Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Followed The Advice And Still Infected. It's Trying To Install Some Program


  • This topic is locked This topic is locked
6 replies to this topic

#1 Real Mom

Real Mom

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 20 October 2007 - 02:15 PM

My computer keeps trying to install something that asks me to insert my MS Office 2000 SR-1 Professional CD. Of course I just click Cancel and then it gives me an error that it cannot intsall what it needs to and then it pops up some random ad. I got this after I searched for a myspace tracker and clicked on one of the listings.

What I have done:
-ran my usual antivirus-Defender Pro- it found nothing
-downloaded and installed SuperAntiSpyware in safe mode- it found a lot at first and deleted them
-downloaded and ran VundoFx in safe mode: found and deleted Vundo, but problem still remains

Okay, so what now? I probably have too many antivirus programs installed now but I am frustrated and at a loss as to what to do. Please advise.

Below is my HT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:03 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Defender Pro\DPASNT.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\winshow.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Defender Pro\AntiSpy\TSAntiSpy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\Defender Pro\PopupBlocker\PopupBlocker.dll
O2 - BHO: (no name) - {DB5825EA-B434-C69E-8E2D-81387140521A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\Defender Pro\DPASNT.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Defender Pro\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Defender Pro\PopupBlocker\PopupBlocker.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179943346546
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chr...web.1.0.0.9.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://games.bigfishgames.com/en_mysteryso...mesLauncher.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqpnkh - ssqpnkh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7016 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:44 PM

Posted 20 October 2007 - 03:14 PM

Hello Real Mom,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Real Mom

Real Mom
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 20 October 2007 - 04:29 PM

Okay here is the Combo Fix log and then my new HT log. Thanks!

ComboFix 07-10-21.1 - Home 2007-10-20 16:20:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT -5:00]
Running from: C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\C9WQI1GE\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Defender Pro\AntiSpy\Def\CnsMin.dsc
C:\Program Files\Defender Pro\AntiSpy\Def\CnsMin.prf
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-20 16:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 12:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-20 10:17 1,953,799 --a------ C:\Documents and Settings\Downloads\stinger.exe
2007-10-20 09:21 401,720 --a------ C:\Documents and Settings\Downloads\HiJackThis.exe
2007-10-17 08:27 <DIR> d-------- C:\Program Files\CCleaner
2007-10-16 10:11 <DIR> d-------- C:\Documents and Settings\Home\.SunDownloadManager
2007-10-16 09:54 672 ---hs---- C:\WINDOWS\system32\wvvwa.ini2
2007-10-16 09:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-16 09:31 <DIR> d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2007-10-16 09:31 <DIR> d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2007-10-16 09:31 <DIR> d-------- C:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2007-10-16 09:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-16 09:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-16 07:31 <DIR> d-------- C:\Temp
2007-10-15 17:18 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Legends of pirates
2007-10-15 17:18 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Legends of pirates
2007-10-15 17:18 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Legends of pirates
2007-10-14 13:35 <DIR> d-------- C:\Program Files\Pirateville
2007-10-13 11:31 <DIR> d-------- C:\Program Files\Stunt Track Driver
2007-09-29 20:12 <DIR> d-------- C:\Documents and Settings\Home\Application Data\ForgottenRiddles
2007-09-29 20:12 <DIR> d-------- C:\Documents and Settings\Home\Application Data\ForgottenRiddles
2007-09-29 20:12 <DIR> d-------- C:\Documents and Settings\Home\Application Data\ForgottenRiddles
2007-09-29 19:21 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Mayan Princess
2007-09-25 09:11 <DIR> d-------- C:\Documents and Settings\Downloads\Arkansas
2007-09-25 09:09 1,331,790 --a------ C:\Documents and Settings\Downloads\PES.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 19:37 --------- d-----w C:\Program Files\Pony Luv
2007-10-20 19:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-20 14:03 --------- d-----w C:\Program Files\Tropix
2007-10-16 12:12 --------- d-----w C:\Program Files\Paint Shop Pro 6
2007-10-05 13:27 --------- d-----w C:\Program Files\JumpStart
2007-09-22 17:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-22 17:32 --------- d-----w C:\Program Files\Disney Interactive
2007-09-22 17:03 --------- d-----w C:\Program Files\Hidden Expedition - Everest
2007-09-09 17:32 2,029,242 ----a-w C:\Documents and Settings\Downloads\polkadot outline pes.zip
2007-09-09 17:32 1,782,017 ----a-w C:\Documents and Settings\Downloads\Simply Sweet Applique pes.zip
2007-09-09 01:31 --------- d-----w C:\Program Files\Return to Mysterious Island
2007-08-29 21:07 --------- d-----w C:\Program Files\Pet Vet
2007-08-29 21:05 1,598,108 ----a-w C:\Documents and Settings\Downloads\patch.zip
2007-08-22 21:07 --------- d-----w C:\Program Files\Law & Order Criminal Intent 2 - Dark Obsession
2007-08-22 20:42 903,973 ----a-w C:\Documents and Settings\Downloads\ci_patch_v3.exe
2007-08-22 20:41 869,248 ----a-w C:\Documents and Settings\Downloads\ci_patch_us1.zip
2007-08-22 20:32 901,954 ----a-w C:\Documents and Settings\Downloads\CI_patch1-1.exe
2007-08-22 19:47 --------- d-----w C:\Program Files\MySpace
2007-08-22 11:28 304,730 ----a-w C:\Documents and Settings\Downloads\Nicki Design.zip
2007-08-20 00:35 533,179 ----a-w C:\Documents and Settings\Downloads\checkered flags.zip
2007-08-20 00:34 423,178 ----a-w C:\Documents and Settings\Downloads\Hog.zip
2007-08-20 00:34 419,575 ----a-w C:\Documents and Settings\Downloads\G Bulldogs.zip
2007-08-20 00:34 132,790 ----a-w C:\Documents and Settings\Downloads\Tennessee.zip
2007-08-20 00:33 683,193 ----a-w C:\Documents and Settings\Downloads\cheer brat.zip
2007-08-20 00:33 392,695 ----a-w C:\Documents and Settings\Downloads\Grandmother saying.zip
2007-08-20 00:33 364,622 ----a-w C:\Documents and Settings\Downloads\Christmas Tree.zip
2007-08-20 00:33 150,945 ----a-w C:\Documents and Settings\Downloads\Barbie.zip
2007-08-20 00:32 669,669 ----a-w C:\Documents and Settings\Downloads\smarty pants applique.zip
2007-08-20 00:32 554,320 ----a-w C:\Documents and Settings\Downloads\sman logo.zip
2007-08-20 00:32 418,555 ----a-w C:\Documents and Settings\Downloads\Olivia.zip
2007-08-20 00:32 367,495 ----a-w C:\Documents and Settings\Downloads\mh_pony.zip
2007-08-20 00:32 248,082 ----a-w C:\Documents and Settings\Downloads\Megaphone Flipflops.zip
2007-08-20 00:31 732,248 ----a-w C:\Documents and Settings\Downloads\R2 D2.zip
2007-08-20 00:31 581,394 ----a-w C:\Documents and Settings\Downloads\character1.zip
2007-08-20 00:31 341,811 ----a-w C:\Documents and Settings\Downloads\character2.zip
2007-08-20 00:31 113,040 ----a-w C:\Documents and Settings\Downloads\character3.zip
2007-08-13 13:42 32,538 ----a-w C:\Documents and Settings\Downloads\first grader.zip
2007-08-12 18:41 29,387 ----a-w C:\Documents and Settings\Downloads\ayummya.zip
2007-08-12 18:39 39,447 ----a-w C:\Documents and Settings\Downloads\angelica.zip
2007-08-12 18:39 25,063 ----a-w C:\Documents and Settings\Downloads\acadian.zip
2007-08-12 18:36 27,685 ----a-w C:\Documents and Settings\Downloads\fontleroybrown.zip
2007-07-14 04:04 1,525,133 ----a-w C:\Documents and Settings\Downloads\Thansgiving_pes.zip
2007-07-14 04:03 380,237 ----a-w C:\Documents and Settings\Downloads\Lets_Face_It_Peachy_pes.zip
2007-06-13 19:31 3,400,869 ----a-w C:\Documents and Settings\Downloads\PIXresizer.zip
2007-06-12 20:40 42,567,136 ----a-w C:\Documents and Settings\Downloads\93.71_forceware_winxp2k_english_whql.exe
2007-06-12 14:12 1,559,601 ----a-w C:\Documents and Settings\Downloads\MB059AW8.ZIP
2007-05-29 22:04 1,166,528 ----a-w C:\Documents and Settings\Downloads\Sue-Plaids_Checks.zip
2007-05-29 21:02 93,204 ----a-w C:\Documents and Settings\Downloads\msvcrt10.zip
2007-05-29 21:02 67,860 ----a-w C:\Documents and Settings\Downloads\bonus.zip
2007-05-29 21:02 289,902 ----a-w C:\Documents and Settings\Downloads\simple.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB5825EA-B434-C69E-8E2D-81387140521A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX500"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.exe" [2003-06-01 15:00]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-08-01 02:00]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-09-14 12:10]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-04-20 14:52]
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" [2005-10-21 04:21]
"DPAS"="C:\Program Files\Defender Pro\DPASNT.exe" [2005-04-29 05:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 01:00]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-09-20 01:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe [2005-05-31 14:29:16]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpnkh]
ssqpnkh.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-08-13 16:26:26 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 16:23:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@???@?? C???????@?????????@?B???A???????A?? ????B???@?????P?????@?? ??????k??w??????????@?u?????????????????B?????? ????????????????????????????B
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????wd??w????????\???\??????????????w-??w\???\???????8?`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-21 16:24:15
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:01 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Defender Pro\DPASNT.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Defender Pro\AntiSpy\TSAntiSpy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {DB5825EA-B434-C69E-8E2D-81387140521A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\Defender Pro\DPASNT.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Defender Pro\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Defender Pro\PopupBlocker\PopupBlocker.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179943346546
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfishgames.com/en_dream-chr...web.1.0.0.9.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://games.bigfishgames.com/en_mysteryso...mesLauncher.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqpnkh - ssqpnkh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6752 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:44 PM

Posted 20 October 2007 - 06:15 PM

Hello,

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpnkh]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB5825EA-B434-C69E-8E2D-81387140521A}]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop. It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now please run SUPERAntispyware and post the report in your reply. Please also let me know how your computer is running now.:thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Real Mom

Real Mom
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 20 October 2007 - 08:02 PM

Oh thank you!! I think you fixed it. :thumbsup:

I don't have a log to post as SAS didn't find anything on my system.

Grateful,
Real mom

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:44 PM

Posted 20 October 2007 - 08:42 PM

Well that's great news! :thumbsup: You're most welcome.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

I don't see any active AntiVirus on your system. This is somewhat suicidal in today's digital world. That's why I want you to install one!! You have AntiSpyware programs. These are not the same!!

AVG, Avira OR Avast are good FREE antivirus.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:44 PM

Posted 25 October 2007 - 03:16 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users