
Author Topic: Bug screensaver virus  (Read 29766 times)


lufo4

    Topic Starter


    Rookie

    Bug screensaver virus
    « on: April 27, 2008, 07:50:43 PM »
    Hello, recently I was under a virus attack. After fending it off and scanning it, I disconnected all my network connections. Then, after running another scan, a screensaver would show up every once in a while. It was a bunch of bugs eating up the desktop; at the move of my mouse it would disappear. It acts like a screensaver, but under my desktop settings no screensaver is set, and I have no recollection of ever installing said screensaver.

    Any help would be appreciated, thank you.

    mcxeb52!

    • Guest
    Re: Bug screensaver virus
    « Reply #1 on: April 27, 2008, 07:56:25 PM »
    What Windows version are you using?

    And if XP or Vista, try System Restore....

    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: Bug screensaver virus
    « Reply #2 on: April 27, 2008, 10:20:31 PM »
    Print these instructions out.

    1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

        * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
        * An icon will be created on your desktop. Double-click that icon to launch the program.
        * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
        * Close SUPERAntiSpyware.

    Restart the computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until a menu appears; select Safe Mode. You'll see "Safe Mode" in all four corners of your screen.

        * Open SUPERAntiSpyware.
        * Under "Configuration and Preferences", click the Preferences button.
        * Click the Scanning Control tab.
        * Under Scanner Options make sure the following are checked (leave all others unchecked):
              o Close browsers before scanning.
              o Scan for tracking cookies.
              o Terminate memory threats before quarantining.
        * Click the "Close" button to leave the control center screen.
        * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
        * On the left, make sure you check C:\Fixed Drive.
        * On the right, under "Complete Scan", choose Perform Complete Scan.
        * Click "Next" to start the scan. Please be patient while it scans your computer.
        * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
        * Make sure everything has a checkmark next to it and click "Next".
        * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
        * If asked if you want to reboot, click "Yes".
        * To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
              o Click Preferences, then click the Statistics/Logs tab.
              o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
              o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
              o Please copy and paste the Scan Log results in your next reply.
        * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RESTART COMPUTER!

    2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

        * Double-click mbam-setup.exe and follow the prompts to install the program.
        * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
        * If an update is found, it will download and install the latest version.
        * Once the program has loaded, select Perform full scan, then click Scan.
        * When the scan is complete, click OK, then Show Results to view the results.
        * Be sure that everything is checked, and click Remove Selected.
        * When completed, a log will open in Notepad.
        * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    3. Download HijackThis:
    http://www.snapfiles.com/get/hijackthis.html
    Post HijackThis log.

    lufo4

      Topic Starter


      Rookie

      Re: Bug screensaver virus
      « Reply #3 on: April 28, 2008, 04:30:17 PM »
      What Windows version are you using?

      And if XP or Vista, try System Restore....

      I'm using XP Pro.
      I tried System Restore, but it has been turned off and there is no restore point from before my little brother downloaded the game and the virus attack started.

      patio

      • Moderator


      • Genius
      • Maud' Dib
      • Thanked: 1769
        • Yes
      • Experience: Beginner
      • OS: Windows 7
      Re: Bug screensaver virus
      « Reply #4 on: April 28, 2008, 04:35:44 PM »
      Follow the instructions posted step by step...
      " Anyone who goes to a psychiatrist should have his head examined. "

      lufo4

        Topic Starter


        Rookie

        Re: Bug screensaver virus
        « Reply #5 on: April 28, 2008, 05:10:02 PM »
        What Windows version are you using?

        And if XP or Vista, try System Restore....

        I'm using XP Pro.
        I tried System Restore, but it has been turned off and there is no restore point from before my little brother downloaded the game and the virus attack started.

        When I clicked the .exe setup file, it opened up a dialog box titled "Windows Installer"
        and it had this in the dialog box:

        Windows ® Installer. V 3.01.4000.1823

        msiexec /Option <Required Parameter> [Optional Parameter]

        Install Options
           </package | /i> <Product.msi>
              Installs or configures a product
           /a <Product.msi>
              Administrative install - Installs a product on the network
           /j<u|m> <Product.msi> [/t <Transform List>] [/g <Language ID>]
              Advertises a product - m to all users, u to current user
           </uninstall | /x> <Product.msi | ProductCode>
              Uninstalls the product
        Display Options
           /quiet
              Quiet mode, no user interaction
           /passive
              Unattended mode - progress bar only
           /q[n|b|r|f]
              Sets user interface level
              n - No UI
              b - Basic UI
              r - Reduced UI
              f - Full UI (default)
           /help
              Help information
        Restart Options
           /norestart
              Do not restart after the installation is complete
           /promptrestart
              Prompts the user for restart if necessary
           /forcerestart
              Always restart the computer after installation
        Logging Options
           /l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile>
              i - Status messages
              w - Nonfatal warnings
              e - All error messages
              a - Start up of actions
              r - Action-specific records
              u - User requests
              c - Initial UI parameters
              m - Out-of-memory or fatal exit information
              o - Out-of-disk-space messages
              p - Terminal properties
              v - Verbose output
              x - Extra debugging information
              + - Append to existing log file
              ! - Flush each line to the log
              * - Log all information, except for v and x options
           /log <LogFile>
              Equivalent of /l* <LogFile>
        Update Options
           /update <Update1.msp>[;Update2.msp]
              Applies update(s)
           /uninstall <PatchCodeGuid>[;Update2.msp] /package <Product.msi | ProductCode>
              Remove update(s) for a product
        Repair Options
           /f[p|e|c|m|s|o|d|a|u|v] <Product.msi | ProductCode>
              Repairs a product
              p - only if file is missing
              o - if file is missing or an older version is installed (default)
              e - if file is missing or an equal or older version is installed
              d - if file is missing or a different version is installed
              c - if file is missing or checksum does not match the calculated value
              a - forces all files to be reinstalled
              u - all required user-specific registry entries (default)
              m - all required computer-specific registry entries (default)
              s - all existing shortcuts (default)
              v - runs from source and recaches local package
        Setting Public Properties
           [PROPERTY=PropertyValue]

        Consult the Windows ® Installer SDK for additional documentation on the
        command line syntax.

        Copyright © Microsoft Corporation. All rights reserved.
        Portions of this software are based in part on the work of the Independent JPEG Group.



        The only option is OK, and when I hit it, it doesn't do anything.

        Broni


        Re: Bug screensaver virus
        « Reply #6 on: April 28, 2008, 06:44:57 PM »
        Install a fresh copy of Windows Installer: http://support.microsoft.com/kb/893803

        lufo4

          Topic Starter


          Rookie

          Re: Bug screensaver virus
          « Reply #7 on: April 29, 2008, 08:39:57 AM »
          OK, I installed it, but the message comes up again.

          Broni


          Re: Bug screensaver virus
          « Reply #8 on: April 29, 2008, 07:26:16 PM »
          That error happens when you try to install which application?

          lufo4

            Topic Starter


            Rookie

            Re: Bug screensaver virus
            « Reply #9 on: April 30, 2008, 11:24:00 AM »
            The SUPERAntiSpyware application.

            Broni


            Re: Bug screensaver virus
            « Reply #10 on: April 30, 2008, 06:45:20 PM »
            Please, proceed to step #2.

            lufo4

              Topic Starter


              Rookie

              Re: Bug screensaver virus
              « Reply #11 on: April 30, 2008, 07:16:03 PM »
              I would love to, but now my network has decided not to work.

              Broni


              Re: Bug screensaver virus
              « Reply #12 on: April 30, 2008, 07:47:13 PM »
              Where are you posting from?

              lufo4

                Topic Starter


                Rookie

                Re: Bug screensaver virus
                « Reply #13 on: May 01, 2008, 04:33:36 PM »
                My second computer.

                Broni


                Re: Bug screensaver virus
                « Reply #14 on: May 01, 2008, 06:44:49 PM »
                Download Malwarebytes' Anti-Malware on the good computer, and install it on the bad computer. Same with HijackThis.

                lufo4

                  Topic Starter


                  Rookie

                  Re: Bug screensaver virus
                  « Reply #15 on: May 01, 2008, 06:51:42 PM »
                  How do I get it onto the other computer?

                  Broni


                  Re: Bug screensaver virus
                  « Reply #16 on: May 01, 2008, 06:58:10 PM »
                  CD, flash drive, memory card....

                  cptnick

                  • Guest
                  Re: Bug screensaver virus
                  « Reply #17 on: May 08, 2008, 10:49:06 AM »
                  Hi, a friend of mine has the same problem with his computer. Could I get some help with this too?

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Calm like a bomb
                  • Thanked: 493
                  • Experience: Experienced
                  • OS: Windows 11
                  Re: Bug screensaver virus
                  « Reply #18 on: May 08, 2008, 11:01:26 AM »
                  Hello cptnick. Welcome to Computer Hope.

                  In order to help you clean any malware on the computer we will need some more information from you and about the computer. Please go to this thread and read the instructions for posting the required logs.

                  Once you have the logs start a new topic. Once the logs are posted a malware specialist will be along to assist you in further removal instructions.

                  lufo4

                    Topic Starter


                    Rookie

                    Re: Bug screensaver virus
                    « Reply #19 on: May 10, 2008, 08:03:26 PM »
                    Malwarebytes won't work without an internet connection.
                    Trying HijackThis.

                    lufo4

                      Topic Starter


                      Rookie

                      Re: Bug screensaver virus
                      « Reply #20 on: May 10, 2008, 08:10:54 PM »
                      OK, HijackThis is the only one that works. Here it is.

                      BTW, sorry for the long absence; the cable company cut off the net for a bit.

                      _______________________________________ ____________________

                      Logfile of Trend Micro HijackThis v2.0.2
                      Scan saved at 8:05:22 PM, on 5/10/2008
                      Platform: Windows XP SP2 (WinNT 5.01.2600)
                      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
                      Boot mode: Normal

                      Running processes:
                      E:\WINDOWS\System32\smss.exe
                      E:\WINDOWS\system32\winlogon.exe
                      E:\WINDOWS\system32\services.exe
                      E:\WINDOWS\system32\lsass.exe
                      E:\WINDOWS\system32\svchost.exe
                      E:\WINDOWS\System32\svchost.exe
                      E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                      E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                      E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                      E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                      E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                      E:\WINDOWS\system32\svchost.exe
                      E:\WINDOWS\system32\spoolsv.exe
                      E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                      E:\WINDOWS\System32\CTsvcCDA.exe
                      E:\Program Files\NMSU\VPN Client\cvpnd.exe
                      E:\WINDOWS\TEMP\NTCA8832.exe
                      E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                      E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
                      E:\WINDOWS\system32\nvsvc32.exe
                      E:\WINDOWS\System32\svchost.exe
                      E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
                      E:\WINDOWS\System32\MsPMSPSv.exe
                      E:\Program Files\DynDNS Updater\DynDNS.exe
                      E:\WINDOWS\system32\drivers\spools.exe
                      E:\WINDOWS\system32\wuauclt.exe
                      E:\Program Files\Common Files\Symantec Shared\ccApp.exe
                      E:\Program Files\QuickTime\qttask.exe
                      E:\WINDOWS\system32\RUNDLL32.EXE
                      E:\WINDOWS\system32\rundll32.exe
                      E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                      E:\WINDOWS\TEMP\winlagon.exe
                      E:\WINDOWS\TEMP\winlagon.exe
                      E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                      E:\WINDOWS\system32\ctfmon.exe
                      E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
                      E:\WINDOWS\system32\PROMon.exe
                      E:\WINDOWS\system32\CTHELPER.EXE
                      E:\Program Files\Kuma Games\hcsystray\hc_tray.exe
                      E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
                      E:\WINDOWS\System32\NMSSvc.exe
                      E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
                      E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                      E:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
                      E:\WINDOWS\System32\svchost.exe
                      E:\WINDOWS\system32\HPZipm12.exe
                      E:\WINDOWS\explorer.exe
                      E:\DOCUME~1\jupiter\LOCALS~1\Temp\~e5d141.tmp
                      E:\DOCUME~1\jupiter\LOCALS~1\Temp\csrssc.exe
                      E:\WINDOWS\system32\msiexec.exe
                      E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
                      R3 - URLSearchHook: ScriptInocUI Class -  - (no file)
                      F3 - REG:win.ini: load=??? ?
                      F3 - REG:win.ini: run=??? ?
                      F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\Userinit.exe
                      O1 - Hosts: 124.217.252.78 secure.isoftpay.com
                      O1 - Hosts: 124.217.252.78 secure.isoftpay.com
                      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                      O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
                      O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
                      O2 - BHO: E:\WINDOWS\system32\hdxjd4g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - E:\WINDOWS\system32\hdxjd4g.dll
                      O2 - BHO: E:\WINDOWS\system32\djki397g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - E:\WINDOWS\system32\djki397g.dll
                      O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
                      O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
                      O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                      O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
                      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
                      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
                      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                      O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
                      O4 - HKLM\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe
                      O4 - HKLM\..\Run: [autoload] E:\Documents and Settings\jupiter\cftmon.exe
                      O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
                      O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                      O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
                      O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
                      O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
                      O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
                      O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
                      O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
                      O4 - HKCU\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe
                      O4 - HKCU\..\Run: [autoload] E:\Documents and Settings\jupiter\cftmon.exe
                      O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
                      O4 - HKCU\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe
                      O4 - HKCU\..\Run: [BitTorrent] "E:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
                      O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [autoload] E:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] E:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] E:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] E:\WINDOWS\TEMP\5CE8.tmp.exe (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [Windows update loader]  (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\Run: [kavir] E:\WINDOWS\kavir.exe (User 'SYSTEM')
                      O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
                      O4 - Startup: hc_tray.lnk = E:\Program Files\Kuma Games\hcsystray\hc_tray.exe
                      O4 - Startup: PowerReg Scheduler V3.exe
                      O4 - Startup: Registration .LNK = E:\Program Files\Ubisoft\Telltale Games\CSI-Hard Evidence\Register\RegistrationReminder.exe
                      O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
                      O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
                      O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
                      O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                      O8 - Extra context menu item: Open RSS Feed - E:\Program Files\Feed Mix\getlink.htm
                      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
                      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
                      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
                      O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
                      O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
                      O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
                      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
                      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
                      O20 - Winlogon Notify: crypt - E:\WINDOWS\SYSTEM32\crypts.dll
                      O20 - Winlogon Notify: __c0022FF9 - E:\WINDOWS\system32\__c0022FF9.dat
                      O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - E:\WINDOWS\system32\hdxjd4g.dll
                      O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - E:\WINDOWS\system32\djki397g.dll
                      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                      O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\ccPwdSvc.exe
                      O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                      O23 - Service: COM Host (comHost) - Symantec Corporation - E:\Program Files\Norton Internet Security\comHost.exe
                      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
                      O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\NMSU\VPN Client\cvpnd.exe
                      O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - E:\Program Files\DynDNS Updater\DynDNS.exe
                      O23 - Service: GameConsoleService - WildTangent, Inc. - E:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
                      O23 - Service: Google Online Services - Unknown owner - E:\WINDOWS\TEMP\NTCA8832.exe
                      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                      O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
                      O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
                      O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
                      O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
                      O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - E:\WINDOWS\System32\NMSSvc.exe
                      O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
                      O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
                      O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - E:\WINDOWS\system32\psrem01.exe
                      O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
                      O23 - Service: Task Scheduler (Schedule) - Unknown owner - E:\WINDOWS\system32\drivers\spools.exe
                      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                      O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                      O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
                      O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                      O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
                      O23 - Service: ZipToA - Iomega Corporation - E:\WINDOWS\System32\ZipToA.exe

                      --
                      End of file - 12609 bytes

                      Broni


                      Re: Bug screensaver virus
                      « Reply #21 on: May 10, 2008, 08:44:02 PM »
                      Look, you have a serious infection.
                      You have to run Super (even without updates) and Malwarebytes (I'm not aware of it needing an internet connection).
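
An added example, not part of Broni's post or of any tool named in the thread: a short Python triage pass over HijackThis output, showing the kind of entries in the reply #20 log that stand out on review. The sample lines are copied from that log; the heuristics (image path under a Temp directory, file name within two edits of a core Windows process name, a non-loopback Hosts entry, the DisableRegedit policy) and all function names are assumptions of this sketch, and a hit means "review this entry", not a verdict.

```python
import ntpath
import re

# Excerpt copied from the HijackThis log posted in reply #20 of this thread.
SAMPLE_LOG = r"""
Running processes:
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\TEMP\winlagon.exe
E:\DOCUME~1\jupiter\LOCALS~1\Temp\csrssc.exe
E:\WINDOWS\system32\ctfmon.exe
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] E:\Documents and Settings\jupiter\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] E:\WINDOWS\TEMP\5CE8.tmp.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Google Online Services - Unknown owner - E:\WINDOWS\TEMP\NTCA8832.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
"""

# Core Windows process names used as the reference set for lookalike checks
# (an assumed, deliberately small list for this sketch).
SYSTEM_NAMES = {
    "csrss.exe", "ctfmon.exe", "explorer.exe", "lsass.exe", "rundll32.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "svchost.exe", "userinit.exe",
    "winlogon.exe",
}

# First drive-letter path on the line, up to a known extension that is
# followed by whitespace, a quote or end of line (paths may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|dat|tmp)(?=$|[\s"])', re.I)
HOSTS_RE = re.compile(r"O1 - Hosts: (\S+) (\S+)")


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system name that `name` nearly matches, or None."""
    if name in SYSTEM_NAMES:
        return None  # exact name: not a lookalike
    best = min(SYSTEM_NAMES, key=lambda known: (edit_distance(name, known), known))
    return best if edit_distance(name, best) <= 2 else None


def triage(log_text):
    """Return [(log line, [reasons])] for lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if line.startswith("O7 ") and "DisableRegedit=1" in line:
            reasons.append("registry-editor-disabled-by-policy")
        hosts = HOSTS_RE.match(line)
        if hosts and hosts.group(1) not in ("127.0.0.1", "::1"):
            reasons.append("hosts-file-redirect")
        path = PATH_RE.search(line)
        if path:
            image = path.group(0)
            if "\\temp\\" in image.lower():
                reasons.append("runs-from-temp-dir")
            twin = lookalike_of(ntpath.basename(image).lower())
            if twin:
                reasons.append("name-resembles:" + twin)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(", ".join(why), "<-", entry)
```
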

                      lufo4

                        Topic Starter


                        Rookie

                        Re: Bug screensaver virus
                        « Reply #22 on: May 10, 2008, 08:47:05 PM »
                        super won't work, it does that one thing i explained
                        and malware bytes won't install on my computer because it says it needs an internet connection

                        Broni


                        Re: Bug screensaver virus
                        « Reply #23 on: May 10, 2008, 09:05:40 PM »
                        When you install Malwarebytes, you come to a point:
                        Quote
                        At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
                        Don't update, just Finish, and run it.

                        lufo4


                          Re: Bug screensaver virus
                          « Reply #24 on: May 10, 2008, 09:11:10 PM »
                          i have the setup file on a cd
                          i start it up and click install, the only two options are the directory, and whether or not to launch the application, when i click download it comes up with an error
                          problem with internet connection (ARM1054,12007)
                          i believe it is because malware bytes installs via download and needs the internet to install

                          lufo4


                            Re: Bug screensaver virus
                            « Reply #25 on: May 10, 2008, 09:13:20 PM »
                            never mind i have found the solution, i put the downloader on the disk instead of the actual setup file

                            Broni


                            Re: Bug screensaver virus
                            « Reply #26 on: May 10, 2008, 09:16:31 PM »
                            Hold on for a moment...

                            Broni


                            Re: Bug screensaver virus
                            « Reply #27 on: May 10, 2008, 09:24:54 PM »
                            You're doing something wrong.
                            I just reinstalled it on my computer, and at no point does it ask for an internet connection, unless I want to run updates.
                            You're starting with double-clicking on the mbam-setup.exe file, right?
                            The first screen asks you to select a language, and in the next screen, installation starts.
                            The very last screen looks like this:

                            Uncheck Update, keep Launch checked, and click Finish.
                            Now, tell me, if you're going through the very same steps, at what point are you asked for an internet connection?

                            Broni


                            Re: Bug screensaver virus
                            « Reply #28 on: May 10, 2008, 09:25:43 PM »
                            Quote
                            i put the downloader on the disk instead of the actual setup file
                            grrrrrrrrrrrrrrrrrrrrrrrrrrrrr

                            Broni


                            Re: Bug screensaver virus
                            « Reply #29 on: May 10, 2008, 09:26:41 PM »
                            Run it, give me its log.
                            Restart the computer, and run a fresh HJT log.

                            lufo4


                              Re: Bug screensaver virus
                              « Reply #30 on: May 11, 2008, 11:59:06 AM »
                              the log is too large for a single post
                              here is part 1


                              ____________________________________________

                              Malwarebytes' Anti-Malware 1.12
                              Database version: 722

                              Scan type: Full Scan (C:\|E:\|)
                              Objects scanned: 407932
                              Time elapsed: 2 hour(s), 43 minute(s), 22 second(s)

                              Memory Processes Infected: 1
                              Memory Modules Infected: 5
                              Registry Keys Infected: 49
                              Registry Values Infected: 14
                              Registry Data Items Infected: 0
                              Folders Infected: 45
                              Files Infected: 155

                              Memory Processes Infected:
                              e:\WINDOWS\system32\drivers\spools.exe (Worm.Socks) -> Unloaded process successfully.

                              Memory Modules Infected:
                              e:\WINDOWS\system32\crypts.dll (Trojan.Downloader) -> Unloaded module successfully.
                              E:\WINDOWS\system32\hdxjd4g.dll (Trojan.Agent) -> Unloaded module successfully.
                              E:\WINDOWS\system32\djki397g.dll (Trojan.Agent) -> Unloaded module successfully.
                              E:\WINDOWS\system32\__c0022FF9.dat (Trojan.Agent) -> Unloaded module successfully.
                              E:\WINDOWS\system32\basenpnv32.dll (Trojan.Downloader) -> Unloaded module successfully.

                              Registry Keys Infected:
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedule (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\schedule (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\schedule (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedule (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\CLSID\{B5AC49A2-94F2-42BD-F434-2604812C897D} (Trojan.Zlob) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D} (Trojan.Zlob) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\CLSID\{f2f2a4cb-daad-4d0c-bdfc-e945647202c2} (Trojan.BHO) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b5ac49a2-94f2-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b5af0562-94f3-42bd-f434-2604812c797d} (Trojan.Agent) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{43382522-a846-46f4-ac57-1f71ae6e1086} (Adware.WhenUSave) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0} (Adware.WhenUSave) -> Quarantined and deleted successfully.
                              HKEY_CLASSES_ROOT\Interface\{72a836d1-bc00-43c0-a941-17960e4fb842} (Adware.WhenUSave) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cjp74 (Trojan.Downloader) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cjp74 (Trojan.Downloader) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cjp74 (Trojan.Downloader) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cjp74 (Trojan.Downloader) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\starware337 (Adware.Starware) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services (Trojan.Agent) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0022ff9 (Trojan.Agent) -> Delete on reboot.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.

                              Registry Values Infected:
                              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{B5AC49A2-94F2-42BD-F434-2604812C897D} (Trojan.Zlob) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{B5AF0562-94F3-42BD-F434-2604812C797D} (Trojan.Zlob) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Worm.Socks) -> Quarantined and deleted successfully.
                              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Agent) -> Quarantined and deleted successfully.
                              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hhjg5jfd93dftdf (Trojan.Downloader) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
                              HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kavir (Trojan.Agent) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows update loader (Trojan.FakeAlert) -> Quarantined and deleted successfully.
                              HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

                              ____________________________________________


                              lufo4


                                Re: Bug screensaver virus
                                « Reply #31 on: May 11, 2008, 12:01:05 PM »
                                here is part 2

                                ____________________________________________
                                Registry Data Items Infected:
                                (No malicious items detected)

                                Folders Infected:
                                E:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                E:\Program Files\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Program Files\Starware337\bin (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Program Files\Starware337\icons (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\All Users\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\All Users\Application Data\Starware337\buttons (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\All Users\Application Data\Starware337\contexts (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\All Users\Application Data\Starware337\images (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337 (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Games (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Manager (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Movies (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Recipes (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\RecipeSearch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Reference (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\SearchAssistPlus (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\SearchMatch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Weather (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
                                E:\Documents and Settings\jupiter\Application Data\Starware337\SearchMatch\searchMatchPages (Adware.Starware) -> Quarantined and deleted successfully.

                                part 3 comes next

                                ____________________________________________


                                lufo4


                                  Re: Bug screensaver virus
                                  « Reply #32 on: May 11, 2008, 12:02:19 PM »
                                  here is part 3

                                  ____________________________________________

                                  Files Infected:
                                  e:\WINDOWS\system32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
                                  e:\WINDOWS\system32\drivers\spools.exe (Worm.Socks) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\hdxjd4g.dll (Trojan.Zlob) -> Delete on reboot.
                                  E:\WINDOWS\system32\djki397g.dll (Trojan.Zlob) -> Delete on reboot.
                                  E:\Documents and Settings\jupiter\cftmon.exe (Worm.Socks) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\LocalService\cftmon.exe (Worm.Socks) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\csrssc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\winlagon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  c:\autoex.dll (Trojan.BHO) -> Quarantined and deleted successfully.
                                  C:\everything else like windows stuff\New Folder\Setup.exe (Adware.Zango) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Local Settings\Temp\2839312628.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Local Settings\Temp\749B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Local Settings\Temp\csrssc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                                  E:\Program Files\HP Games\Star Defender 4\sqlite3.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
                                  E:\System Volume Information\_restore{F32A7D6C-7F82-4E40-82A8-63C3A783E380}\RP2\A0000014.exe (Worm.Socks) -> Quarantined and deleted successfully.
                                  E:\System Volume Information\_restore{F32A7D6C-7F82-4E40-82A8-63C3A783E380}\RP4\A0000077.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\System Volume Information\_restore{F32A7D6C-7F82-4E40-82A8-63C3A783E380}\RP4\A0000398.dll (Trojan.DownLoader) -> Quarantined and deleted successfully.
                                  E:\System Volume Information\_restore{F32A7D6C-7F82-4E40-82A8-63C3A783E380}\RP4\A0000423.exe (Worm.Socks) -> Quarantined and deleted successfully.
                                  E:\System Volume Information\_restore{F32A7D6C-7F82-4E40-82A8-63C3A783E380}\RP6\A0000487.exe (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb427.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb449.exe (Trojan.Inject) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb472.exe (BackDoor.Bech) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb534.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb563.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb573.exe (Trojan.BHO) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb574.exe (Worm.Socks) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\kezb576.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\wind32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\system32\drivers\Cjp74.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\5CE8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\7755.tmp (Trojan.DownLoader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\836187518.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\A08A.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\loader.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\Temp\win32.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
                                  E:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                  E:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                  E:\Program Files\Starware337\brand.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Program Files\Starware337\Starware337Config.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Program Files\Starware337\Starware337Uninstall.exe (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Program Files\Starware337\bin\Starware337.dll (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Program Files\Starware337\icons\star_16.ico (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiRSS.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiRSS.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiSearch.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\epiSearch.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\images\walert.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\All Users\Application Data\Starware337\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Recipes\RecipesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Recipes\RecipesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\RecipeSearch\RecipeSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\SearchAssistPlus\SearchAssistPlusOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\SearchAssistPlus\SearchAssistPlusOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\SearchMatch\SearchMatchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\SearchMatch\SearchMatchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\Documents and Settings\jupiter\Application Data\Starware337\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\nivavir.config (Trojan.Agent) -> Quarantined and deleted successfully.
                                  E:\WINDOWS\kavir.exe (Trojan.Agent) -> Quarantined and deleted successfully.

                                  part 4 is next
                                  _______________________________________ ________________________


                                  lufo4


                                    Re: Bug screensaver virus
                                    « Reply #33 on: May 11, 2008, 12:02:54 PM »
                                    part 4

                                    _______________________________________ ________-

                                    E:\WINDOWS\system32\drivers\qandr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c0012A5B.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c0022FF9.dat (Trojan.Agent) -> Delete on reboot.
                                    E:\WINDOWS\system32\__c002C55C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c003F351.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c0047B06.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c005EE10.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c0067F24.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c006999E.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c007798A.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c00A8F90.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c00B491.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c00BD6A1.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c00C710C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c00DC690.dat (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\basekdgtv32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\Help\oqtxde.chm (Rootkit.Rustok) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\ctfmona.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\basenpnv32.dll (Trojan.Downloader) -> Delete on reboot.
                                    E:\WINDOWS\system32\lost.exe.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\dllgh8jkd1q1.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\dllgh8jkd1q2.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\dllgh8jkd1q5.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\dllgh8jkd1q6.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\dllgh8jkd1q7.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\dllgh8jkd1q8.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\maxpaynowti1.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\__c004B1A3.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\vx.tll (Malware.Trace) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\Temp\1.dllb (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\Temp\2.dllb (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\Temp\5.dllb (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\Temp\6.dllb (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\Temp\7.dllb (Heuristics.Malware) -> Quarantined and deleted successfully.
                                    E:\WINDOWS\system32\svchost.t__ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

                                    Broni


                                    Re: Bug screensaver virus
                                    « Reply #34 on: May 11, 2008, 12:04:24 PM »
                                    That's it? It was quite a bit :)
                                    Fresh HJT log, please.

                                    kidjete



                                      Starter

                                      Re: Bug screensaver virus
                                      « Reply #35 on: May 21, 2008, 01:39:49 AM »
                                      I had a similar problem and followed your steps.  Would you mind taking a look at my logs?  I couldn't find the SAS log after I rebooted from safe mode after running it, I forgot to save it I think.  SAS and Malwarebytes both found and deleted files.  I'm not real familiar with HJT so I just ran the log and didn't touch anything else yet.   Anyway here's the Malwarebytes' and HJT logs...



                                      Malwarebytes' Anti-Malware 1.12
                                      Database version: 772

                                      Scan type: Full Scan (C:\|)
                                      Objects scanned: 198636
                                      Time elapsed: 1 hour(s), 9 minute(s), 12 second(s)

                                      Memory Processes Infected: 0
                                      Memory Modules Infected: 1
                                      Registry Keys Infected: 2
                                      Registry Values Infected: 1
                                      Registry Data Items Infected: 0
                                      Folders Infected: 0
                                      Files Infected: 3

                                      Memory Processes Infected:
                                      (No malicious items detected)

                                      Memory Modules Infected:
                                      C:\WINDOWS\system32\baseksqn32.dll (Trojan.Downloader) -> Unloaded module successfully.

                                      Registry Keys Infected:
                                      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysLibrary (Rootkit.Agent) -> Quarantined and deleted successfully.
                                      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

                                      Registry Values Infected:
                                      HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\herjek (Trojan.Agent) -> Quarantined and deleted successfully.

                                      Registry Data Items Infected:
                                      (No malicious items detected)

                                      Folders Infected:
                                      (No malicious items detected)

                                      Files Infected:
                                      C:\Program Files\Absolute Poker\browser.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                                      C:\WINDOWS\herjek.exe (Trojan.Agent) -> Quarantined and deleted successfully.
                                      C:\WINDOWS\system32\baseksqn32.dll (Trojan.Downloader) -> Delete on reboot.






                                      Logfile of Trend Micro HijackThis v2.0.2
                                      Scan saved at 3:32:33 AM, on 5/21/2008
                                      Platform: Windows XP SP3 (WinNT 5.01.2600)
                                      MSIE: Internet Explorer v7.00 (7.00.6000.16640)
                                      Boot mode: Normal

                                      Running processes:
                                      C:\WINDOWS\System32\smss.exe
                                      C:\WINDOWS\system32\winlogon.exe
                                      C:\WINDOWS\system32\services.exe
                                      C:\WINDOWS\system32\lsass.exe
                                      C:\WINDOWS\system32\Ati2evxx.exe
                                      C:\WINDOWS\system32\svchost.exe
                                      C:\WINDOWS\System32\svchost.exe
                                      C:\WINDOWS\system32\Ati2evxx.exe
                                      C:\WINDOWS\system32\spoolsv.exe
                                      C:\Program Files\Bonjour\mDNSResponder.exe
                                      C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                      C:\WINDOWS\runservice.exe
                                      C:\Program Files\McAfee\Common Framework\FrameworkService.exe
                                      C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
                                      C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
                                      C:\WINDOWS\System32\svchost.exe
                                      C:\Program Files\TVersity\Media Server\MediaServer.exe
                                      C:\Program Files\Viewpoint\Common\ViewpointService.exe
                                      C:\WINDOWS\Explorer.EXE
                                      C:\WINDOWS\SOUNDMAN.EXE
                                      C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
                                      C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
                                      C:\Program Files\Logitech\MouseWare\system\em_exec.exe
                                      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
                                      C:\Program Files\McAfee\Common Framework\UdaterUI.exe
                                      C:\WINDOWS\system32\ctfmon.exe
                                      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                      C:\Program Files\McAfee\Common Framework\McTray.exe
                                      C:\Program Files\VIA\RAID\raid_tool.exe
                                      C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                                      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
                                      C:\Program Files\Internet Explorer\iexplore.exe
                                      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://flashmail.kent.edu/
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
                                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                                      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.kent.edu/
                                      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                                      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                                      O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
                                      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                                      O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
                                      O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
                                      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
                                      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
                                      O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
                                      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                                      O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                                      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
                                      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                                      O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
                                      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
                                      O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
                                      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
                                      O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
                                      O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
                                      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                                      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                      O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                                      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                      O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
                                      O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                                      O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                                      O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                                      O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                                      O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                                      O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                                      O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                                      O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                                      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                                      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
                                      O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Chad Muniz\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
                                      O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Chad Muniz\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
                                      O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\System32\shdocvw.dll
                                      O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\System32\shdocvw.dll
                                      O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
                                      O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
                                      O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\System32\shdocvw.dll
                                      O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\System32\shdocvw.dll
                                      O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\System32\shdocvw.dll
                                      O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\System32\shdocvw.dll
                                      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                                      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                                      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
                                      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                                      O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
                                      O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
                                      O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
                                      O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
                                      O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
                                      O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
                                      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                                      O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
                                      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                                      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                                      O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                                      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                                      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                                      O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
                                      O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
                                      O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
                                      O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
                                      O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
                                      O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
                                      O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
                                      O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

                                      --
                                      End of file - 11591 bytes

                                      evilfantasy

                                      • Malware Removal Specialist
                                      • Moderator


                                      • Genius
                                      • Calm like a bomb
                                      • Thanked: 493
                                      • Experience: Experienced
                                      • OS: Windows 11
                                      Re: Bug screensaver virus
                                      « Reply #36 on: May 21, 2008, 09:54:42 AM »
                                      kidjete, start a new topic in this forum and post the logs there. We can't work on your logs in the same thread. You need your own topic.

                                      kidjete



                                        Starter

                                        Re: Bug screensaver virus
                                        « Reply #37 on: May 21, 2008, 02:14:32 PM »
                                        Quote from: evilfantasy
                                            kidjete, start a new topic in this forum and post the logs there. We can't work on your logs in the same thread. You need your own topic.

                                        Why not? That doesn't make a lot of sense. We had the same issue; why not use the same thread so there is more than one example? Whatever though, I'll post a new thread.

                                        mcxeb52!

                                        • Guest
                                        Re: Bug screensaver virus
                                        « Reply #38 on: May 21, 2008, 10:19:27 PM »
                                        Quote from: kidjete
                                            Quote from: evilfantasy
                                                kidjete, start a new topic in this forum and post the logs there. We can't work on your logs in the same thread. You need your own topic.

                                            Why not? That doesn't make a lot of sense. We had the same issue; why not use the same thread so there is more than one example? Whatever though, I'll post a new thread.

                                        One needs his own thread. His own computer logs may confuse the original poster. Make your own post and the other guy shall be directed to the new post if needed.

                                        sallymae

                                        • Guest
                                        Re: Bug screensaver virus
                                        « Reply #39 on: May 23, 2008, 02:40:34 PM »
                                        I had this same thing happen on a system where I work.  I found out it was a screensaver named blackster.scr from a screensaver program on the Internet named Bugs 2.0.2.  I found the entry in the registry where it was running the screensaver blackster.scr and replaced it with ssstars.scr from Windows.  Then I deleted the blackster.scr file from the system.  The original virus was ctfmona.exe which I also had to manually remove from the system.  We run Trend Micro Office Scan Virus Protection and it caught it but could not quarantine it.  After I removed the virus and got clean scans, I still had the screensaver issue.  Now that I have removed it, I am hoping the system is really clean now.  Time will tell.

                                        evilfantasy

                                        Re: Bug screensaver virus
                                        « Reply #40 on: May 23, 2008, 03:38:13 PM »
                                        Welcome to CH sallymae.

                                        The best way to find out if you are clean is to start a new topic. Click here and post a HijackThis log for a malware specialist to look at.

                                        Download and rename HijackThis (HJT)
                                        • Double-click on HJTInstall.
                                        • Click on the Install button.
                                        • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
                                        • Upon install, HijackThis should open for you.
                                        • Close HijackThis and rename it.
                                        • Go to C:\Program Files\Trend Micro\HijackThis.exe
                                        • Right click on HijackThis.exe and select Rename.
                                        • Type in sniper.exe and press Enter.
                                        • Right-click on sniper.exe and select Send To > Desktop (create shortcut).
                                        • From the desktop, open HijackThis.
                                        • If using Windows Vista, right-click and select Run As Administrator.
                                        • Click on the "Do a system scan and save a log file" button.
                                        • HijackThis will scan and then a log will open in Notepad.
                                        • Copy and then paste the entire contents of the log in your post.
                                        • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
                                        Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.
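
An added example (not part of the thread and not HijackThis's own code): a small Python triage helper for the log format posted earlier in this topic. It groups entries by section code and lists the two kinds of entry the log itself marks as unidentified, "Unknown owner" services and "Unknown file in Winsock LSP", as candidates for a specialist to check, not as verdicts. The sample lines are copied from that log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
--
End of file - 11591 bytes
"""

# "<code> - <body>", e.g. "O23 - Service: ...". Codes are a letter plus 1-2 digits.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# O23 body: "Service: <name> - <owner> - <path starting with a drive letter>"
SERVICE = re.compile(r"^Service: (.+) - (.+?) - ([A-Za-z]:\\.*)$")


def parse_log(text):
    """Group HijackThis entries by section code (O4, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header lines, "--" and the "End of file" footer do not match
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def review_candidates(sections):
    """Return (code, reason, path) tuples for entries the log marks as unidentified."""
    out = []
    for body in sections.get("O23", []):
        m = SERVICE.match(body)
        if m and m.group(2).lower() == "unknown owner":
            out.append(("O23", "service owner not identified", m.group(3)))
    for body in sections.get("O10", []):
        if body.lower().startswith("unknown file in winsock lsp"):
            out.append(("O10", "unrecognised Winsock LSP file", body.split(": ", 1)[1]))
    return out


if __name__ == "__main__":
    for code, reason, path in review_candidates(parse_log(SAMPLE_LOG)):
        print(f"{code}: {reason}: {path}")
```

An entry listed here is only a prompt to look up the file; as the post above says, most of what HijackThis finds is harmless or even required.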

                                        CBMatt

                                        • Mod & Malware Specialist


                                        • Prodigy

                                        • Sad and lonely...and loving every minute of it.
                                        • Thanked: 167
                                          • Yes
                                        • Experience: Experienced
                                        • OS: Windows 7
                                        Quote
                                        An undefined problem has an infinite number of solutions.
                                        —Robert A. Humphrey