Redirected to Clickover.cn, and BSOD's

thedeciever1 · 08-11-2009, 01:27 PM

I was being stupid and went looking around for free games. One popup, I pressed close instead of Ctrl+Alt+Del and I'm pretty sure that's where my problem started. After that my browser started showing errors about memory pointers and such when I closed firefox. Then I went to play a (purchased game) and I BSOD'ed. Driver_IRQL_NOT_LESS_OR_EQUAL. So I restarted, tried again. This time, upon getting to my desktop, I BSOD'ed with a fatal error. Ouch. Restarted, and did a Malwarebytes scan. A couple of problems:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\logon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Restarted, then I went to google to look up the BSOD's, and was redirected. So Then I did a kaspersky online scan, and It failed updating at 70%.

And now I come here.

I did the DDS scan, but the GMER stopped at one file for an hour, then the computer stopped responding.
I'll give you what I have:

DDS (Ver_09-07-30.01) - NTFSx86
Run by J at 11:31:16.14 on Tue 08/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1620 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\J\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.15\AsRunHelp.exe
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\SMax4.exe" /tray
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\j\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246174693640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

============= FINISH: 11:32:21.10 ===============

thedeciever1 · 08-13-2009, 06:21 PM

Well since I saw you guys start helping people that posted after me, I gave up. I re-installed XP and am now trying Windows 7. Thanks for not helping me, I think I'm better off anyway.

**chemist** · 08-13-2009, 06:44 PM

You are running a pirated copy of Windows.

As you should have read in our pre-posting thread:

IMPORTANT - Read This Before Posting For Malware Removal Help

* It is also this forum's policy that we only address users with a legal copy of Windows. If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process.

This thread shall now be closed.

------------------------------------------------------

08-13-2009, 06:21 PM	#2 (permalink)
thedeciever1 Registered User Join Date: Oct 2008 Posts: 4 OS: Windows XP SP3	Re: Redirected to Clickover.cn, and BSOD's Well since I saw you guys start helping people that posted after me, I gave up. I re-installed XP and am now trying Windows 7. Thanks for not helping me, I think I'm better off anyway.

08-13-2009, 06:44 PM	#3 (permalink)
chemist Moderator, Analyst, Security Team; Rangemaster, TSF Academy Join Date: Oct 2007 Location: Georgia Posts: 10,646 OS: XP SP3	Re: Redirected to Clickover.cn, and BSOD's You are running a pirated copy of Windows. As you should have read in our pre-posting thread: IMPORTANT - Read This Before Posting For Malware Removal Help * It is also this forum's policy that we only address users with a legal copy of Windows. If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process. This thread shall now be closed. ------------------------------------------------------ __________________ Our help is free but please donate Proud member of ASAP Proud member of UNITE