Spyware Infection - Pop ups, software being installed, icon tray icons etc.

Status
Not open for further replies.
I have some spyware on my PC and have tried about 5 anti-spyware programs to get rid of it. I have done HijackThis, CCleaner, everything, and it is still there.

It has a yellow sign in my icon tray as well as a red one advising their OWN spyware.

It also puts links to porn sites on my desktop as well as advising and installing its own program.

Here is the HijackThis file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:22, on 21/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\WINDOWS\system32\wpabaln.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
F:\Program Files\Spyware Doctor\pctsGui.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NVMixerTray] "F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://F:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4047 bytes

I removed http as I can't post links.
 
Combofix Log PART 1.
ComboFix 08-02-21 - Kyle Stephenson-Wood 2008-02-21 11:49:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.698 [GMT 0:00]
Running from: F:\Documents and Settings\Kyle Stephenson-Wood\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\printer.exe
F:\Documents and Settings\Kyle Stephenson-Wood\install.exe
F:\Program Files\ucleaner_setup.exe
F:\WINDOWS\system32\cfxvajfd.dll
F:\WINDOWS\system32\ggjlm.ini2
F:\WINDOWS\system32\mcrh.tmp
F:\WINDOWS\system32\ntload.sys
F:\WINDOWS\system32\nwqxiqcs.dll
F:\WINDOWS\system32\scqixqwn.ini
F:\WINDOWS\system32\wowfx.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-21 11:59 . 2008-02-21 11:59 268 --ah----- F:\sqmdata00.sqm
2008-02-21 11:59 . 2008-02-21 11:59 244 --ah----- F:\sqmnoopt00.sqm
2008-02-21 11:31 . 2008-02-21 11:35 <DIR> d-------- F:\Program Files\Spyware Doctor
2008-02-21 11:31 . 2008-02-21 11:31 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\PC Tools
2008-02-21 11:31 . 2008-02-21 12:02 <DIR> d-a------ F:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 11:31 . 2007-12-10 14:53 81,288 --a------ F:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-21 11:31 . 2007-12-10 14:53 66,952 --a------ F:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-21 11:31 . 2007-12-10 14:53 41,864 --a------ F:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-21 11:31 . 2007-12-10 14:53 29,576 --a------ F:\WINDOWS\system32\drivers\kcom.sys
2008-02-21 10:32 . 2008-02-21 10:32 <DIR> d-------- F:\Program Files\LSoft Technologies
2008-02-21 10:27 . 2008-02-21 11:13 <DIR> d-------- F:\Program Files\Video DVD Maker
2008-02-21 09:51 . 2008-02-21 11:15 <DIR> d-------- F:\Program Files\EasySpywareCleaner
2008-02-21 09:51 . 2008-02-21 09:51 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\EasySpywareCleaner.com
2008-02-21 09:50 . 2008-02-21 09:50 15,872 --a------ F:\Program Files\tmp100203.exe
2008-02-20 22:59 . 2008-02-20 22:59 <DIR> d-------- F:\Program Files\SysCleaner
2008-02-20 22:48 . 2008-02-20 22:48 15,872 --a------ F:\Program Files\tmp5565015.exe
2008-02-20 21:14 . 2008-02-20 21:14 <DIR> d-------- F:\VundoFix Backups
2008-02-20 21:10 . 2008-02-20 21:10 <DIR> d-------- F:\Program Files\Trend Micro
2008-02-20 21:02 . 2008-02-20 22:16 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\.housecall6.6
2008-02-20 21:02 . 2008-02-20 21:02 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-20 21:01 . 2008-02-20 21:01 <DIR> d-------- F:\WINDOWS\Sun
2008-02-20 21:01 . 2008-02-20 21:01 <DIR> d-------- F:\Program Files\Java
2008-02-20 21:01 . 2007-09-24 23:31 69,632 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-02-20 21:00 . 2008-02-20 21:00 <DIR> d-------- F:\Program Files\Common Files\Java
2008-02-20 20:57 . 2008-02-20 20:57 <DIR> d-------- F:\Program Files\Yahoo!
2008-02-20 20:57 . 2008-02-20 20:57 <DIR> d-------- F:\Program Files\CCleaner
2008-02-20 20:55 . 2008-02-20 20:55 0 --a------ F:\WINDOWS\system32\wscmp.dll.tmp
2008-02-20 20:53 . 2008-02-20 20:53 0 --a------ F:\WINDOWS\system32\sex2.ico.tmp
2008-02-20 20:52 . 2008-02-20 20:52 15,872 --a------ F:\Program Files\tmp131375.exe
2008-02-20 20:52 . 2008-02-20 20:52 15,872 --a------ F:\Program Files\tmp129375.exe
2008-02-20 20:52 . 2008-02-20 20:52 15,872 --a------ F:\Program Files\tmp129296.exe
2008-02-20 20:52 . 2008-02-20 20:52 0 --a------ F:\WINDOWS\system32\sex1.ico.tmp
2008-02-20 19:29 . 2008-02-20 19:29 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2008-02-20 19:29 . 2008-02-20 19:29 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\Grisoft
2008-02-20 19:29 . 2008-02-20 19:36 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 19:28 . 2008-02-20 19:28 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 19:28 . 2007-05-30 12:10 10,872 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-20 19:22 . 2008-02-20 19:22 3,262 --a------ F:\WINDOWS\system32\sex2.ico
2008-02-20 19:21 . 2008-02-20 19:21 15,872 --a------ F:\Program Files\tmp7012312.exe
2008-02-20 19:21 . 2008-02-20 19:21 3,262 --a------ F:\WINDOWS\system32\sex1.ico
2008-02-20 19:20 . 2008-02-20 19:20 15,872 --a------ F:\Program Files\tmp6968531.exe
2008-02-20 19:20 . 2008-02-20 19:20 15,872 --a------ F:\Program Files\tmp6967546.exe
2008-02-20 19:20 . 2008-02-20 19:20 15,872 --a------ F:\Program Files\tmp6967531.exe
2008-02-20 19:19 . 2008-02-19 20:16 53,760 --a------ F:\Documents and Settings\Kyle Stephenson-Wood\keygen.exe
2008-02-20 19:19 . 2008-02-20 19:19 39,936 --a------ F:\WINDOWS\system32\hggfdba.dll.vir
2008-02-20 19:19 . 2008-02-20 19:19 24,576 --a------ F:\WINDOWS\system32\winjyp32.dll
2008-02-20 19:19 . 2008-02-12 14:45 43 --a------ F:\Documents and Settings\Kyle Stephenson-Wood\RUNME.bat
2008-02-20 11:08 . 2008-02-20 11:08 <DIR> d-------- F:\Program Files\FM Modifier 2.2
2008-02-19 23:47 . 2008-02-19 23:47 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\vlc
2008-02-19 23:24 . 2008-02-19 23:24 <DIR> d-------- F:\Program Files\VideoLAN
2008-02-18 20:28 . 2007-07-30 19:19 271,224 --a------ F:\WINDOWS\system32\mucltui.dll
2008-02-18 20:28 . 2007-07-30 19:19 207,736 --a------ F:\WINDOWS\system32\muweb.dll
2008-02-18 20:28 . 2007-07-30 19:19 30,072 --a------ F:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 14:16 . 2008-02-18 14:16 <DIR> d-------- F:\Program Files\Common Files\Adobe Systems Shared
2008-02-18 14:15 . 2008-02-20 11:44 <DIR> d-------- F:\Program Files\Common Files\Adobe
2008-02-18 08:55 . 2008-02-18 08:57 <DIR> d--h----- F:\Program Files\Zero G Registry
2008-02-18 08:55 . 2008-02-18 08:55 <DIR> d-------- F:\Program Files\Sports Interactive
2008-02-18 08:55 . 2008-02-18 08:55 <DIR> d--h----- F:\Documents and Settings\Kyle Stephenson-Wood\InstallAnywhere
2008-02-18 08:54 . 2008-02-18 13:12 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\Sports Interactive
2008-02-18 08:44 . 2008-02-18 08:44 <DIR> d-------- F:\Program Files\PowerISO
2008-02-17 23:52 . 2008-02-17 23:52 <DIR> d-------- F:\Program Files\BitLord
2008-02-17 23:46 . 2008-02-17 23:46 <DIR> d-------- F:\Program Files\uTorrent
2008-02-17 23:46 . 2008-02-19 08:27 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Application Data\uTorrent
2008-02-17 23:23 . 2008-02-17 23:23 <DIR> d----c--- F:\WINDOWS\system32\DRVSTORE
2008-02-17 23:23 . 2008-02-17 23:24 <DIR> d-------- F:\Program Files\Windows Live Toolbar
2008-02-17 23:23 . 2008-02-17 23:23 <DIR> d-------- F:\Program Files\Windows Live Favorites
2008-02-17 23:23 . 2008-02-17 23:23 <DIR> d-------- F:\Documents and Settings\Kyle Stephenson-Wood\Contacts
2008-02-17 23:21 . 2008-02-20 21:01 1,397 --a------ F:\WINDOWS\mozver.dat
2008-02-17 23:19 . 2008-02-17 23:23 <DIR> d--hsc--- F:\Program Files\Common Files\WindowsLiveInstaller
2008-02-17 23:18 . 2008-02-17 23:23 <DIR> d-------- F:\Program Files\Windows Live
2008-02-17 23:18 . 2008-02-17 23:18 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-17 23:08 . 2005-06-28 10:21 22,752 --a------ F:\WINDOWS\system32\spupdsvc.exe
2008-02-17 23:05 . 2007-12-07 02:21 6,066,176 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-17 23:05 . 2007-07-01 03:31 2,455,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-17 23:05 . 2007-07-01 03:36 991,232 -----c--- F:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-17 23:05 . 2007-12-07 02:21 459,264 -----c--- F:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-17 23:05 . 2007-12-07 02:21 383,488 -----c--- F:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-17 23:05 . 2007-12-07 02:21 267,776 -----c--- F:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-17 23:05 . 2007-12-07 02:21 63,488 -----c--- F:\WINDOWS\system32\dllcache\icardie.dll
2008-02-17 23:05 . 2007-12-07 02:21 52,224 -----c--- F:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-17 23:05 . 2007-12-06 11:00 13,824 -----c--- F:\WINDOWS\system32\dllcache\ieudinit.exe
 
COMBO FIX LOG PART 2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 22:41 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-02-17 22:41 --------- d-----w F:\Program Files\NVIDIA Corporation
2008-02-17 22:41 --------- d-----w F:\Program Files\Common Files\NVIDIA Shared
2008-02-17 22:41 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-02-17 22:32 --------- d-----w F:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w F:\WINDOWS\system32\drivers\scdemu.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51 131072]
"ISTray"="F:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00 15360]


.
Contents of the 'Scheduled Tasks' folder
"2008-02-21 11:52:14 F:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- F:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-02-21 12:02:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\WINDOWS\system32\imapi.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-02-21 12:04:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 12:04:39
 
When posting logs it's usually good practice to post them as attachments (the paper clip icon in the message screen) rather than just pasting them into your message; it makes it easier for the right people to read them.
 