blue Screen while CC was running...so, even after running McAfee, WLOC, and restarting, I did experience at least one Blue Screen--for example, once while CC was running shortly after starting up, once at just a random time while surfing the internet, and also while trying to install some additional security software..I'll describe this last problem later). Now, there were a few positive changes I noticed after the restart. First of all, my home page was back to normal (Yahoo). Secondly, the McAfee shields were up and functioning again. Also, the little white "X" symbol in my system tray was no longer there. So, now I proceeded to try some more disinfection steps...here's what I did:
1. I tried opening NOD32 online scanner again, but it wouldn't work. I tried clicking the link in my Favorites, but I got that "Google Oops" message again. I tried typing the address into the address bar, but again I got this same message. I tried clicking on the link in the Google and Yahoo search results, but they each took me to the wrong page. I also tried opening the cached page, but again I got that "Google Oops" screen.
2. I tried opening the TM Housecall online scanner. The only difference from the attempts with NOD32 was that when I clicked on the Housecall link in Google, I got taken to the "Google Oops" screen instead of to a wrong page.
3. I tried navigating to the web page where I can download IceSword (a powerful anti-rootkit app) from, but I was not able to access the page. The links in the Yahoo and Google search results each took me to a random website, and, when I typed in the relevant address, I got taken once again to that "Google Oops" screen.
4. I tried opening fsbl.exe (F-Secure Blacklight anti-rootkit) again from my desktop. This time it opened up, and I was able to run a scan. But, the scan finished VERY, VERY quickly..like in less than 1 minute. Usually it takes more like 4 or 5 minutes to complete. Anyway, nothing suspicious was found.
5. Finally, I was able to open and run HiJackThis.
Another abnormal event I should note that occurred AFTER I ran the McAfee and WLOC scans and restarted my computer (as per WLOC's suggestion): I got a pop-up message while on the internet saying "Attention! Do you want to install AntiVirus 2009 to scan your computer now?" Then, below, there were 2 options "OK" and "Cancel". Obviously, I chose the latter. Clearly, even after deleting some infections with McAfee and WLOC and restarting my computer, there was still something malicious lurking within my system.
Next, I sent the log of HJT to a knowledgeable person, and he told me to delete 2 entries: one pertaining to a Yahoo! toolbar (which I do not have in either of my 2 browsers: IE7 and Firefox 3) and the other was called "AppInit_DLLs: karna.dat". This latter item was entry O20 in the log. I went ahead and deleted both. Then, this person to whom I sent the log told me to reboot my machine (I did), make sure that these 2 HJT entries were still absent (they were), check to see if I oould now open the other online scanners (I could not), reboot into Safe Mode w/ Networking if I could not open those scanners (I did), and try opening the scanners from there (they still did not open). When I tried opening them from Safe Mode w/ Networking, I got sent to a page saying "IE could not open the page" or something like that.
So, the next thing I did was reboot back into Normal mode. When I did this, I discovered that several of the initial problems I reported above were back: that little white "X" was back in my system tray, McAfee's real-time protections were disabled again, my home page had been converted from Yahoo! to Google again, I still got sent to that "Google Oops" screen when trying to open NOD32 and TM Housecall online scanners, Yahoo! and Google search result links were still taking me to wrong pages, SiteAdvisor ratings were still absent from Yahoo! and Google search results (and the search results still looked odd as described above), and HJT would not open again from my desktop (HJT fails to open in Safe Mode, as well).
The friend who analyzed my HJT log told me to run EasyCleaner (a conservative registry cleaner) and WinDoctor (a Symantec app) to see if it cures the Blue Screens. I ran both of these, but I did subsequently discover Blue Screens. I proceeded to try other online scanners (Norton, Panda, and Ewido), but they all failed in normal mode (I didn't try these 3 in safe mode, since I assumed they would fail just as NOD32 and TM Housecall had). I then tried installing the Scan-Only (free) version of Webroot Antivirus with Antispyware. This resulted in a Blue Screen (the contents of which I can supply, if needed) towards the very end of the installation process. So, I went ahead and tried installing it in safe mode with networking. To do this, I first downloaded the Webroot Safe Mode Installer to my desktop (since the Windows Installer doesn't work in safe mode). Then, I opened up the Webroot Antivirus with Antispyware installation file from my desktop and tried to install it once again (in safe mode this time). But once again, I got the same Blue Screen message towards the very end of the installation process. So, currently, this particular software cannot be installed on my machine in EITHER normal or safe mode.
Now, there are a few more observations I would like to mention:
1. From safe mode (with networking), I opened up msconfig, and I found an entry with the startup name "brastk", the command "brastk.exe", and the location "HKLM\SOFTWARE\Microsoft\Windows\CurrentVer." I disabled this entry and also the one for Yahoo! Messenger (which I did have installed on my system at the time). But, upon a reboot into normal mode, this seems to have made no difference: Yahoo! Messenger started up again, and brastk also started up again.
2. I continue to be unable to reactivate McAfee's real-time shields in Safe Mode w/ Networking.
3. A few times in safe mode w/ networking, I would get the following error message: "svchost.exe-application error...the instruction at "blah blah" could not be "read"" or something like that.
4. One time, when rebooting into safe mode w/ networking, my machine froze on the blank desktop with the hourglass symbol in the middle (just prior to when the "windows is starting up" screen would appear).
5. In safe mode with networking, I did a computer search for "brastk.exe" and "karna.dat". Each of these were found in C:\WINDOWS and C:\WINDOWS\System32. This discovery was made subsequent to the scans by McAfee, WLOC (which apparently was supposed to have deleted brastk.exe from these 2 locations), and HJT (which apparently was supposed to have deleted karna.dat). I did not try to delete them, though, because I highly doubted it would have made any difference whatsoever.
6. I have noticed that the Blue Screens seem to have stopped (EXCEPT when trying to install Webroot Antivirus with Antispyware from either mode). I don't know the reason for this, but I did remove Yahoo! Messenger from my system and subsequently cleaned out my registry with CCleaner and WLOC (each more powerful than EasyCleaner mentioned above). Perhaps this had something to do with it..
7. I mentioned that I have Webroot Window Washer on my system. This has an option to wipe the entire Free Space on my hard drive. Out of curiosity, I tried performing this task from both normal and safe modes, but it would not start (wwDisp.exe was having trouble launching).
8. I tried defragmenting my hard drive using Windows' own built-in defragmenter (my machine needs it...it's like 17% fragmented). But it would not start from either mode.
9. From normal mode, in Internet Explorer 7, I went to "Tools" and then "Manage Add-Ons" to see if there was anything fishy there. I didn't see any malicious entries, but, under "Add-Ons currently loaded", there were only 3 entries there: one for the Google Toolbar (which I have), one for the SiteAdvisor toolbar (which I also have), and one which just said "research". Usually, there are SEVERAL entries listed here...not just 3.
I know this is a lot of information that I have provided...but I wanted to be as specific as possible so that the right solution to this problem could be discovered. I am certainly glad that I decided to make a log of all of the "symptoms" and attempted "treatments" of my system. I would greatly appreciate somebody's help...thank you so much.
Anyway, I will give it a go from Safe mode, and, if it fails there too, I will proceed with my sequence of steps...I'll keep you informed..
Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic