08-13-2007, 04:16 PM   #8
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,332
OS: N/A


Re: help needed with Malware takeover

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [Windows Management] stmb32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\RunServices: [Windows Management] stmb32.exe
O4 - HKCU\..\Run: [Windows Management] stmb32.exe
O4 - HKCU\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Management] stmb32.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [WebCamRT.exe] (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update System Shell] svhostcs32.exe (User 'Default user')
O4 - S-1-5-21-2732481820-3784550950-147138153-1005 Startup: .protected (User '?')
O4 - Startup: .protected
O4 - Global Startup: .protected
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: wmpenv - {19E771C0-5F75-4691-8B1F-11855E532EF3} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {AAD1B5DF-F350-4664-A7C3-6525A1FF7634} - C:\WINDOWS\wmpconf.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Ignore any prompts for a reboot


---------------


1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /killall
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________

Question - what have you done for the community today?
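
An added example, not part of sUBs's post: a small triage script that groups the O4 autorun lines by the command they launch, making explicit how `svhostcs32.exe` and `stmb32.exe` recur across the HKLM, HKCU and HKUS hives in the list above. The regex only reflects the line layout visible in this log, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the O4 lines quoted in the post above, copied verbatim.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [Windows Management] stmb32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O4 - HKCU\..\Run: [Windows Management] stmb32.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update System Shell] svhostcs32.exe (User 'Default user')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [WebCamRT.exe] (User '?')
O4 - Startup: .protected
"""

# Layout assumed from the lines above:
#   O4 - <hive>[\<SID>]\..\<key>: [<value name>] <command> (User '<name>')
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)(?:\s*\(User '[^']*'\))?$"
)

def persistence_by_command(log_text):
    """Map each autorun command to the set of (hive, key) locations that launch it."""
    locations = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            # Entries with a value name but no command are keyed by the value name.
            target = (m["cmd"] or m["name"]).lower()
            locations[target].add((m["hive"], m["key"]))
    return dict(locations)

def multi_location(log_text, threshold=2):
    """Commands registered in at least `threshold` distinct autorun locations."""
    found = persistence_by_command(log_text)
    return sorted(cmd for cmd, locs in found.items() if len(locs) >= threshold)

if __name__ == "__main__":
    for cmd in multi_location(SAMPLE_LOG):
        print(cmd, sorted(persistence_by_command(SAMPLE_LOG)[cmd]))
```

Startup-folder lines such as `O4 - Startup: .protected` do not follow the registry layout and are skipped by this parser.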