PC Help Forum » Security & Safety » [Pending] HJT Logs - A few logs to review
Old 05-16-2009   #8
Bronze Member
 
Join Date: Sep 2008
Posts: 31
PC Experience: Some Experience
Default Re: A few logs to review

I noticed the following was still not deleted after running ComboFix
c:\windows\system32\pavuppad.exe

So, I navigated to the file and I was manually able to delete it.
weeksn is offline   Reply With Quote
Old 05-17-2009   #9
Tech Support Team
 
Crush's Avatar
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Default Re: A few logs to review

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
Driver::
lvuvc

File::
c:\windows\system32\drivers\lvuvc.hs
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush is offline   Reply With Quote
Old 05-17-2009   #10
Bronze Member
 
Join Date: Sep 2008
Posts: 31
PC Experience: Some Experience
Default Re: A few logs to review

ComboFix 09-05-17.01 - Natasha 17/05/2009 18:32.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.547 [GMT 1:00]
Running from: c:\documents and settings\Natasha\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Natasha\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FILE ::
c:\windows\system32\drivers\lvuvc.hs
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\gumapoke.dll
c:\windows\system32\kivifivu.dll
c:\windows\system32\lonufeyi.dll
----- BITS: Possible infected sites -----
hxxp://62.4.83.201
hxxp://82.98.235.228
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_LVUVC

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.
2009-05-17 15:52 . 2009-05-17 15:52 6537 --sh--w c:\windows\system32\kizosewa.dll
2009-05-16 15:53 . 2009-05-16 16:23 -------- d-sh--w c:\windows\system32\bookls
2009-05-12 10:42 . 2008-06-19 16:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-04 10:27 . 2009-05-04 10:27 -------- d-----w c:\documents and settings\All Users\Application Data\Source
2009-05-04 10:27 . 2009-05-04 10:21 241 ----a-w c:\documents and settings\All Users\Application Data\Setting.dat
2009-04-27 12:17 . 2009-04-27 12:17 -------- d-----w c:\program files\Common Files\xing shared
2009-04-27 10:24 . 2009-04-27 10:24 -------- d-sh--w c:\documents and settings\Natasha\IECompatCache
2009-04-22 21:23 . 2009-04-22 21:23 -------- d-----w c:\documents and settings\Natasha\Application Data\Canneverbe_Limited
2009-04-22 21:21 . 2009-04-22 21:21 -------- d-----w c:\program files\CDBurnerXP
2009-04-22 21:13 . 2009-04-22 21:14 -------- d-----w C:\OS
2009-04-22 20:34 . 2009-04-22 20:34 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-20 08:28 . 2009-05-12 15:24 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-20 07:10 . 2009-05-12 15:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-20 07:08 . 2009-04-20 07:08 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-20 07:08 . 2009-04-20 07:08 -------- d-----w c:\program files\Lavasoft
2009-04-20 07:08 . 2009-04-20 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 01:11 . 2007-03-26 20:17 -------- d-----w c:\program files\Yahoo!
2009-04-28 21:50 . 2007-07-27 00:32 -------- d-----w c:\program files\Lexmark 1200 Series
2009-04-28 03:30 . 2009-01-21 15:19 -------- d-----w c:\program files\Hotspot Shield
2009-04-27 12:17 . 2007-05-16 10:48 -------- d-----w c:\program files\Common Files\Real
2009-04-20 20:05 . 2009-04-07 15:48 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 08:55 . 2008-12-15 22:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 08:44 . 2006-11-26 21:35 -------- d-----w c:\program files\LimeWire
2009-04-14 13:29 . 2006-11-26 21:36 -------- d-----w c:\program files\Java
2009-04-07 00:58 . 2009-03-21 20:22 -------- d-----w c:\program files\ESET
2009-04-06 14:32 . 2008-12-15 22:03 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-15 22:03 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 . 2009-02-06 20:12 33256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-03-09 04:19 . 2008-12-18 19:54 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-07-04 23:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-10-19 22:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-04-09 11:04 78336 ----a-w c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-12_22.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 17:37 . 2009-05-17 17:37 16384 c:\windows\Temp\Perflib_Perfdata_220.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-17 15:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-17 15:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-17 15:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-11-28 21:27 . 2009-05-13 08:42 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-22 18:05 . 2007-03-22 18:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2006-11-28 21:27 . 2009-05-13 08:42 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-24 17:20 215528 ----a-w c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-30 737370]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2006-05-17 1200128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-09 98304]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-12 516440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-27 198160]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-28 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TMMonitor.lnk
backup=c:\windows\pss\TMMonitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\FreePhoneLine\\FreePhoneLine.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57779:TCP"= 57779:TCP:PandoRest Listening Port
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [20/04/2009 8:10 AM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/05/2009 11:42 AM 28544]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 8:21 AM 468224]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [22/04/2009 2:12 AM 328752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 8:06 PM 953168]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [29/08/2008 6:29 PM 835208]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [06/02/2009 9:12 PM 33256]
S0 ggosz;ggosz;c:\windows\system32\drivers\kzvnows.sys --> c:\windows\system32\drivers\kzvnows.sys [?]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [03/01/2007 10:20 PM 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [03/01/2007 10:18 PM 18944]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [01/11/2007 10:09 PM 513152]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [01/11/2007 10:09 PM 2688]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [06/10/2008 9:19 PM 33752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [03/11/2008 6:15 PM 13352]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [22/04/2009 10:34 PM 34352]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [01/11/2007 9:30 PM 2688]
S3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [11/08/2008 11:42 PM 90568]
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.mypixmania.com/partenaires/dsg/
uInternet Settings,ProxyOverride = local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} - hxxp://bueno.com/Bueno.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://my.londonexternal.ac.uk/webmail02/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\extensions\mozilladialer1019@bueno.com\plugins\npbueno.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-17 18:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-4121545613-1257170760-2841330525-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3ED551B2-27E5-BB28-7579-46BEADF7C656}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oamnhdejnblncjkbpljmghngihapnl"=hex:64,61,6d,68,6f,62,63,63,00,80
"oaiepdjmhloihidncbbcclnphhjfig"=hex:69,61,67,67,61,66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
"nacfncbbjbbonijahdgnneojdafp"=hex:69,61,67,67,61,66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(8092)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-05-17 18:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 17:43
ComboFix2.txt 2009-05-16 15:56
ComboFix3.txt 2009-05-12 22:26
ComboFix4.txt 2009-04-24 15:25
Pre-Run: 35,362,156,544 bytes free
Post-Run: 35,265,359,872 bytes free
273 --- E O F --- 2009-05-13 08:42


Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3
17/05/2009 6:12:38 PM
mbam-log-2009-05-17 (18-12-38).txt
Scan type: Full Scan (C:\|)
Objects scanned: 182825
Time elapsed: 58 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 19
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\wafiguvu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yosineku.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f276bd01-6daf-427b-a23d-e74199195624} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f276bd01-6daf-427b-a23d-e74199195624} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f276bd01-6daf-427b-a23d-e74199195624} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hikagejawi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yosineku.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yosineku.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pavuppad.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\wafiguvu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kabahigo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yosineku.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\RECYCLER\S-9-4-55-100015932-100011182-100029804-9317.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\temp\DivxFree.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\temp\rasesnet.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\temp\~nsu.tmp\Au_.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\Temporary Internet Files\Content.IE5\CHVCA2NO\MediaCodec[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\Temporary Internet Files\Content.IE5\CHVCA2NO\logo[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\Temporary Internet Files\Content.IE5\MGCV2Q8B\logo[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Natasha\Local Settings\Temporary Internet Files\Content.IE5\RZSP9CYG\MediaCodec[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rotirufe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vefofodi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7011968.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lebenesa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hodisuto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
weeksn is offline   Reply With Quote
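The Userinit line in the MBAM log above is why deleting pavuppad.exe by hand was not the end of it: Winlogon\Userinit listed it next to userinit.exe, so it would be started again at every logon, and the ComboFix log in the same post shows EnableFirewall=0 and Security Center DisableMonitoring=1. The following is an added example, not code from this thread, ComboFix or Malwarebytes, that parses a finding line in the MBAM format and a REGEDIT4-style block in the ComboFix format (both constructed here after the log lines above) and flags the Userinit extras and the weakened settings; all function and constant names are the example's own.

```python
"""Flag the logon persistence and self-defence findings that show up in this
thread's MBAM and ComboFix logs. Added example, not code from the thread or tools."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the MBAM "Registry Data Items Infected" line format,
# modelled on the Winlogon\Userinit line in the log above (not copied verbatim).
SAMPLE_MBAM_DATA_ITEM = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,"
    r"C:\WINDOWS\system32\pavuppad.exe,) Good: (userinit.exe) "
    r"-> Quarantined and deleted successfully."
)

# Constructed sample in the REGEDIT4 style of ComboFix's "Reg Loading Points",
# reduced to the two self-defence settings that appear in the log above.
SAMPLE_REG_BLOCK = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# MBAM line shape: <key> (<category>) -> Bad: (<bad>) Good: (<good>) -> <status>
MBAM_DATA_RE = re.compile(
    r"^(?P<key>.+?) \((?P<category>[^()]+)\) -> Bad: \((?P<bad>.*?)\) "
    r"Good: \((?P<good>.*?)\) -> (?P<status>.+)$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')

# (lower-case fragment of the key path, value name) -> DWORD that counts as a
# finding. Both settings are the ones the ComboFix log in this thread reports.
WEAK_SETTINGS = {
    (r"firewallpolicy\standardprofile", "EnableFirewall"): 0,
    (r"security center\monitoring", "DisableMonitoring"): 1,
}


@dataclass
class DataItem:
    key: str
    category: str
    bad: str
    good: str
    status: str


def parse_mbam_data_item(line: str) -> Optional[DataItem]:
    """Parse one MBAM 'Registry Data Items Infected' line, or return None."""
    m = MBAM_DATA_RE.match(line.strip())
    return DataItem(**m.groupdict()) if m else None


def userinit_extras(value: str, system_dir: str = r"C:\WINDOWS\system32") -> List[str]:
    """Return every entry of a Winlogon\\Userinit value other than the real
    userinit.exe. The value is comma separated and normally ends in a comma,
    so the empty last element is expected and ignored."""
    expected = {"userinit.exe", (system_dir + r"\userinit.exe").lower()}
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() not in expected]


def reg_value_as_int(data: str) -> Optional[int]:
    """ComboFix prints DWORDs either as 'dword:00000001' or as '0 (0x0)'."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^(\d+) \(0x[0-9a-fA-F]+\)$", data)
    return int(m.group(1)) if m else None


def weak_settings(reg_block: str) -> List[Tuple[str, str, int]]:
    """Walk a REGEDIT4-style block and return (key, name, value) for every
    setting that switches off the Windows firewall or Security Center alerts.
    Third-party suites (ESET in this log) set some of these legitimately, so
    each hit is a lead to confirm, not a verdict."""
    found = []
    key = ""
    for raw in reg_block.splitlines():
        line = raw.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key")  # values that follow belong to this key
            continue
        vm = REG_VALUE_RE.match(line)
        if not vm:
            continue
        value = reg_value_as_int(vm.group("data"))
        for (key_part, name), bad in WEAK_SETTINGS.items():
            if key_part in key.lower() and vm.group("name") == name and value == bad:
                found.append((key, name, value))
    return found


if __name__ == "__main__":
    item = parse_mbam_data_item(SAMPLE_MBAM_DATA_ITEM)
    print("Userinit extras:", userinit_extras(item.bad) if item else "unparsed")
    print("Weak settings:", weak_settings(SAMPLE_REG_BLOCK))
```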
Old 05-18-2009   #11
Tech Support Team
 
Crush's Avatar
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Default Re: A few logs to review

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\kizosewa.dll

Folder::
c:\windows\system32\bookls
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush is offline   Reply With Quote
Old 05-19-2009   #12
Bronze Member
 
Join Date: Sep 2008
Posts: 31
PC Experience: Some Experience
Default Re: A few logs to review

ComboFix 09-05-19.04 - Natasha 19/05/2009 20:29.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.497 [GMT 1:00]
Running from: c:\documents and settings\Natasha\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Natasha\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FILE ::
c:\windows\system32\kizosewa.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bookls
c:\windows\system32\bookls\dooi.poc
c:\windows\system32\bookls\orde.poc
c:\windows\system32\kizosewa.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.
2009-05-18 13:17 . 2009-05-18 13:17 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-18 13:01 . 2009-05-18 13:01 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-05-18 12:49 . 2008-04-07 04:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll
2009-05-18 12:49 . 2008-04-07 04:38 45392 ----a-r c:\windows\system32\AdobePDF.dll
2009-05-18 11:53 . 2009-05-18 11:53 -------- d-----w c:\documents and settings\Natasha\Application Data\Download Manager
2009-05-17 18:18 . 2005-12-06 03:26 2010240 ----a-r c:\windows\system32\drivers\lvpopflt.sys
2009-05-17 18:18 . 2005-12-06 02:27 2112 ----a-r c:\windows\system32\Repository.reg
2009-05-17 18:18 . 2005-12-06 03:22 110592 ----a-r c:\windows\system32\lvcoinst.dll
2009-05-17 18:18 . 2005-12-06 03:26 39424 ----a-r c:\windows\system32\drivers\LVUSBSta.sys
2009-05-17 18:18 . 2005-12-06 03:26 380928 ----a-r c:\windows\system32\LVUI2RC.dll
2009-05-17 18:18 . 2005-12-06 03:25 217088 ----a-r c:\windows\system32\LVUI2.dll
2009-05-17 18:18 . 2005-12-06 03:25 204800 ----a-r c:\windows\system32\lvcodec2.dll
2009-05-17 18:18 . 2005-12-06 03:28 142848 ----a-r c:\windows\system32\drivers\lvmjpeg.sys
2009-05-17 18:18 . 2005-12-06 03:28 1103488 ----a-r c:\windows\system32\drivers\lvuvc.sys
2009-05-17 18:17 . 2005-12-06 03:28 14080 ----a-r c:\windows\system32\drivers\lvuvcflt.sys
2009-05-12 10:42 . 2008-06-19 16:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-04 10:27 . 2009-05-04 10:27 -------- d-----w c:\documents and settings\All Users\Application Data\Source
2009-05-04 10:27 . 2009-05-04 10:21 241 ----a-w c:\documents and settings\All Users\Application Data\Setting.dat
2009-04-27 12:17 . 2009-04-27 12:17 -------- d-----w c:\program files\Common Files\xing shared
2009-04-27 10:24 . 2009-04-27 10:24 -------- d-sh--w c:\documents and settings\Natasha\IECompatCache
2009-04-22 21:23 . 2009-04-22 21:23 -------- d-----w c:\documents and settings\Natasha\Application Data\Canneverbe_Limited
2009-04-22 21:21 . 2009-04-22 21:21 -------- d-----w c:\program files\CDBurnerXP
2009-04-22 21:13 . 2009-04-22 21:14 -------- d-----w C:\OS
2009-04-22 20:34 . 2009-04-22 20:34 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-20 08:28 . 2009-05-12 15:24 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-20 07:10 . 2009-05-12 15:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-20 07:08 . 2009-04-20 07:08 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-20 07:08 . 2009-04-20 07:08 -------- d-----w c:\program files\Lavasoft
2009-04-20 07:08 . 2009-04-20 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 19:10 . 2009-05-17 18:18 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-19 11:45 . 2007-07-27 00:32 -------- d-----w c:\program files\Lexmark 1200 Series
2009-05-18 13:01 . 2008-07-03 19:36 -------- d-----w c:\program files\Common Files\Adobe
2009-05-17 18:15 . 2006-11-26 19:26 -------- d-----w c:\program files\Common Files\Logitech
2009-05-17 18:12 . 2007-07-21 20:30 -------- d-----w c:\program files\Common Files\LogiShrd
2009-05-06 01:11 . 2007-03-26 20:17 -------- d-----w c:\program files\Yahoo!
2009-04-28 03:30 . 2009-01-21 15:19 -------- d-----w c:\program files\Hotspot Shield
2009-04-27 12:17 . 2007-05-16 10:48 -------- d-----w c:\program files\Common Files\Real
2009-04-20 20:05 . 2009-04-07 15:48 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 08:55 . 2008-12-15 22:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 08:44 . 2006-11-26 21:35 -------- d-----w c:\program files\LimeWire
2009-04-14 13:29 . 2006-11-26 21:36 -------- d-----w c:\program files\Java
2009-04-07 00:58 . 2009-03-21 20:22 -------- d-----w c:\program files\ESET
2009-04-06 14:32 . 2008-12-15 22:03 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-15 22:03 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 . 2009-02-06 20:12 33256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-03-09 04:19 . 2008-12-18 19:54 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-07-04 23:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-10-19 22:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-04-09 11:04 78336 ----a-w c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-12_22.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 19:15 . 2009-05-19 19:15 16384 c:\windows\Temp\Perflib_Perfdata_834.dat
+ 2009-05-19 19:10 . 2009-05-19 19:10 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat
+ 2009-05-18 13:01 . 2008-04-28 04:30 29312 c:\windows\system32\spool\drivers\w32x86\3\ADREGP.DLL
+ 2009-05-18 13:01 . 2008-04-07 04:38 22872 c:\windows\system32\spool\drivers\w32x86\3\AdobePDFUI.dll
+ 2009-05-18 13:01 . 2008-04-07 04:38 45392 c:\windows\system32\spool\drivers\w32x86\3\AdobePdf.dll
+ 2008-10-20 20:44 . 2009-05-17 23:16 88590 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-17 15:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-17 15:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-10-19 22:31 . 2009-05-17 15:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-11-28 21:27 . 2009-05-13 08:42 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-22 18:05 . 2007-03-22 18:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
+ 2006-11-28 21:27 . 2009-05-13 08:42 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-05-17 18:18 . 2005-12-06 03:25 159744 c:\windows\twain_32\QuickCam\lvWIAext.dll
+ 2009-05-18 13:01 . 2008-04-13 23:12 543232 c:\windows\system32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2009-05-18 13:01 . 2008-04-13 23:12 728576 c:\windows\system32\spool\drivers\w32x86\3\PS5UI.DLL
+ 2009-05-18 13:01 . 2008-04-07 04:37 193904 c:\windows\system32\spool\drivers\w32x86\3\ADUIGP.DLL
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2005-10-19 15:19 . 2009-05-18 15:37 213672 c:\windows\system32\FNTCACHE.DAT
- 2006-11-26 19:34 . 2005-12-09 15:35 245824 c:\windows\Instexec.exe
+ 2006-11-26 19:34 . 2005-12-09 14:35 245824 c:\windows\Instexec.exe
+ 2009-05-18 13:01 . 2009-05-18 15:33 335872 c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000004}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-06-05 17:40 . 2008-06-05 17:40 660856 c:\windows\Downloaded Program Files\Manager.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-24 17:20 215528 ----a-w c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-30 737370]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2006-05-17 1200128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-09 98304]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-12 516440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-27 198160]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-28 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TMMonitor.lnk
backup=c:\windows\pss\TMMonitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\FreePhoneLine\\FreePhoneLine.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57779:TCP"= 57779:TCP:PandoRest Listening Port
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [20/04/2009 8:10 AM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/05/2009 11:42 AM 28544]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 8:21 AM 468224]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [22/04/2009 2:12 AM 328752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 8:06 PM 953168]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [29/08/2008 6:29 PM 835208]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [06/02/2009 9:12 PM 33256]
S0 ggosz;ggosz;c:\windows\system32\drivers\kzvnows.sys --> c:\windows\system32\drivers\kzvnows.sys [?]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [03/01/2007 10:20 PM 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [03/01/2007 10:18 PM 18944]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [01/11/2007 10:09 PM 513152]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [01/11/2007 10:09 PM 2688]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [06/10/2008 9:19 PM 33752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [03/11/2008 6:15 PM 13352]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [22/04/2009 10:34 PM 34352]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [01/11/2007 9:30 PM 2688]
S3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [11/08/2008 11:42 PM 90568]
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.mypixmania.com/partenaires/dsg/
uInternet Settings,ProxyOverride = local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} - hxxp://bueno.com/Bueno.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://my.londonexternal.ac.uk/webmail02/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Natasha\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\extensions\mozilladialer1019@bueno.com\plugins\npbueno.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-19 20:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-4121545613-1257170760-2841330525-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3ED551B2-27E5-BB28-7579-46BEADF7C656}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oamnhdejnblncjkbpljmghngihapnl"=hex:64,61,6d,68,6f,62,63,63,00,80
"oaiepdjmhloihidncbbcclnphhjfig"=hex:69,61,67,67,61,66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
"nacfncbbjbbonijahdgnneojdafp"=hex:69,61,67,67,61,66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
.
Completion time: 2009-05-19 20:34
ComboFix-quarantined-files.txt 2009-05-19 19:33
ComboFix2.txt 2009-05-17 17:43
ComboFix3.txt 2009-05-16 15:56
ComboFix4.txt 2009-05-12 22:26
ComboFix5.txt 2009-05-19 19:28
Pre-Run: 31,771,635,712 bytes free
Post-Run: 31,771,160,576 bytes free
275 --- E O F --- 2009-05-13 08:42

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:21 PM, on 19/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mypixmania.com/partenaires/dsg/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173874683625
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} (BuenoCtl Class) - http://bueno.com/Buenonew.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} (BuenoCtl Class) - http://bueno.com/Buenonew.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://my.londonexternal.ac.uk/webmail02/dwa8W.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 14506 bytes
Old 05-19-2009   #13
Tech Support Team
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Default Re: A few logs to review

Thanks Weeksn. I will look these over and get back to you ASAP
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Old 06-12-2009   #14
Tech Support Team
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Default Re: A few logs to review

Hello,

I'm just following up. Do you still require assistance in removing your malware? Or can we put this one to bed?

If you are still in need of assistance please follow the procedure located at the top of the forum.

Regards,
Crush
PCHF Security Team Leader
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this
