help needed with Malware takeover

sunshine863 · 08-12-2007, 02:51 AM

Hi, I wonder if you could help here...I have Windows XP (home) with avast, AdAware and just purchased SpyHunter to rid my PC of "Spyware & Malware Protection, Privacy Protector and Error Cleaner' that has installed itself somewhere in my PC. When I use the AdAware or SpyHunter, it locates cookies and these, even though are removed, just appear again. 'http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2' has taken possession of my homepage and can't be deleted and sometimes presents itself as [url]www.safewebnavigate.com.,www.mediasportal.com, www.ucleaner.com.,www.securecleaner.com., and some others keep popping up despite that fact that I have added all of these to my restricted sites. It has also created wallpaper with 'your privacy is in danger'..logo(leading to securepccleaner.com) and can't be removed. I keep also getting pop up messages from Windows security alert about an Internet attack and prompting to download spyware remover - www.safewebnavigate.com. I'm not sure if this is one or a few infections. I would be eternally grateful if you could guide me towards clearing my Pc of this very frequent nuisance.
Many thanks
Cheers
Draha

sUBs · 08-12-2007, 05:32 AM

Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html.

You shall have a proper set of logs for us after that. Someone will be along shortly

sunshine863 · 08-12-2007, 02:44 PM

Thanks for that - unfortunately I'm not getting anywhere fast - Step1 was ok - I didn't have any of the listed programs, step 2. - half way through Panda's scan, my Avast had detected a virus in the download and requested that I abort.
It listed this file : http://acs.pandasoftware.com/actives...motor.cab\pska'
virus/malware: Win32.CTX
VPS version: 000764-12/08/2007

What to do now?

sUBs · 08-12-2007, 02:49 PM

It's a well known False Positive by Avast. Ignore it & disable Avast's realtime scanner whilst doing the online scan.

sunshine863 · 08-13-2007, 02:30 PM

Hi again, more hiccups here.
Step 2.-Panda's scan didn't find anything.
Step 3.-Spyware blaster installed. With the IE-spyed not sure if to install the IE-Spyed for zoned out or just the original.
Step 4 - Windows update didn't have any new critical updates. I have SP2 installed - should I uninstal this while my PC is being rescued? Wouldn't this leave my PC totally exposed?
In the meantime the pop-ups are driving me crazy can't wait to have this resolved. I really appreciate your help

sUBs · 08-13-2007, 02:32 PM

Skip everything & go staright to the final step - Step #5

You shall have some logs for us after that

sunshine863 · 08-13-2007, 03:11 PM

You guys are just terrific. Below is the log as requested along with the attach. I have also noticed that I can't use system restore as there is a missing file - 'framedyn.dll' ?Not sure if this is also part of this ....
I'll look forward to your reply
Cheers

********************************************************

Deckard's System Scanner v20070809.63
Run by Draha Pitner on 2007-08-14 at 07:42:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).

-- HijackThis (run as Draha Pitner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:47:16, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Draha Pitner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Draha Pitner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [Windows Management] stmb32.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\RunServices: [Windows Management] stmb32.exe
O4 - HKCU\..\Run: [Windows Management] stmb32.exe
O4 - HKCU\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Management] stmb32.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [WebCamRT.exe] (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update System Shell] svhostcs32.exe (User 'Default user')
O4 - S-1-5-21-2732481820-3784550950-147138153-1005 Startup: .protected (User '?')
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158240005171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1158277898062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: wmpenv - {19E771C0-5F75-4691-8B1F-11855E532EF3} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {AAD1B5DF-F350-4664-A7C3-6525A1FF7634} - C:\WINDOWS\wmpconf.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 12102 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 ScFBPNT2 (CanoScan FBP2 Port Driver) - c:\windows\system32\drivers\scfbpnt2.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

4 NMIndexingService - c:\program files\common files\ahead\lib\nmindexingservice.exe (file missing)
2 RichVideo (Cyberlink RichVideo Service(CRVS)) - c:\program files\cyberlink\shared files\richvideo.exe
3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2007-09-16 16:40:11 436 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D791AA4-65E9-479C-9BF6-2BA8647125D1}.job
2007-08-06 09:24:00 274 --a------ C:\WINDOWS\Tasks\Backup.job
2007-04-15 09:25:50 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-07-14 and 2007-08-14 -----------------------------

2007-08-14 07:46:41 0 d-------- C:\Program Files\Trend Micro
2007-08-13 19:09:38 0 d-------- C:\Program Files\SpywareBlaster
2007-08-13 15:49:29 0 d-------- C:\WINDOWS\privacy_danger
2007-08-13 07:29:56 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-12 16:03:13 0 d-------- C:\VundoFix Backups
2007-08-11 21:12:05 0 d-------- C:\Program Files\Enigma Software Group
2007-08-10 19:55:54 188416 --a------ C:\WINDOWS\wmpenv.dll <Not Verified; ; IEXPLORE>
2007-08-10 19:55:54 221184 --a------ C:\WINDOWS\wmpconf.dll
2007-08-10 19:55:53 188416 --a------ C:\WINDOWS\duocore.dll <Not Verified; ; BhoNew Module>
2007-08-10 19:54:34 0 d-------- C:\Program Files\VideoAccessCodec
2007-07-19 15:55:09 0 d-------- C:\etax2007

-- Find3M Report ---------------------------------------------------------------

2007-09-17 08:56:29 0 d-------- C:\Program Files\Java
2007-08-14 07:28:09 0 d-------- C:\Documents and Settings\Draha Pitner\Application Data\Skype
2007-08-13 17:19:49 0 d-------- C:\Program Files\QuickTime Alternative
2007-08-13 17:15:24 0 d-------- C:\Program Files\iTunes
2007-08-13 17:13:15 0 d-------- C:\Program Files\Cordless USB Phone
2007-08-13 17:10:46 0 d-------- C:\Program Files\BigFix
2007-08-13 08:50:16 0 d-------- C:\Program Files\Messenger
2007-08-11 19:32:39 2058849 --a------ C:\ieSpellSetup251106.exe
2007-07-11 19:17:36 0 d-------- C:\Documents and Settings\Draha Pitner\Application Data\Adobe
2007-07-09 14:04:53 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-05 20:40:45 0 d-------- C:\Program Files\UserZoom
2007-06-07 19:05:12 78992 --a----c- C:\Documents and Settings\Draha Pitner\Application Data\GDIPFONTCACHEV1.DAT

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47C54F02-1B28-45F1-AE46-B5CDFB6E7926}]
10/08/2007 03:43 188416 --a------ C:\WINDOWS\duocore.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [15/10/2002 23:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [16/10/2002 17:05]
"CHotkey"="mHotkey.exe" [24/07/2002 05:09 C:\WINDOWS\mHotkey.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [08/10/2002 20:03]
"SoundMan"="SOUNDMAN.EXE" [15/04/2005 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [10/12/2002 17:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [28/07/2007 08:03]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [06/12/2005 12:08]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [24/11/2005 16:01]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [15/09/2006 13:21]
"Windows Update System Shell"="svhostcs32.exe" []
"Windows Management"="stmb32.exe" []
"NWEReboot"="" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [23/11/2006 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [05/12/2006 22:55]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 16:40]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [27/04/2007 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/06/2007 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [26/04/2007 16:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Management"="stmb32.exe" []
"Windows Update System Shell"="svhostcs32.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [14/07/2000 06:00]
"WebCamRT.exe"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 17:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [01/06/2006 13:32]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" []
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [18/05/2007 13:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows Update System Shell"=svhostcs32.exe
"Windows Management"=stmb32.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Update System Shell"=svhostcs32.exe
"Windows Management"=stmb32.exe

C:\Documents and Settings\Draha Pitner\Start Menu\Programs\Startup\
.protected [11/08/2007 19:52:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.protected [11/08/2007 19:52:11]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [27/10/2006 15:41:14]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [26/09/2006 20:19:53]
Cordless DUALphone Startup.lnk - C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe [15/09/2006 13:35:17]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 00:01:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmpenv"= {19E771C0-5F75-4691-8B1F-11855E532EF3} - C:\WINDOWS\wmpenv.dll [10/08/2007 03:43 188416]
"wmpconf"= {AAD1B5DF-F350-4664-A7C3-6525A1FF7634} - C:\WINDOWS\wmpconf.dll [10/08/2007 03:43 221184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2007-08-14 at 07:52:28 ---------

sUBs · 08-13-2007, 03:16 PM

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll
O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\Run: [Windows Management] stmb32.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe
O4 - HKLM\..\RunServices: [Windows Management] stmb32.exe
O4 - HKCU\..\Run: [Windows Management] stmb32.exe
O4 - HKCU\..\Run: [Windows Update System Shell] svhostcs32.exe
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Management] stmb32.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [WebCamRT.exe] (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update System Shell] svhostcs32.exe (User 'Default user')
O4 - S-1-5-21-2732481820-3784550950-147138153-1005 Startup: .protected (User '?')
O4 - Startup: .protected
O4 - Global Startup: .protected
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: wmpenv - {19E771C0-5F75-4691-8B1F-11855E532EF3} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {AAD1B5DF-F350-4664-A7C3-6525A1FF7634} - C:\WINDOWS\wmpconf.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Ignore any prompts for a reboot

---------------

1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to

→ Run → paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

sunshine863 · 08-13-2007, 06:11 PM

hello again - all done, here are the logs;

*************************************************
ComboFix 07-08-14 - "Draha Pitner" 2007-08-14 10:47:48.1 - NTFSx86
Command switches used :: /killall
framedyn.dll is missing

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\.protected
C:\DOCUME~1\DRAHAP~1\Desktop\internet.lnk
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\VideoAccessCodec\Uninstall.exe
C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx
C:\WINDOWS\.protected
C:\WINDOWS\dat.txt
C:\WINDOWS\duocore.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\wmpconf.dll
C:\WINDOWS\wmpenv.dll

((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))

2007-08-14 10:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 07:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-14 07:42 <DIR> d-------- C:\Deckard
2007-08-13 19:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-13 07:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-12 16:03 <DIR> d-------- C:\VundoFix Backups
2007-08-11 21:12 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-19 15:55 <DIR> d-------- C:\etax2007

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 10:10 --------- d-------- C:\DOCUME~1\DRAHAP~1\APPLIC~1\Skype
2007-08-13 17:19 --------- d-------- C:\Program Files\QuickTime Alternative
2007-08-13 17:15 --------- d-------- C:\Program Files\iTunes
2007-08-13 17:13 --------- d-------- C:\Program Files\Cordless USB Phone
2007-08-13 17:10 --------- d-------- C:\Program Files\BigFix
2007-08-13 08:50 --------- d-------- C:\Program Files\Messenger
2007-08-11 19:32 2058849 --a------ C:\ieSpellSetup251106.exe
2007-07-28 08:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 08:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 08:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 08:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-28 07:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-28 07:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-28 07:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-05 20:40 --------- d-------- C:\Program Files\UserZoom
2007-05-17 01:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-17 01:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-17 01:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-17 01:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-17 01:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-17 01:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-09-21 17:27 359112 --a------ C:\Program Files\LimeWireWin.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 23:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-16 17:05]
"CHotkey"="mHotkey.exe" [2002-07-24 05:09 C:\WINDOWS\mHotkey.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 20:03]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 08:03]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 12:08]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-11-24 16:01]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21]
"NWEReboot"="" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 06:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" []
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-18 13:14]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Management"=stmb32.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-27 15:41:14]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-09-26 20:19:53]
Cordless DUALphone Startup.lnk - C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-09-15 13:35:17]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

Contents of the 'Scheduled Tasks' folder
2007-04-14 23:25:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-05 23:24:00 C:\WINDOWS\Tasks\Backup.job - C:\WINDOWS\system32\ntbackup.exe
2007-09-16 06:40:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D791AA4-65E9-479C-9BF6-2BA8647125D1}.job - C:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 10:53:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 10:59:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-14 10:58

--- E O F ---

----------------------------------------------------------------

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:08, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows Management] stmb32.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows Management] stmb32.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158240005171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1158277898062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10615 bytes

*********************************************************

Many thanks again

sUBs · 08-13-2007, 08:19 PM

Quote:

Command switches used :: /killall
framedyn.dll is missing

The easiest way to fix this is to copy C:\Windows\System32\wbem\framedyn.dll from another Windows XP machine.

--------------

Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:

SpyHunter

Please note any other programs that you dont recognize in that list in your next response

---------------

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKUS\S-1-5-18\..\Run: [Windows Management] stmb32.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows Management] stmb32.exe (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

---------------

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Folder::
C:\VundoFix Backups
C:\Program Files\Enigma Software Group
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows Management"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Save this as "CFScript"

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

---------------

Click here perform an online scan >> Online Scanner

---------------

In your next post, please include fresh logs from:

Fresh Hijackthis log taken just before replying

Online scan

ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

sunshine863 · 08-14-2007, 04:45 AM

ComboFix 07-08-14 - "Draha Pitner" 2007-08-14 16:34:06.2 - NTFSx86
Command switches used :: C:\Documents and Settings\Draha Pitner\Desktop\CFScript.txt
framedyn.dll is missing

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@acvs.mediaonenetwork[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@apmebf[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@atwola[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@avsystemcare[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@azjmp[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@go.sexprofit[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@media.sensis.com[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@media.the-leaky-cauldron[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@mediaonenetwork[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@mediaplex[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@pamedia.com[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@pcprivacytool[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[3].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[4].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[5].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[6].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[7].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacy.securepccleaner[8].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacyprotector[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@privacyprotector[3].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@protect.trustedantivirus[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@protect.trustedantivirus[3].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@protect.trustedantivirus[4].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@rb4.worldsex[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@sale.trustedantivirus[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@secure.udefender[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@securepccleaner[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@securepccleaner[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@sensismediasmart.com[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@shop.securepccleaner[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@trustedantivirus[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@ucleaner[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@udefender[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@www.rusteensex[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@www.udefender[2].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@www.xnxx[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\draha_pitner@xnxx[1].txt.dat
C:\Program Files\Enigma Software Group\SpyHunter\Backup\MICROSOFT_WINDOWS NT_CURRENTVERSION_WINLOGON_NOTIFY_igfxcui.dat
C:\Program Files\Enigma Software Group\SpyHunter\backupLog.dat
C:\Program Files\Enigma Software Group\SpyHunter\def.dat.bak
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\VundoFix Backups

((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))

2007-08-14 10:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 07:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-14 07:42 <DIR> d-------- C:\Deckard
2007-08-13 19:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-13 07:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-19 15:55 <DIR> d-------- C:\etax2007

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-14 15:56 --------- d-------- C:\DOCUME~1\DRAHAP~1\APPLIC~1\Skype
2007-08-13 17:19 --------- d-------- C:\Program Files\QuickTime Alternative
2007-08-13 17:15 --------- d-------- C:\Program Files\iTunes
2007-08-13 17:13 --------- d-------- C:\Program Files\Cordless USB Phone
2007-08-13 17:10 --------- d-------- C:\Program Files\BigFix
2007-08-13 08:50 --------- d-------- C:\Program Files\Messenger
2007-08-11 19:32 2058849 --a------ C:\ieSpellSetup251106.exe
2007-07-28 08:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 08:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 08:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 08:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-28 07:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-28 07:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-28 07:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-05 20:40 --------- d-------- C:\Program Files\UserZoom
2007-05-17 01:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-17 01:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-17 01:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-17 01:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-17 01:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-17 01:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-09-21 17:27 359112 --a------ C:\Program Files\LimeWireWin.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 23:18]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-16 17:05]
"CHotkey"="mHotkey.exe" [2002-07-24 05:09 C:\WINDOWS\mHotkey.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 20:03]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 08:03]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 12:08]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-11-24 16:01]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 06:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]
"Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" []
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-18 13:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-27 15:41:14]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-09-26 20:19:53]
Cordless DUALphone Startup.lnk - C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-09-15 13:35:17]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

Contents of the 'Scheduled Tasks' folder
2007-04-14 23:25:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-05 23:24:00 C:\WINDOWS\Tasks\Backup.job - C:\WINDOWS\system32\ntbackup.exe
2007-09-16 06:40:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D791AA4-65E9-479C-9BF6-2BA8647125D1}.job - C:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 16:38:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 16:40:01
C:\ComboFix-quarantined-files.txt ... 2007-08-14 16:39
C:\ComboFix2.txt ... 2007-08-14 10:59

--- E O F ---

oooooOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOooooo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35:04, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime Alternative\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158240005171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1158277898062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 10559 bytes

ooooooooooOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOoooooooo

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 14, 2007 9:26:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/08/2007
Kaspersky Anti-Virus database records: 379854
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55320
Number of viruses found: 8
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:52:23

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\DRAHAP~1\LOCALS~1\Temp\NeroDemo12550\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\call256.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\chat512.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\index2.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\user1024.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\user16384.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Application Data\Skype\sunshine863\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Draha Pitner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\History\History.IE5\MSHist012007081420070815\index.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\Temp\~DF93B5.tmp Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\Temp\~DF93D8.tmp Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\Temp\~DFA490.tmp Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Draha Pitner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Draha Pitner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\eMachines_Vista.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\UK_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Virus.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\WinXP.dat Object is locked skipped
C:\Program Files\BigFix\__Data\__Global\Logs\20070814.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\62AE6F6F.exe Infected: Backdoor.Win32.Rbot.bfb skipped
C:\Program Files\Norton AntiVirus\Quarantine\77AB3D8E Infected: Email-Worm.Win32.Warezov.et skipped
C:\Program Files\Norton AntiVirus\Quarantine\77B078EB Infected: Backdoor.Win32.PoeBot.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7955211B Infected: Backdoor.Win32.Rbot.bfb skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D6772A1.exe Infected: Backdoor.Win32.PoeBot.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D6A1C9D.exe Infected: Backdoor.Win32.Rbot.aqo skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070814-090001-742.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\QooBox\Quarantine\C\WINDOWS\duocore.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP424\A0071709.exe Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP424\A0071733.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP424\A0071734.exe Infected: not-virus:Hoax.Win32.Renos.he skipped
C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP424\A0071899.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{35A4A879-B4E1-4F85-811E-93C3722DA63B}\RP425\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_494.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

oooooooOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOooooooo

Hello, so far all seems just about normal. Wallpaper, homepage all back to original, no more pesky pop ups. You guys are the best!!!

You have asked me to delete SpyHunter from my system - does it cause havoc? I have only just purchased it :-(...

As far the framedy.dll file goes, I need to find someone who (still) operates XP.

So thank you once again

Cheers
Draha

sUBs · 08-14-2007, 05:13 AM

Spyhunter - These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

You can read up about SpyHunter from here >http://www.spywarewarrior.com/rogue_...re.htm#sh_note

Quote:

I need to find someone who (still) operates XP.

For the moment, download a temporary copy from here >http://www.dll-files.com/dllindex/dl...shtml?framedyn

After you have fixed framedyn.dll, open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Program Files\Norton AntiVirus\Quarantine\62AE6F6F.exe"
'C:\Program Files\Norton AntiVirus\Quarantine\77AB3D8E"
"C:\Program Files\Norton AntiVirus\Quarantine\77B078EB"
"C:\Program Files\Norton AntiVirus\Quarantine\7955211B"
"C:\Program Files\Norton AntiVirus\Quarantine\7D6772A1.exe"
"C:\Program Files\Norton AntiVirus\Quarantine\7D6A1C9D.exe"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (
"C:\Program Files\Trend Micro\HijackThis\backups"
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

sunshine863 · 08-14-2007, 06:04 AM

The C\WINDOWS\system32\cmd.exe window reported 'Deleted successfully

then I had an alert message from Windows Script Host with a
big X:
Script: C:\Document and Settings\Draha Pitner\Desctop\SR.vbs
Line: 1
Char: 1
Error: Invalid syntax
Code: 800401E4
Source: (null)

ooooOOOOOOOOOOOOOOOOOOOOOOOOOOoooooooooo

Hope this makes sense as I am sooo lost here

sUBs · 08-14-2007, 06:05 AM

Did you manage to get the framedyn.dll before running fix.bat?

sunshine863 · 08-14-2007, 06:08 AM

Yes I did and the system restore is operational now

sUBs · 08-14-2007, 06:14 AM

Quote:

Script: C:\Document and Settings\Draha Pitner\Desctop\SR.vbs
Line: 1
Char: 1

SR.vbs pertains to System Restore. I suppose it was framedyn.dll that was causing the error message.
No matter. What's important is that the infected files are deleted successfully & System Restore works now. Do remember to copyover a proper replacement from another SP2 machine.

Your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

ANTIVIRUS SOFTWARE
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here ? http://www.bleepingcomputer.com/forums/tutorial60.html
Microsoft Windows Update ? http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

sunshine863 · 08-14-2007, 06:34 AM

This was a learning experience for me. I thought by having automatic updates enabled on my Windows Updates and Avast and Windows firewall that I was protected - obviously not the case.
Once again, many thanks for your advice, guidance and time and I will definately be visiting you donation link tomorrow(it's almost midnight here) to help keep you guys in business.
Cheers
Draha

08-12-2007, 02:51 AM	#1 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	help needed with Malware takeover Hi, I wonder if you could help here...I have Windows XP (home) with avast, AdAware and just purchased SpyHunter to rid my PC of "Spyware & Malware Protection, Privacy Protector and Error Cleaner' that has installed itself somewhere in my PC. When I use the AdAware or SpyHunter, it locates cookies and these, even though are removed, just appear again. 'http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2' has taken possession of my homepage and can't be deleted and sometimes presents itself as [url]www.safewebnavigate.com.,www.mediasportal.com, www.ucleaner.com.,www.securecleaner.com., and some others keep popping up despite that fact that I have added all of these to my restricted sites. It has also created wallpaper with 'your privacy is in danger'..logo(leading to securepccleaner.com) and can't be removed. I keep also getting pop up messages from Windows security alert about an Internet attack and prompting to download spyware remover - www.safewebnavigate.com. I'm not sure if this is one or a few infections. I would be eternally grateful if you could guide me towards clearing my Pc of this very frequent nuisance. Many thanks Cheers Draha Last edited by sunshine863; 08-12-2007 at 02:54 AM.

08-12-2007, 05:32 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Re: help needed with Malware takeover Please follow MicroBell's 5 Step process - http://www.techsupportforum.com/secu...sting-log.html. You shall have a proper set of logs for us after that. Someone will be along shortly __________________

08-12-2007, 02:44 PM	#3 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	Re: help needed with Malware takeover Thanks for that - unfortunately I'm not getting anywhere fast - Step1 was ok - I didn't have any of the listed programs, step 2. - half way through Panda's scan, my Avast had detected a virus in the download and requested that I abort. It listed this file : http://acs.pandasoftware.com/actives...motor.cab\pska' virus/malware: Win32.CTX VPS version: 000764-12/08/2007 What to do now?

08-12-2007, 02:49 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Re: help needed with Malware takeover It's a well known False Positive by Avast. Ignore it & disable Avast's realtime scanner whilst doing the online scan. __________________

08-13-2007, 02:30 PM	#5 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	Re: help needed with Malware takeover Hi again, more hiccups here. Step 2.-Panda's scan didn't find anything. Step 3.-Spyware blaster installed. With the IE-spyed not sure if to install the IE-Spyed for zoned out or just the original. Step 4 - Windows update didn't have any new critical updates. I have SP2 installed - should I uninstal this while my PC is being rescued? Wouldn't this leave my PC totally exposed? In the meantime the pop-ups are driving me crazy can't wait to have this resolved. I really appreciate your help

08-13-2007, 02:32 PM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Re: help needed with Malware takeover Skip everything & go staright to the final step - Step #5 You shall have some logs for us after that __________________

08-13-2007, 03:16 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Re: help needed with Malware takeover Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 O2 - BHO: MSVPS System - {47C54F02-1B28-45F1-AE46-B5CDFB6E7926} - C:\WINDOWS\duocore.dll O4 - HKLM\..\Run: [Windows Update System Shell] svhostcs32.exe O4 - HKLM\..\Run: [Windows Management] stmb32.exe O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe O4 - HKLM\..\RunServices: [Windows Update System Shell] svhostcs32.exe O4 - HKLM\..\RunServices: [Windows Management] stmb32.exe O4 - HKCU\..\Run: [Windows Management] stmb32.exe O4 - HKCU\..\Run: [Windows Update System Shell] svhostcs32.exe O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Management] stmb32.exe (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [WebCamRT.exe] (User '?') O4 - HKUS\S-1-5-18\..\Run: [Windows Update System Shell] svhostcs32.exe (User '?') O4 - HKUS\.DEFAULT\..\Run: [Windows Update System Shell] svhostcs32.exe (User 'Default user') O4 - S-1-5-21-2732481820-3784550950-147138153-1005 Startup: .protected (User '?') O4 - Startup: .protected O4 - Global Startup: .protected O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O21 - SSODL: wmpenv - {19E771C0-5F75-4691-8B1F-11855E532EF3} - C:\WINDOWS\wmpenv.dll O21 - SSODL: wmpconf - {AAD1B5DF-F350-4664-A7C3-6525A1FF7634} - C:\WINDOWS\wmpconf.dll O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm Ignore any prompts for a reboot --------------- 1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe * IMPORTANT !!! Place combofix.exe on your Desktop 2. Go to → Run → paste in the single line command & click OK "%userprofile%\desktop\combofix.exe" /killall 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________

08-13-2007, 06:11 PM	#9 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	Re: help needed with Malware takeover hello again - all done, here are the logs; ************************************************* ComboFix 07-08-14 - "Draha Pitner" 2007-08-14 10:47:48.1 - NTFSx86 Command switches used :: /killall framedyn.dll is missing ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\.protected C:\DOCUME~1\DRAHAP~1\Desktop\internet.lnk C:\Program Files\VideoAccessCodec C:\Program Files\VideoAccessCodec\install.ico C:\Program Files\VideoAccessCodec\Uninstall.exe C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx C:\WINDOWS\.protected C:\WINDOWS\dat.txt C:\WINDOWS\duocore.dll C:\WINDOWS\privacy_danger C:\WINDOWS\privacy_danger\images\capt.gif C:\WINDOWS\privacy_danger\images\danger.jpg C:\WINDOWS\privacy_danger\images\down.gif C:\WINDOWS\privacy_danger\images\spacer.gif C:\WINDOWS\privacy_danger\index.htm C:\WINDOWS\system32\drivers\etc\.protected C:\WINDOWS\wmpconf.dll C:\WINDOWS\wmpenv.dll ((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 ))))))))))))))))))))))))))))))) 2007-08-14 10:41 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-14 07:46 <DIR> d-------- C:\Program Files\Trend Micro 2007-08-14 07:42 <DIR> d-------- C:\Deckard 2007-08-13 19:09 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-08-13 07:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-08-12 16:03 <DIR> d-------- C:\VundoFix Backups 2007-08-11 21:12 <DIR> d-------- C:\Program Files\Enigma Software Group 2007-07-19 15:55 <DIR> d-------- C:\etax2007 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-14 10:10 --------- d-------- C:\DOCUME~1\DRAHAP~1\APPLIC~1\Skype 2007-08-13 17:19 --------- d-------- C:\Program Files\QuickTime Alternative 2007-08-13 17:15 --------- d-------- C:\Program Files\iTunes 2007-08-13 17:13 --------- d-------- C:\Program Files\Cordless USB Phone 2007-08-13 17:10 --------- d-------- C:\Program Files\BigFix 2007-08-13 08:50 --------- d-------- C:\Program Files\Messenger 2007-08-11 19:32 2058849 --a------ C:\ieSpellSetup251106.exe 2007-07-28 08:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe 2007-07-28 08:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2007-07-28 08:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2007-07-28 08:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2007-07-28 07:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2007-07-28 07:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2007-07-28 07:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr 2007-07-05 20:40 --------- d-------- C:\Program Files\UserZoom 2007-05-17 01:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll 2007-05-17 01:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll 2007-05-17 01:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll 2007-05-17 01:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll 2007-05-17 01:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll 2007-05-17 01:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll 2006-09-21 17:27 359112 --a------ C:\Program Files\LimeWireWin.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 23:18] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-16 17:05] "CHotkey"="mHotkey.exe" [2002-07-24 05:09 C:\WINDOWS\mHotkey.exe] "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-10-08 20:03] "SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 C:\WINDOWS\SOUNDMAN.EXE] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00] "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 08:03] "FixCamera"="C:\WINDOWS\FixCamera.exe" [2005-12-06 12:08] "tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2005-11-24 16:01] "snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21] "NWEReboot"="" [] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10] "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40] "QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-04-27 09:41] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 06:00] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32] "Uniblue Registry Booster2"="C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe" [] "Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [] "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-18 13:14] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "Windows Management"=stmb32.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-27 15:41:14] BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-09-26 20:19:53] Cordless DUALphone Startup.lnk - C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe [2006-09-15 13:35:17] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04] [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] Source= file:///C:\WINDOWS\privacy_danger\index.htm FriendlyName= Privacy Protection Contents of the 'Scheduled Tasks' folder 2007-04-14 23:25:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe 2007-08-05 23:24:00 C:\WINDOWS\Tasks\Backup.job - C:\WINDOWS\system32\ntbackup.exe 2007-09-16 06:40:11 C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D791AA4-65E9-479C-9BF6-2BA8647125D1}.job - C:\WINDOWS\system32\msfeedssync.exe ************************************************************************ catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-14 10:53:34 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** Completion time: 2007-08-14 10:59:06 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-14 10:58 --- E O F --- ---------------------------------------------------------------- HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:05:08, on 14/08/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\mHotkey.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\FixCamera.exe C:\WINDOWS\tsnp2std.exe C:\WINDOWS\vsnp2std.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\QuickTime Alternative\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\BigFix\bigfix.exe C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe C:\Program Files\Skype\Plugin Manager\SkypePM.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [CHotkey] mHotkey.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe (User '?') O4 - HKUS\S-1-5-21-2732481820-3784550950-147138153-1005\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?') O4 - HKUS\S-1-5-18\..\Run: [Windows Management] stmb32.exe (User '?') O4 - HKUS\.DEFAULT\..\Run: [Windows Management] stmb32.exe (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe O4 - Global Startup: Cordless DUALphone Startup.lnk = C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1158240005171 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1158277898062 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing) O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm -- End of file - 10615 bytes ******************************************************* Many thanks again

08-14-2007, 06:04 AM	#13 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	Re: help needed with Malware takeover The C\WINDOWS\system32\cmd.exe window reported 'Deleted successfully then I had an alert message from Windows Script Host with a big X: Script: C:\Document and Settings\Draha Pitner\Desctop\SR.vbs Line: 1 Char: 1 Error: Invalid syntax Code: 800401E4 Source: (null) ooooOOOOOOOOOOOOOOOOOOOOOOOOOOoooooooooo Hope this makes sense as I am sooo lost here

08-14-2007, 06:05 AM	#14 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,245 OS: N/A	Re: help needed with Malware takeover Did you manage to get the framedyn.dll before running fix.bat? __________________

08-14-2007, 06:08 AM	#15 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	Re: help needed with Malware takeover Yes I did and the system restore is operational now

08-14-2007, 06:34 AM	#17 (permalink)
sunshine863 Registered User Join Date: Aug 2007 Location: Australia Posts: 9 OS: XP home edition	Re: help needed with Malware takeover This was a learning experience for me. I thought by having automatic updates enabled on my Windows Updates and Avast and Windows firewall that I was protected - obviously not the case. Once again, many thanks for your advice, guidance and time and I will definately be visiting you donation link tomorrow(it's almost midnight here) to help keep you guys in business. Cheers Draha