Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With New Poly Win32


  • This topic is locked This topic is locked
2 replies to this topic

#1 ryszka

ryszka

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 02 January 2006 - 04:49 PM

Internet explores sets the default homepage to about:blank. Also, some entries have been added to my favorites. And the worst of the problem is my desktop is set to a dark blue background with a big black box located in the middle of it that says..

Spyware Infection (big red letters)
Your system is infected with spyware. Windows recommends you to use a spyware removal tool to prevent loss of important data and increase system performance. Using this PC before having it cleaned from spyware threats is highly discouraged.

Logfile of HijackThis v1.99.1
Scan saved at 4:19:53 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\netbp.exe
C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\CD.tmp.exe
C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\CE.tmp.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\addqt.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qxxki.dll/sp.html#28129%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3C151A68-188A-0D75-77E2-FFCC5E29D857} - C:\WINDOWS\sdkig32.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Class - {FBC963C0-47A1-07C0-004E-D8258BEE3766} - C:\WINDOWS\system32\sysng32.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [netbp.exe] C:\WINDOWS\system32\netbp.exe
O4 - HKLM\..\Run: [CD.tmp] C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\CD.tmp.exe
O4 - HKLM\..\Run: [CE.tmp] C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\CE.tmp.exe
O4 - HKLM\..\Run: [CE.tmp.exe] C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\CE.tmp.exe
O4 - HKLM\..\Run: [CD.tmp.exe] C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\CD.tmp.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\200612161648_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\KEVINR~1\LOCALS~1\Temp\200612161648_mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097379945578
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\addqt.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

BC AdBot (Login to Remove)

 


m

#2 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 11 January 2006 - 09:18 PM

Hi, ryszka.
Sorry for the delay in replying to your post.

If you still need help, please scan with hijackthis and post a fresh log.

Your copy of hijackthis has not been unzipped and is located in a temporary directory.
When the temp files are cleaned out, the program and backup files it makes will be lost.

Instead of hunting it down and moving it, let's download a new one.
Click the link below, then choose to save it to your drive. Go to the download location and double click hijackthis_sfx.exe.
A box will open, choose unzip, then close the box. A hijackthis folder will be placed at C:\Program Files\HijackThis.

http://www.merijn.org/files/hijackthis_sfx.exe
Posted Image

#3 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 24 January 2006 - 04:57 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users