Author Topic: Bug screensaver virus  (Read 29776 times)

lufo4

    Topic Starter


    Rookie

    Re: Bug screensaver virus
    « Reply #15 on: May 01, 2008, 06:51:42 PM »
    How do I get it onto the other computer?

    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: Bug screensaver virus
    « Reply #16 on: May 01, 2008, 06:58:10 PM »
    CD, flash drive, memory card....

    cptnick

    • Guest
    Re: Bug screensaver virus
    « Reply #17 on: May 08, 2008, 10:49:06 AM »
    Hi, a friend of mine has the same problem with his computer. Could I get some help with this too?

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Bug screensaver virus
    « Reply #18 on: May 08, 2008, 11:01:26 AM »
    Hello cptnick. Welcome to Computer Hope.

    In order to help you clean any malware on the computer, we will need some more information from you and about the computer. Please go to this thread and read the instructions for posting the required logs.

    Once you have the logs, start a new topic. Once the logs are posted, a malware specialist will be along to assist you with further removal instructions.

    lufo4


      Re: Bug screensaver virus
      « Reply #19 on: May 10, 2008, 08:03:26 PM »
      Malwarebytes won't work without an internet connection.
      Trying HijackThis.

      lufo4


        Re: Bug screensaver virus
        « Reply #20 on: May 10, 2008, 08:10:54 PM »
        OK, HijackThis is the only one that works. Here it is.

        BTW, sorry for the long absence, the cable company cut off the net for a bit.

        _______________________________________ ____________________

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 8:05:22 PM, on 5/10/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        E:\WINDOWS\System32\smss.exe
        E:\WINDOWS\system32\winlogon.exe
        E:\WINDOWS\system32\services.exe
        E:\WINDOWS\system32\lsass.exe
        E:\WINDOWS\system32\svchost.exe
        E:\WINDOWS\System32\svchost.exe
        E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
        E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        E:\WINDOWS\system32\svchost.exe
        E:\WINDOWS\system32\spoolsv.exe
        E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        E:\WINDOWS\System32\CTsvcCDA.exe
        E:\Program Files\NMSU\VPN Client\cvpnd.exe
        E:\WINDOWS\TEMP\NTCA8832.exe
        E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
        E:\WINDOWS\system32\nvsvc32.exe
        E:\WINDOWS\System32\svchost.exe
        E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
        E:\WINDOWS\System32\MsPMSPSv.exe
        E:\Program Files\DynDNS Updater\DynDNS.exe
        E:\WINDOWS\system32\drivers\spools.exe
        E:\WINDOWS\system32\wuauclt.exe
        E:\Program Files\Common Files\Symantec Shared\ccApp.exe
        E:\Program Files\QuickTime\qttask.exe
        E:\WINDOWS\system32\RUNDLL32.EXE
        E:\WINDOWS\system32\rundll32.exe
        E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
        E:\WINDOWS\TEMP\winlagon.exe
        E:\WINDOWS\TEMP\winlagon.exe
        E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
        E:\WINDOWS\system32\ctfmon.exe
        E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        E:\WINDOWS\system32\PROMon.exe
        E:\WINDOWS\system32\CTHELPER.EXE
        E:\Program Files\Kuma Games\hcsystray\hc_tray.exe
        E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        E:\WINDOWS\System32\NMSSvc.exe
        E:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
        E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
        E:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
        E:\WINDOWS\System32\svchost.exe
        E:\WINDOWS\system32\HPZipm12.exe
        E:\WINDOWS\explorer.exe
        E:\DOCUME~1\jupiter\LOCALS~1\Temp\~e5d141.tmp
        E:\DOCUME~1\jupiter\LOCALS~1\Temp\csrssc.exe
        E:\WINDOWS\system32\msiexec.exe
        E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
        R3 - URLSearchHook: ScriptInocUI Class -  - (no file)
        F3 - REG:win.ini: load=??? ?
        F3 - REG:win.ini: run=??? ?
        F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\Userinit.exe
        O1 - Hosts: 124.217.252.78 secure.isoftpay.com
        O1 - Hosts: 124.217.252.78 secure.isoftpay.com
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
        O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
        O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
        O2 - BHO: E:\WINDOWS\system32\hdxjd4g.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - E:\WINDOWS\system32\hdxjd4g.dll
        O2 - BHO: E:\WINDOWS\system32\djki397g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - E:\WINDOWS\system32\djki397g.dll
        O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
        O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
        O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
        O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
        O4 - HKLM\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe
        O4 - HKLM\..\Run: [autoload] E:\Documents and Settings\jupiter\cftmon.exe
        O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
        O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
        O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
        O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
        O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
        O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
        O4 - HKCU\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe
        O4 - HKCU\..\Run: [autoload] E:\Documents and Settings\jupiter\cftmon.exe
        O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
        O4 - HKCU\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe
        O4 - HKCU\..\Run: [BitTorrent] "E:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
        O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [autoload] E:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] E:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] E:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] E:\WINDOWS\TEMP\5CE8.tmp.exe (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [Windows update loader]  (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\Run: [kavir] E:\WINDOWS\kavir.exe (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] E:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
        O4 - Startup: hc_tray.lnk = E:\Program Files\Kuma Games\hcsystray\hc_tray.exe
        O4 - Startup: PowerReg Scheduler V3.exe
        O4 - Startup: Registration .LNK = E:\Program Files\Ubisoft\Telltale Games\CSI-Hard Evidence\Register\RegistrationReminder.exe
        O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
        O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
        O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
        O8 - Extra context menu item: Open RSS Feed - E:\Program Files\Feed Mix\getlink.htm
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: e:\windows\system32\nwprovau.dll
        O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
        O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
        O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
        O20 - Winlogon Notify: crypt - E:\WINDOWS\SYSTEM32\crypts.dll
        O20 - Winlogon Notify: __c0022FF9 - E:\WINDOWS\system32\__c0022FF9.dat
        O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - E:\WINDOWS\system32\hdxjd4g.dll
        O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - E:\WINDOWS\system32\djki397g.dll
        O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
        O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
        O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\ccPwdSvc.exe
        O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
        O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
        O23 - Service: COM Host (comHost) - Symantec Corporation - E:\Program Files\Norton Internet Security\comHost.exe
        O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
        O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\NMSU\VPN Client\cvpnd.exe
        O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - E:\Program Files\DynDNS Updater\DynDNS.exe
        O23 - Service: GameConsoleService - WildTangent, Inc. - E:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
        O23 - Service: Google Online Services - Unknown owner - E:\WINDOWS\TEMP\NTCA8832.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
        O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
        O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
        O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - E:\WINDOWS\System32\NMSSvc.exe
        O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
        O23 - Service: CD Guard Drivers Auto Removal (v1) (psrem01) - Protection Technology - E:\WINDOWS\system32\psrem01.exe
        O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
        O23 - Service: Task Scheduler (Schedule) - Unknown owner - E:\WINDOWS\system32\drivers\spools.exe
        O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
        O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
        O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
        O23 - Service: Symantec Core LC - Unknown owner - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
        O23 - Service: ZipToA - Iomega Corporation - E:\WINDOWS\System32\ZipToA.exe

        --
        End of file - 12609 bytes

        Broni


        Re: Bug screensaver virus
        « Reply #21 on: May 10, 2008, 08:44:02 PM »
        Look, you have a serious infection.
        You have to run Super (even without updates), and Malwarebytes (I'm not aware of it needing an internet connection).
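
Added example, not part of the original thread and not the helpers' own analysis: a short Python triage pass over a few O4/O23 lines copied from the HijackThis log in Reply #20. It flags autostart entries that run from a temp directory or whose file name closely imitates a genuine Windows process name. The list of genuine names and the similarity threshold are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a handful of lines copied from the log posted in Reply #20.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntuser] E:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] E:\Documents and Settings\jupiter\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Hhjg5jfd93dftdf] E:\WINDOWS\TEMP\winlagon.exe (User 'SYSTEM')
O23 - Service: Google Online Services - Unknown owner - E:\WINDOWS\TEMP\NTCA8832.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: reference list of genuine Windows process names (not from the thread).
KNOWN_SYSTEM = ["winlogon.exe", "csrss.exe", "ctfmon.exe", "spoolsv.exe",
                "svchost.exe", "lsass.exe", "services.exe", "smss.exe"]

ENTRY = re.compile(r"^(O4|O23) - (.*)$")            # autorun and service sections
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def lookalike(name, threshold=0.85):
    """Return the genuine name that `name` nearly matches, or None."""
    if name in KNOWN_SYSTEM:
        return None  # exact match is the real name, not an imitation
    best = max(KNOWN_SYSTEM, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def triage(log_text):
    """Return [(path, [reasons])] for O4/O23 entries that trip a heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        found = EXE_PATH.search(entry.group(2))
        if not found:
            continue  # entry has no executable path (e.g. an empty Run value)
        path = found.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\temp\\" in path.lower():
            reasons.append("autostart from a temp directory")
        twin = lookalike(name)
        if twin:
            reasons.append(f"name imitates {twin}")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}: {'; '.join(reasons)}")
```

A flagged entry is a lead for the removal tools and the helper's review, not a verdict; an unflagged entry is not cleared by this check either.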

        lufo4


          Re: Bug screensaver virus
          « Reply #22 on: May 10, 2008, 08:47:05 PM »
          Super won't work, it does that one thing I explained,
          and Malwarebytes won't install on my computer because it says it needs an internet connection.

          Broni


          Re: Bug screensaver virus
          « Reply #23 on: May 10, 2008, 09:05:40 PM »
          When you install Malwarebytes, you come to a point:
          Quote
          At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
          Don't update, just Finish, and run it.

          lufo4


            Re: Bug screensaver virus
            « Reply #24 on: May 10, 2008, 09:11:10 PM »
            I have the setup file on a CD.
            I start it up and click install; the only two options are the directory and whether or not to launch the application. When I click download it comes up with an error:
            problem with internet connection (ARM1054,12007)
            I believe it is because Malwarebytes installs via download and needs the internet to install.

            lufo4


              Re: Bug screensaver virus
              « Reply #25 on: May 10, 2008, 09:13:20 PM »
              Never mind, I have found the solution: I put the downloader on the disk instead of the actual setup file.

              Broni


              Re: Bug screensaver virus
              « Reply #26 on: May 10, 2008, 09:16:31 PM »
              Hold on for a moment...

              Broni


              Re: Bug screensaver virus
              « Reply #27 on: May 10, 2008, 09:24:54 PM »
              You're doing something wrong.
              I just reinstalled it on my computer, and at no point does it ask for an internet connection, unless I want to run updates.
              You're starting by double-clicking on the mbam-setup.exe file, right?
              The first screen asks you to select a language, and in the next screen, installation starts.
              The very last screen looks like this:

              Uncheck Update, keep Launch checked, and click Finish.
              Now, tell me, if you're going through the very same steps, at what point are you asked for an internet connection?

              Broni


              Re: Bug screensaver virus
              « Reply #28 on: May 10, 2008, 09:25:43 PM »
              Quote
              I put the downloader on the disk instead of the actual setup file
              grrrrrrrrrrrrrrrrrrrrrrrrrrrrr

              Broni


              Re: Bug screensaver virus
              « Reply #29 on: May 10, 2008, 09:26:41 PM »
              Run it, and give me its log.
              Restart the computer, and run a fresh HJT log.