Pending: A few logs to review

weeksn · 05-12-2009

I ran the scans because I could not enter any data/text on websites I opened with internet explorer. I could click and select links but I was unable to input any information.

I was also suspicious of the information requested when I tried logging on to my internet banking account using Internet Explorer. When I opened the site with Firefox it did not require such information.

So far I've done the following:

Run MBAM
Run Hijackthis
Run Panda Security ActiveScan
Run Ad-Aware
Run MBAM
Run Hijackthis

Finally I reinstalled internet explorer 7. Everything appears to be running normally now. I would appreciate if you would have a look and give me the all clear.

Below you will find the reports of all these scans.

Malwarebytes' Anti-Malware 1.36
Database version: 2014
Windows 5.1.2600 Service Pack 3
12/05/2009 11:19:55 AM
mbam-log-2009-05-12 (11-19-55).txt
Scan type: Full Scan (C:\|)
Objects scanned: 186531
Time elapsed: 52 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Trojan.Banker) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\internat (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\syste m32\sdra64.exe,C:\WINDOWS\system32\pavuppad.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot.
Files Infected:
C:\WINDOWS\internat.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot.
C:\WINDOWS\Temp\wpv071241460535.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv241241994252.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:30 AM, on 12/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mypixmania.com/partenaires/dsg/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\pavuppad.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173874683625
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} (BuenoCtl Class) - http://bueno.com/Buenonew.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} (BuenoCtl Class) - http://bueno.com/Buenonew.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://my.londonexternal.ac.uk/webmail02/dwa8W.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 13201 bytes

Panda Active Scan
;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-05-12 16:21:26
PROTECTIONS: 1
MALWARE: 36
SUSPECTS: 2
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
ESET Smart Security 3.0 3.0 Yes Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@tradedoubler[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@247realmedia[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@mediaplex[2].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@anm.co[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@revenue[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@apmebf[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@bs.serving-sys[2].txt
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@888[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@media.adrevolver[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@questionmarket[1].txt
00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@int.sitestat[1].txt
00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@int.sitestat[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@bluestreak[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adrevolver[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@go[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@searchportal.informat ion[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@target[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adviva[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atwola[2].txt
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@smartadserver[2].txt
00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\Natasha\Desktop\SmitfraudFix\IEDFix.C.exe
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{A5F779F7-F7A5-44A5-88CC-084C6BB92F78}\RP18\A0006884.sys
00817320 Trj/Downloader.VVD Virus/Trojan No 0 Yes No C:\Documents and Settings\Natasha\Local Settings\temp\~TM203.tmp
00817320 Trj/Downloader.VVD Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wbem\proquota.exe
02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@adsrevenue[2].txt
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wbem\grpconv.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Natasha\Local Settings\temp\~TM1F7.tmp
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Natasha\Desktop\SmitfraudFix.exe
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location ͞
;================================================= ================================================== ================================================== ==============================
No C:\Documents and Settings\Natasha\Desktop\u93[1]\U94.exe ͞
No C:\Documents and Settings\Natasha\My Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe[C:\Documents and Settings\Natasha\My Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe][123.exe]
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description ͞
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================

Logfile created: 12/05/2009 16:28:30
Lavasoft Ad-Aware version: 8.0.4
Extended engine version: 8.1
User performing scan: Natasha
*********************** Definitions database information ***********************
Lavasoft definition file: 148.28
Extended engine definition file: 8.1
******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 136659
Objects detected: 48

Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 47
Browser hijacks.: 0
MRU objects.....: 0

Removed items:
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *revenue* Family Name: Cookies Clean status: Success Item ID: 409138 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *clickshift* Family Name: Cookies Clean status: Success Item ID: 409273 Family ID: 0
Description: *estat* Family Name: Cookies Clean status: Success Item ID: 408873 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *partypoker* Family Name: Cookies Clean status: Success Item ID: 409141 Family ID: 0
Description: *wunderloop* Family Name: Cookies Clean status: Success Item ID: 599639 Family ID: 0
Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
Description: *247realmedia* Family Name: Cookies Clean status: Success Item ID: 408945 Family ID: 0
Description: *realmedia* Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *adrevolver* Family Name: Cookies Clean status: Success Item ID: 408932 Family ID: 0
Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *adviva* Family Name: Cookies Clean status: Success Item ID: 409016 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
Description: *casalemedia* Family Name: Cookies Clean status: Success Item ID: 409152 Family ID: 0
Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *media.adrevolver* Family Name: Cookies Clean status: Success Item ID: 409144 Family ID: 0
Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
Description: *kelkoo* Family Name: Cookies Clean status: Success Item ID: 408851 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0
Description: *revenue* Family Name: Cookies Clean status: Success Item ID: 409138 Family ID: 0
Description: *searchportal.information* Family Name: Cookies Clean status: Success Item ID: 409134 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0
Description: *tradedoubler* Family Name: Cookies Clean status: Success Item ID: 408964 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0
Quarantined items:
Description: C:\System Volume Information\_restore{A5F779F7-F7A5-44A5-88CC-084C6BB92F78}\RP18\A0006982.exe Family Name: Win32.TrojanDownloader.Bredolab Clean status: Success Item ID: 754677 Family ID: 754676
Scan and cleaning complete: Finished correctly after 1954 seconds
*********************************** Settings ***********************************
Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav
Scheduled scan settings:
<Empty>
Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Mon Apr 20 08:10:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Mon Apr 20 08:10:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language
Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: true
ID: networkprotection, enabled:0, value: true
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: strict, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

****************************** System information ******************************
Computer name: ADVENT
Processor name: Genuine Intel(R) CPU T2050 @ 1.60GHz
Processor identifier: x86 Family 6 Model 14 Stepping 8
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3592, number of processors 2
Physical memory available: 398401536 bytes
Physical memory total: 1063366656 bytes
Virtual memory available: 2008797184 bytes
Virtual memory total: 2147352576 bytes
Memory load: 62%
Microsoft Windows XP Professional Service Pack 3 (build 2600)
Windows startup mode:
Running processes:
PID: 644 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 668 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 716 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 728 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 900 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1028 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1068 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1132 name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1160 name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1192 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1496 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2020 name: C:\WINDOWS\system32\LEXBCES.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 152 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 232 name: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1368 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 452 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 484 name: C:\Program Files\ESET\ESET Smart Security\ekrn.exe owner: SYSTEM domain: NT AUTHORITY
PID: 516 name: C:\Program Files\Hotspot Shield\bin\openvpnas.exe owner: SYSTEM domain: NT AUTHORITY
PID: 632 name: C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 920 name: C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 952 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 976 name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1276 name: C:\Program Files\CDBurnerXP\NMSAccessU.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1404 name: C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1664 name: C:\WINDOWS\system32\HPZipm12.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1720 name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1776 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1828 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1588 name: C:\WINDOWS\ehome\mcrdsvc.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2412 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2436 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2596 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2508 name: C:\WINDOWS\Explorer.EXE owner: Natasha domain: ADVENT
PID: 4072 name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe owner: Natasha domain: ADVENT
PID: 376 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 200 name: C:\WINDOWS\ehome\ehtray.exe owner: Natasha domain: ADVENT
PID: 292 name: C:\WINDOWS\system32\igfxtray.exe owner: Natasha domain: ADVENT
PID: 2012 name: C:\WINDOWS\system32\hkcmd.exe owner: Natasha domain: ADVENT
PID: 340 name: C:\WINDOWS\system32\igfxpers.exe owner: Natasha domain: ADVENT
PID: 444 name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe owner: Natasha domain: ADVENT
PID: 1336 name: C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe owner: Natasha domain: ADVENT
PID: 1436 name: C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe owner: Natasha domain: ADVENT
PID: 1600 name: C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe owner: Natasha domain: ADVENT
PID: 600 name: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe owner: Natasha domain: ADVENT
PID: 2120 name: C:\WINDOWS\system32\rundll32.exe owner: Natasha domain: ADVENT
PID: 2336 name: C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe owner: Natasha domain: ADVENT
PID: 2540 name: C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe owner: Natasha domain: ADVENT
PID: 2064 name: C:\Program Files\QuickTime\qttask.exe owner: Natasha domain: ADVENT
PID: 2860 name: C:\WINDOWS\VM_STI.EXE owner: Natasha domain: ADVENT
PID: 2896 name: C:\Program Files\ESET\ESET Smart Security\egui.exe owner: Natasha domain: ADVENT
PID: 2948 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: Natasha domain: ADVENT
PID: 3012 name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe owner: Natasha domain: ADVENT
PID: 3040 name: C:\WINDOWS\system32\ctfmon.exe owner: Natasha domain: ADVENT
PID: 3136 name: C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe owner: Natasha domain: ADVENT
PID: 1456 name: C:\WINDOWS\system32\igfxext.exe owner: Natasha domain: ADVENT
PID: 3820 name: C:\WINDOWS\system32\igfxsrvc.exe owner: Natasha domain: ADVENT
PID: 3680 name: C:\WINDOWS\system32\svchost.exe owner: Natasha domain: ADVENT
PID: 3488 name: C:\Program Files\Windows Live\Messenger\msnmsgr.exe owner: Natasha domain: ADVENT
PID: 1660 name: C:\Program Files\Windows Live\Contacts\wlcomm.exe owner: Natasha domain: ADVENT
PID: 3592 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1376 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Natasha domain: ADVENT
PID: 3024 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1748 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Natasha domain: ADVENT
Startup items:
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: CTFMON.EXE
imagepath: C:\WINDOWS\system32\CTFMON.EXE
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: ehTray
imagepath: C:\WINDOWS\ehome\ehtray.exe
Name: Recguard
imagepath: C:\WINDOWS\SMINST\RECGUARD.EXE
Name: igfxtray
imagepath: C:\WINDOWS\system32\igfxtray.exe
Name: igfxhkcmd
imagepath: C:\WINDOWS\system32\hkcmd.exe
Name: igfxpers
imagepath: C:\WINDOWS\system32\igfxpers.exe
Name: High Definition Audio Property Page Shortcut
imagepath: CHDAudPropShortcut.exe
Name: SynTPEnh
imagepath: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Name: IntelZeroConfig
imagepath: "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
Name: IntelWireless
imagepath: "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
Name: EOUApp
imagepath: "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
Name: IAAnotif
imagepath: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
Name: BluetoothAuthenticationAgent
imagepath: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Name: LogitechCommunicationsManager
imagepath: "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
Name: Keyboard Manager Utility
imagepath: "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Name: BigDogPath
imagepath: C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
Name: egui
imagepath: "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
Name: SunJavaUpdateSched
imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe"
Name: Ad-Watch
imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Name: TkBellExe
imagepath: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: lsdelete
Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: AudioSrv
displayname: Windows Audio
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Browser
displayname: Computer Browser
Name: BthServ
displayname: Bluetooth Support Service
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: dmserver
displayname: Logical Disk Manager
Name: Dnscache
displayname: DNS Client
Name: ekrn
displayname: Eset Service
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: EvtEng
displayname: Intel(R) PROSet/Wireless Event Log
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: helpsvc
displayname: Help and Support
Name: HidServ
displayname: HID Input Service
Name: HotspotShieldService
displayname: Hotspot Shield Service
Name: HssSrv
displayname: Hotspot Shield Helper Service
Name: HTTPFilter
displayname: HTTP SSL
Name: IAANTMon
displayname: Intel(R) Matrix Storage Event Monitor
Name: JavaQuickStarterService
displayname: Java Quick Starter
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LexBceS
displayname: LexBce Server
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: LVCOMSer
displayname: LVCOMSer
Name: LVPrcSrv
displayname: Process Monitor
Name: McrdSvc
displayname: Media Center Extender Service
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: NMSAccessU
displayname: NMSAccessU
Name: OpenCASE Media Agent
displayname: OpenCASE Media Agent
Name: PlugPlay
displayname: Plug and Play
Name: Pml Driver HPZ12
displayname: Pml Driver HPZ12
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RegSrvc
displayname: Intel(R) PROSet/Wireless Registry Service
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: S24EventMonitor
displayname: Intel(R) PROSet/Wireless Service
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: W32Time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration

Malwarebytes' Anti-Malware 1.36
Database version: 2116
Windows 5.1.2600 Service Pack 3
12/05/2009 6:21:08 PM
mbam-log-2009-05-12 (18-21-08).txt
Scan type: Full Scan (C:\|)
Objects scanned: 194493
Time elapsed: 51 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:08 PM, on 12/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mypixmania.com/partenaires/dsg/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\pavuppad.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173874683625
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} (BuenoCtl Class) - http://bueno.com/Buenonew.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} (BuenoCtl Class) - http://bueno.com/Buenonew.cab
O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} (BuenoCtl Class) - http://bueno.com/Bueno.cab
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://my.londonexternal.ac.uk/webmail02/dwa8W.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 13238 bytes

Crush · 05-12-2009

weeksn,

Wow. Thank you for being so thorough. It makes my job easier

. Let's just make sure there is no more malware.

Next, lets download ComboFix.exe. This will give me a better view to the files running, those that are hidden, and also those in the registry..Please download from one of these webpages .

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the log in your next reply

weeksn · 05-13-2009

ComboFix 09-05-12.04 - Natasha 12/05/2009 23:14.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.501 [GMT 1:00]
Running from: c:\documents and settings\Natasha\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Natasha\Application Data\wiaserva.log
c:\windows\system32\inform.dat
.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.
2009-05-12 10:42 . 2008-06-19 16:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-04 10:27 . 2009-05-04 10:27 -------- d-----w c:\documents and settings\All Users\Application Data\Source
2009-05-04 10:27 . 2009-05-04 10:21 241 ----a-w c:\documents and settings\All Users\Application Data\Setting.dat
2009-04-27 12:17 . 2009-04-27 12:17 -------- d-----w c:\program files\Common Files\xing shared
2009-04-27 10:24 . 2009-04-27 10:24 -------- d-sh--w c:\documents and settings\Natasha\IECompatCache
2009-04-22 21:23 . 2009-04-22 21:23 -------- d-----w c:\documents and settings\Natasha\Application Data\Canneverbe_Limited
2009-04-22 21:21 . 2009-04-22 21:21 -------- d-----w c:\program files\CDBurnerXP
2009-04-22 21:13 . 2009-04-22 21:14 -------- d-----w C:\OS
2009-04-22 20:34 . 2009-04-22 20:34 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-20 08:28 . 2009-05-12 15:24 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-20 07:10 . 2009-05-12 15:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-20 07:08 . 2009-04-20 07:08 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-20 07:08 . 2009-04-20 07:08 -------- d-----w c:\program files\Lavasoft
2009-04-20 07:08 . 2009-04-20 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-16 18:44 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:44 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:44 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 18:44 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:44 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:44 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:44 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:44 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:44 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:43 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 18:43 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:08 . 2009-04-13 16:08 -------- d-sh--w c:\documents and settings\Guest\PrivacIE
2009-04-13 16:07 . 2009-04-13 16:07 -------- d-----w c:\documents and settings\Guest\Application Data\ESET
2009-04-13 16:06 . 2009-04-13 16:06 -------- d-sh--w c:\documents and settings\Guest\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-12 16:17 . 2009-04-21 18:19 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-06 01:11 . 2007-03-26 20:17 -------- d-----w c:\program files\Yahoo!
2009-04-28 21:50 . 2007-07-27 00:32 -------- d-----w c:\program files\Lexmark 1200 Series
2009-04-28 03:30 . 2009-01-21 15:19 -------- d-----w c:\program files\Hotspot Shield
2009-04-27 12:17 . 2007-05-16 10:48 -------- d-----w c:\program files\Common Files\Real
2009-04-20 20:05 . 2009-04-07 15:48 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 08:55 . 2008-12-15 22:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 08:44 . 2006-11-26 21:35 -------- d-----w c:\program files\LimeWire
2009-04-14 13:29 . 2006-11-26 21:36 -------- d-----w c:\program files\Java
2009-04-07 00:58 . 2009-03-21 20:22 -------- d-----w c:\program files\ESET
2009-04-06 14:32 . 2008-12-15 22:03 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-15 22:03 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 . 2009-02-06 20:12 33256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-03-09 04:19 . 2008-12-18 19:54 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-07-04 23:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-10-19 22:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-04-09 11:04 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-15 21:27 . 2006-03-31 15:09 48648 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-24 17:20 215528 ----a-w c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-30 737370]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2006-05-17 1200128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-09 98304]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-12 516440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-27 198160]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-28 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"EnableProfileQuota"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\wi ndows\system32\pavuppad.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TMMonitor.lnk
backup=c:\windows\pss\TMMonitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\FreePhoneLine\\FreePhoneLine.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr .exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"57779:TCP"= 57779:TCP:PandoRest Listening Port
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [20/04/2009 8:10 AM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboo t.sys [12/05/2009 11:42 AM 28544]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 8:21 AM 468224]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [22/04/2009 2:12 AM 328752]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [29/08/2008 6:29 PM 835208]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [06/02/2009 9:12 PM 33256]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 8:06 PM 953168]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_22 5.sys [03/01/2007 10:20 PM 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225 .sys [03/01/2007 10:18 PM 18944]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\dr ivers\DrmRDriverV32.sys [01/11/2007 10:09 PM 513152]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\driver s\DrmRVideo32.sys [01/11/2007 10:09 PM 2688]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [06/10/2008 9:19 PM 33752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [03/11/2008 6:15 PM 13352]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [22/04/2009 10:34 PM 34352]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\ MovRVDrv32.sys [01/11/2007 9:30 PM 2688]
S3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [11/08/2008 11:42 PM 90568]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{18591042-0b79-11db-a0d7-806d6172696f}]
\Shell\AutoRun\command - D:\OEMBranding.exe
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2268821f-6056-11dc-b271-0016368b3df4}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{231f04f0-5c09-11dc-b269-0016368b3df4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{26b1a6da-895c-11dd-b4d7-0016368b3df4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{dfab8afe-f590-11db-b177-0016368b3df4}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.mypixmania.com/partenaires/dsg/
uInternet Settings,ProxyOverride = local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} - hxxp://bueno.com/Bueno.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://my.londonexternal.ac.uk/webmail02/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\npr pbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\ext ensions\mozilladialer1019@bueno.com\plugins\npbuen o.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-12 23:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

c:\windows\system32\bookls
c:\windows\system32\pavuppad.exe 361472 bytes executable
scan completed successfully
hidden files: 2
************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-4121545613-1257170760-2841330525-1006\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\{3ED551B2-27E5-BB28-7579-46BEADF7C656}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oamnhdejnblncjkbpljmghngihapnl"=hex:64,61,6d,68,6 f,62,63,63,00,80
"oaiepdjmhloihidncbbcclnphhjfig"=hex:69,61,67,67,6 1,66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
"nacfncbbjbbonijahdgnneojdafp"=hex:69,61,67,67,61, 66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
.
Completion time: 2009-05-12 23:26
ComboFix-quarantined-files.txt 2009-05-12 22:25
ComboFix2.txt 2009-04-24 15:25
Pre-Run: 35,141,709,824 bytes free
Post-Run: 35,444,809,728 bytes free
217 --- E O F --- 2009-05-12 20:01

Crush · 05-13-2009

Weeksn,

Please navigate to the following files/folders and delete them

c:\windows\system32\bookls
c:\windows\system32\pavuppad.exe

Then, right click on your recycle bin and empty it to completely remove them fror your machine

weeksn · 05-14-2009

I performed a search and could not locate the following file/folder:
c:\windows\system32\bookls

I tried deleting the following file but got a message saying: Cannot delete file: Cannot read from source file or disk
c:\windows\system32\pavuppad.exe

Crush · 05-15-2009

This ought to get rid of them

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:

File::
 c:\windows\system32\pavuppad.exe

Folder::
c:\windows\system32\bookls

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*

weeksn · 05-16-2009

ComboFix 09-05-12.04 - Natasha 16/05/2009 16:45.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.521 [GMT 1:00]
Running from: c:\documents and settings\Natasha\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Natasha\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\pavuppad.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bookls
c:\windows\system32\bookls\dooi.poc
c:\windows\system32\bookls\orde.poc
.
((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.
2009-05-12 10:42 . 2008-06-19 16:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-04 10:27 . 2009-05-04 10:27 -------- d-----w c:\documents and settings\All Users\Application Data\Source
2009-05-04 10:27 . 2009-05-04 10:21 241 ----a-w c:\documents and settings\All Users\Application Data\Setting.dat
2009-04-27 12:17 . 2009-04-27 12:17 -------- d-----w c:\program files\Common Files\xing shared
2009-04-27 10:24 . 2009-04-27 10:24 -------- d-sh--w c:\documents and settings\Natasha\IECompatCache
2009-04-22 21:23 . 2009-04-22 21:23 -------- d-----w c:\documents and settings\Natasha\Application Data\Canneverbe_Limited
2009-04-22 21:21 . 2009-04-22 21:21 -------- d-----w c:\program files\CDBurnerXP
2009-04-22 21:13 . 2009-04-22 21:14 -------- d-----w C:\OS
2009-04-22 20:34 . 2009-04-22 20:34 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-20 08:28 . 2009-05-12 15:24 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-20 07:10 . 2009-05-12 15:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-20 07:08 . 2009-04-20 07:08 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-20 07:08 . 2009-04-20 07:08 -------- d-----w c:\program files\Lavasoft
2009-04-20 07:08 . 2009-04-20 07:10 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-16 18:44 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:44 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:44 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 18:44 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:44 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:44 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:44 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:44 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:44 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:43 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 18:43 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-16 15:24 . 2009-04-21 18:19 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-06 01:11 . 2007-03-26 20:17 -------- d-----w c:\program files\Yahoo!
2009-04-28 21:50 . 2007-07-27 00:32 -------- d-----w c:\program files\Lexmark 1200 Series
2009-04-28 03:30 . 2009-01-21 15:19 -------- d-----w c:\program files\Hotspot Shield
2009-04-27 12:17 . 2007-05-16 10:48 -------- d-----w c:\program files\Common Files\Real
2009-04-20 20:05 . 2009-04-07 15:48 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-20 08:55 . 2008-12-15 22:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-20 08:44 . 2006-11-26 21:35 -------- d-----w c:\program files\LimeWire
2009-04-14 13:29 . 2006-11-26 21:36 -------- d-----w c:\program files\Java
2009-04-07 00:58 . 2009-03-21 20:22 -------- d-----w c:\program files\ESET
2009-04-06 14:32 . 2008-12-15 22:03 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-15 22:03 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 . 2009-02-06 20:12 33256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-03-09 04:19 . 2008-12-18 19:54 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2006-07-04 23:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-10-19 22:12 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-04-09 11:04 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-15 21:27 . 2006-03-31 15:09 48648 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-05-12_22.22.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 15:24 . 2009-05-16 15:24 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-16 15:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-10-19 22:31 . 2009-05-16 15:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-10-19 22:31 . 2009-05-12 20:08 32768 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
+ 2005-10-19 22:31 . 2009-05-16 15:25 32768 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
- 2006-11-28 21:27 . 2009-04-29 17:35 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-03-22 18:05 . 2007-03-22 18:05 97632 c:\windows\Installer\$PatchCache$\Managed\90401109 00063D11C8EF10054038389C\11.0.8173\PP7X32.DLL
- 2006-11-28 21:27 . 2009-04-29 17:35 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-11-28 21:27 . 2009-05-13 08:42 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2006-11-28 21:27 . 2009-04-29 17:35 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2006-11-29 21:52 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-24 17:20 215528 ----a-w c:\program files\Hotspot Shield\HssIE\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-30 737370]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2006-05-17 1200128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-09 98304]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-12 516440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-27 198160]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-28 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"EnableProfileQuota"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\wi ndows\system32\pavuppad.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TMMonitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TMMonitor.lnk
backup=c:\windows\pss\TMMonitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\FreePhoneLine\\FreePhoneLine.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr .exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"57779:TCP"= 57779:TCP:PandoRest Listening Port
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [20/04/2009 8:10 AM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboo t.sys [12/05/2009 11:42 AM 28544]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 8:21 AM 468224]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [22/04/2009 2:12 AM 328752]
R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [29/08/2008 6:29 PM 835208]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [06/02/2009 9:12 PM 33256]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 8:06 PM 953168]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_22 5.sys [03/01/2007 10:20 PM 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225 .sys [03/01/2007 10:18 PM 18944]
S3 DrmRDriverV32

rmRDriverV32;c:\windows\system32\dr ivers\DrmRDriverV32.sys [01/11/2007 10:09 PM 513152]
S3 DrmRVideo32

rmRVideo32;c:\windows\system32\driver s\DrmRVideo32.sys [01/11/2007 10:09 PM 2688]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [06/10/2008 9:19 PM 33752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [03/11/2008 6:15 PM 13352]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [22/04/2009 10:34 PM 34352]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\ MovRVDrv32.sys [01/11/2007 9:30 PM 2688]
S3 ZSMC302;VIMICRO USB PC Camera;c:\windows\system32\drivers\usbVM31b.sys [11/08/2008 11:42 PM 90568]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{18591042-0b79-11db-a0d7-806d6172696f}]
\Shell\AutoRun\command - D:\OEMBranding.exe
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2268821f-6056-11dc-b271-0016368b3df4}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{231f04f0-5c09-11dc-b269-0016368b3df4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{26b1a6da-895c-11dd-b4d7-0016368b3df4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{dfab8afe-f590-11db-b177-0016368b3df4}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.mypixmania.com/partenaires/dsg/
uInternet Settings,ProxyOverride = local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} - hxxp://bueno.com/Bueno.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} - hxxp://bueno.com/Buenonew.cab
DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} - hxxp://bueno.com/Bueno.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://my.londonexternal.ac.uk/webmail02/dwa8W.cab
FF - ProfilePath - c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\npr pbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Natasha\Application Data\Mozilla\Firefox\Profiles\nznl3okl.default\ext ensions\mozilladialer1019@bueno.com\plugins\npbuen o.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-16 16:52
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-4121545613-1257170760-2841330525-1006\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\{3ED551B2-27E5-BB28-7579-46BEADF7C656}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oamnhdejnblncjkbpljmghngihapnl"=hex:64,61,6d,68,6 f,62,63,63,00,80
"oaiepdjmhloihidncbbcclnphhjfig"=hex:69,61,67,67,6 1,66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
"nacfncbbjbbonijahdgnneojdafp"=hex:69,61,67,67,61, 66,64,68,68,65,64,65,68,6f,
65,67,62,6a,00,00
.
Completion time: 2009-05-16 16:56
ComboFix-quarantined-files.txt 2009-05-16 15:56
ComboFix2.txt 2009-05-12 22:26
ComboFix3.txt 2009-04-24 15:25
Pre-Run: 35,342,176,256 bytes free
Post-Run: 35,324,428,288 bytes free
256 --- E O F --- 2009-05-13 08:42

05-12-2009	#1
weeksn Bronze Member Join Date: Sep 2008 Posts: 31 PC Experience: Some Experience	A few logs to review I ran the scans because I could not enter any data/text on websites I opened with internet explorer. I could click and select links but I was unable to input any information. I was also suspicious of the information requested when I tried logging on to my internet banking account using Internet Explorer. When I opened the site with Firefox it did not require such information. So far I've done the following: Run MBAM Run Hijackthis Run Panda Security ActiveScan Run Ad-Aware Run MBAM Run Hijackthis Finally I reinstalled internet explorer 7. Everything appears to be running normally now. I would appreciate if you would have a look and give me the all clear. Below you will find the reports of all these scans. Malwarebytes' Anti-Malware 1.36 Database version: 2014 Windows 5.1.2600 Service Pack 3 12/05/2009 11:19:55 AM mbam-log-2009-05-12 (11-19-55).txt Scan type: Full Scan (C:\\|) Objects scanned: 186531 Time elapsed: 52 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 2 Registry Data Items Infected: 2 Folders Infected: 1 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Trojan.Banker) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Trojan.Banker) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\internat (Trojan.FakeAlert.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\syste m32\sdra64.exe,C:\WINDOWS\system32\pavuppad.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\system32\lowsec (Stolen.Data) -> Delete on reboot. Files Infected: C:\WINDOWS\internat.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Delete on reboot. C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Delete on reboot. C:\WINDOWS\Temp\wpv071241460535.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Temp\wpv241241994252.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:25:30 AM, on 12/05/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ESET\ESET Smart Security\ekrn.exe C:\Program Files\Hotspot Shield\bin\openvpnas.exe C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\CDBurnerXP\NMSAccessU.exe C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\ESET\ESET Smart Security\egui.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\igfxext.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mypixmania.com/partenaires/dsg/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\pavuppad.exe, O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173874683625 O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} (BuenoCtl Class) - http://bueno.com/Bueno.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} (BuenoCtl Class) - http://bueno.com/Bueno.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} (BuenoCtl Class) - http://bueno.com/Buenonew.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} (BuenoCtl Class) - http://bueno.com/Buenonew.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} (BuenoCtl Class) - http://bueno.com/Bueno.cab O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://my.londonexternal.ac.uk/webmail02/dwa8W.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 13201 bytes Panda Active Scan ;*********************************************** ********************************************** ********************************************** ************************** ANALYSIS: 2009-05-12 16:21:26 PROTECTIONS: 1 MALWARE: 36 SUSPECTS: 2 ;********************************************* ********************************************** ********************************************** ************************** PROTECTIONS Description Version Active Updated ;================================================= ================================================== ================================================== ============================== ESET Smart Security 3.0 3.0 Yes Yes ;================================================= ================================================== ================================================== ============================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;================================================= ================================================== ================================================== ============================== 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@casalemedia[2].txt 00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[2].txt 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt 00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@tradedoubler[1].txt 00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@247realmedia[2].txt 00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@fastclick[1].txt 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[1].txt 00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@mediaplex[2].txt 00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@anm.co[1].txt 00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@revenue[2].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@apmebf[2].txt 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@serving-sys[2].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@bs.serving-sys[2].txt 00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@888[2].txt 00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adtech[1].txt 00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt 00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@media.adrevolver[1].txt 00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@overture[1].txt 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@realmedia[2].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@questionmarket[1].txt 00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@int.sitestat[1].txt 00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@int.sitestat[2].txt 00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@bluestreak[2].txt 00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adrevolver[1].txt 00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@go[2].txt 00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@searchportal.informat ion[2].txt 00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@target[1].txt 00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@adviva[1].txt 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atwola[2].txt 00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@smartadserver[2].txt 00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\Natasha\Desktop\SmitfraudFix\IEDFix.C.exe 00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{A5F779F7-F7A5-44A5-88CC-084C6BB92F78}\RP18\A0006884.sys 00817320 Trj/Downloader.VVD Virus/Trojan No 0 Yes No C:\Documents and Settings\Natasha\Local Settings\temp\~TM203.tmp 00817320 Trj/Downloader.VVD Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wbem\proquota.exe 02897073 Cookie/Revenue TrackingCookie No 0 Yes No C:\Documents and Settings\Natasha\Cookies\natasha@adsrevenue[2].txt 03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\wbem\grpconv.exe 03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Natasha\Local Settings\temp\~TM1F7.tmp 03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Natasha\Desktop\SmitfraudFix.exe ;================================================= ================================================== ================================================== ============================== SUSPECTS Sent Location ͞ ;================================================= ================================================== ================================================== ============================== No C:\Documents and Settings\Natasha\Desktop\u93[1]\U94.exe ͞ No C:\Documents and Settings\Natasha\My Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe[C:\Documents and Settings\Natasha\My Documents\Downloads\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe][123.exe] ;================================================= ================================================== ================================================== ============================== VULNERABILITIES Id Severity Description ͞ ;================================================= ================================================== ================================================== ============================== ;================================================= ================================================== ================================================== ============================== Logfile created: 12/05/2009 16:28:30 Lavasoft Ad-Aware version: 8.0.4 Extended engine version: 8.1 User performing scan: Natasha ******************* Definitions database information ******************* Lavasoft definition file: 148.28 Extended engine definition file: 8.1 **************************** Scan results: ******************************* Scan profile name: Full Scan (ID: full) Objects scanned: 136659 Objects detected: 48 Type Detected ========================== Processes.......: 0 Registry entries: 0 Hostfile entries: 0 Files...........: 1 Folders.........: 0 LSPs............: 0 Cookies.........: 47 Browser hijacks.: 0 MRU objects.....: 0 Removed items: Description: 2o7 Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0 Description: revenue Family Name: Cookies Clean status: Success Item ID: 409138 Family ID: 0 Description: apmebf Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0 Description: clickshift Family Name: Cookies Clean status: Success Item ID: 409273 Family ID: 0 Description: estat Family Name: Cookies Clean status: Success Item ID: 408873 Family ID: 0 Description: webtrends Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0 Description: partypoker Family Name: Cookies Clean status: Success Item ID: 409141 Family ID: 0 Description: wunderloop Family Name: Cookies Clean status: Success Item ID: 599639 Family ID: 0 Description: adbureau Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0 Description: advertis Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0 Description: advertising Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0 Description: adserver Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0 Description: adserv Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0 Description: adserve Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0 Description: real Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0 Description: 247realmedia Family Name: Cookies Clean status: Success Item ID: 408945 Family ID: 0 Description: realmedia Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0 Description: ad.yieldmanager Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0 Description: adrevolver Family Name: Cookies Clean status: Success Item ID: 408932 Family ID: 0 Description: adserver Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0 Description: adserv Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0 Description: adtech Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0 Description: adserve Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0 Description: advertis Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0 Description: advertising Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0 Description: adviva Family Name: Cookies Clean status: Success Item ID: 409016 Family ID: 0 Description: 2o7 Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0 Description: apmebf Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0 Description: atdmt Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0 Description: bs.serving-sys Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0 Description: serving-sys Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0 Description: casalemedia Family Name: Cookies Clean status: Success Item ID: 409152 Family ID: 0 Description: adbureau Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0 Description: doubleclick Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0 Description: media.adrevolver Family Name: Cookies Clean status: Success Item ID: 409144 Family ID: 0 Description: fastclick Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0 Description: kelkoo Family Name: Cookies Clean status: Success Item ID: 408851 Family ID: 0 Description: webtrends Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0 Description: mediaplex Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0 Description: overture Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0 Description: questionmarket Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0 Description: revenue Family Name: Cookies Clean status: Success Item ID: 409138 Family ID: 0 Description: searchportal.information Family Name: Cookies Clean status: Success Item ID: 409134 Family ID: 0 Description: specificclick Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0 Description: tacoda Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0 Description: tradedoubler Family Name: Cookies Clean status: Success Item ID: 408964 Family ID: 0 Description: tribalfusion Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0 Quarantined items: Description: C:\System Volume Information\_restore{A5F779F7-F7A5-44A5-88CC-084C6BB92F78}\RP18\A0006982.exe Family Name: Win32.TrojanDownloader.Bredolab Clean status: Success Item ID: 754677 Family ID: 754676 Scan and cleaning complete: Finished correctly after 1954 seconds ********************************* Settings ********************************* Scan profile: ID: full, enabled:1, value: Full Scan ID: scancriticalareas, enabled:1, value: true ID: scanrunningapps, enabled:1, value: true ID: scanregistry, enabled:1, value: true ID: scanlsp, enabled:1, value: true ID: scanads, enabled:1, value: true ID: scanhostsfile, enabled:1, value: true ID: scanmru, enabled:1, value: true ID: scanbrowserhijacks, enabled:1, value: true ID: scantrackingcookies, enabled:1, value: true ID: closebrowsers, enabled:1, value: false ID: folderstoscan, enabled:1, value: C:\ ID: scanrootkits, enabled:1, value: true ID: usespywareheuristics, enabled:1, value: true ID: extendedengine, enabled:0, value: true ID: useheuristics, enabled:0, value: true ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict ID: filescanningoptions, enabled:1 ID: archives, enabled:1, value: true ID: onlyexecutables, enabled:1, value: false ID: skiplargerthan, enabled:1, value: 20480 Scan global: ID: global, enabled:1 ID: addtocontextmenu, enabled:1, value: true ID: playsoundoninfection, enabled:1, value: false ID: soundfile, enabled:0, value: to be filled in automatically\alert.wav Scheduled scan settings: <Empty> Update settings: ID: updates, enabled:1 ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently ID: displaystatus, enabled:1, value: false ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: autodetectproxy, enabled:1, value: false ID: useautoconfigscript, enabled:1, value: false ID: autoconfigurl, enabled:0, value: ID: useproxy, enabled:1, value: false ID: proxyserver, enabled:0, value: ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall ID: schedules, enabled:1, value: true ID: updatedaily, enabled:1, value: Daily ID: time, enabled:1, value: Mon Apr 20 08:10:00 2009 ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: false ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false ID: updateweekly, enabled:1, value: Weekly ID: time, enabled:1, value: Mon Apr 20 08:10:00 2009 ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly ID: weekdays, enabled:1 ID: monday, enabled:1, value: true ID: tuesday, enabled:1, value: false ID: wednesday, enabled:1, value: false ID: thursday, enabled:1, value: false ID: friday, enabled:1, value: false ID: saturday, enabled:1, value: false ID: sunday, enabled:1, value: false ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31 ID: scanprofile, enabled:1, value: ID: auto_deal_with_infections, enabled:1, value: false Appearance settings: ID: appearance, enabled:1 ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource ID: showtrayicon, enabled:1, value: true ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language Realtime protection settings: ID: realtime, enabled:1 ID: processprotection, enabled:1, value: true ID: registryprotection, enabled:0, value: true ID: networkprotection, enabled:0, value: true ID: loadatstartup, enabled:1, value: true ID: usespywareheuristics, enabled:0, value: true ID: extendedengine, enabled:0, value: true ID: useheuristics, enabled:0, value: true ID: heuristicslevel, enabled:0, value: strict, domain: medium,mild,strict ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant **************************** System information **************************** Computer name: ADVENT Processor name: Genuine Intel(R) CPU T2050 @ 1.60GHz Processor identifier: x86 Family 6 Model 14 Stepping 8 Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3592, number of processors 2 Physical memory available: 398401536 bytes Physical memory total: 1063366656 bytes Virtual memory available: 2008797184 bytes Virtual memory total: 2147352576 bytes Memory load: 62% Microsoft Windows XP Professional Service Pack 3 (build 2600) Windows startup mode: Running processes: PID: 644 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY PID: 668 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY PID: 716 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY PID: 728 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY PID: 900 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1028 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 1068 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1132 name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe owner: SYSTEM domain: NT AUTHORITY PID: 1160 name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe owner: SYSTEM domain: NT AUTHORITY PID: 1192 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 1496 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 2020 name: C:\WINDOWS\system32\LEXBCES.EXE owner: SYSTEM domain: NT AUTHORITY PID: 152 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY PID: 232 name: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe owner: SYSTEM domain: NT AUTHORITY PID: 1368 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 452 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 484 name: C:\Program Files\ESET\ESET Smart Security\ekrn.exe owner: SYSTEM domain: NT AUTHORITY PID: 516 name: C:\Program Files\Hotspot Shield\bin\openvpnas.exe owner: SYSTEM domain: NT AUTHORITY PID: 632 name: C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe owner: SYSTEM domain: NT AUTHORITY PID: 920 name: C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe owner: SYSTEM domain: NT AUTHORITY PID: 952 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY PID: 976 name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe owner: SYSTEM domain: NT AUTHORITY PID: 1276 name: C:\Program Files\CDBurnerXP\NMSAccessU.exe owner: SYSTEM domain: NT AUTHORITY PID: 1404 name: C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe owner: SYSTEM domain: NT AUTHORITY PID: 1664 name: C:\WINDOWS\system32\HPZipm12.exe owner: SYSTEM domain: NT AUTHORITY PID: 1720 name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe owner: SYSTEM domain: NT AUTHORITY PID: 1776 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 1828 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 1588 name: C:\WINDOWS\ehome\mcrdsvc.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 2412 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY PID: 2436 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: NETWORK SERVICE domain: NT AUTHORITY PID: 2596 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY PID: 2508 name: C:\WINDOWS\Explorer.EXE owner: Natasha domain: ADVENT PID: 4072 name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe owner: Natasha domain: ADVENT PID: 376 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY PID: 200 name: C:\WINDOWS\ehome\ehtray.exe owner: Natasha domain: ADVENT PID: 292 name: C:\WINDOWS\system32\igfxtray.exe owner: Natasha domain: ADVENT PID: 2012 name: C:\WINDOWS\system32\hkcmd.exe owner: Natasha domain: ADVENT PID: 340 name: C:\WINDOWS\system32\igfxpers.exe owner: Natasha domain: ADVENT PID: 444 name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe owner: Natasha domain: ADVENT PID: 1336 name: C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe owner: Natasha domain: ADVENT PID: 1436 name: C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe owner: Natasha domain: ADVENT PID: 1600 name: C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe owner: Natasha domain: ADVENT PID: 600 name: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe owner: Natasha domain: ADVENT PID: 2120 name: C:\WINDOWS\system32\rundll32.exe owner: Natasha domain: ADVENT PID: 2336 name: C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe owner: Natasha domain: ADVENT PID: 2540 name: C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe owner: Natasha domain: ADVENT PID: 2064 name: C:\Program Files\QuickTime\qttask.exe owner: Natasha domain: ADVENT PID: 2860 name: C:\WINDOWS\VM_STI.EXE owner: Natasha domain: ADVENT PID: 2896 name: C:\Program Files\ESET\ESET Smart Security\egui.exe owner: Natasha domain: ADVENT PID: 2948 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: Natasha domain: ADVENT PID: 3012 name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe owner: Natasha domain: ADVENT PID: 3040 name: C:\WINDOWS\system32\ctfmon.exe owner: Natasha domain: ADVENT PID: 3136 name: C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe owner: Natasha domain: ADVENT PID: 1456 name: C:\WINDOWS\system32\igfxext.exe owner: Natasha domain: ADVENT PID: 3820 name: C:\WINDOWS\system32\igfxsrvc.exe owner: Natasha domain: ADVENT PID: 3680 name: C:\WINDOWS\system32\svchost.exe owner: Natasha domain: ADVENT PID: 3488 name: C:\Program Files\Windows Live\Messenger\msnmsgr.exe owner: Natasha domain: ADVENT PID: 1660 name: C:\Program Files\Windows Live\Contacts\wlcomm.exe owner: Natasha domain: ADVENT PID: 3592 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY PID: 1376 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Natasha domain: ADVENT PID: 3024 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY PID: 1748 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Natasha domain: ADVENT Startup items: Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9} Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED} Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153} Name: WPDShServiceObj imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5} Name: CTFMON.EXE imagepath: C:\WINDOWS\system32\CTFMON.EXE Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon Name: ehTray imagepath: C:\WINDOWS\ehome\ehtray.exe Name: Recguard imagepath: C:\WINDOWS\SMINST\RECGUARD.EXE Name: igfxtray imagepath: C:\WINDOWS\system32\igfxtray.exe Name: igfxhkcmd imagepath: C:\WINDOWS\system32\hkcmd.exe Name: igfxpers imagepath: C:\WINDOWS\system32\igfxpers.exe Name: High Definition Audio Property Page Shortcut imagepath: CHDAudPropShortcut.exe Name: SynTPEnh imagepath: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe Name: IntelZeroConfig imagepath: "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" Name: IntelWireless imagepath: "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless Name: EOUApp imagepath: "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" Name: IAAnotif imagepath: C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe Name: BluetoothAuthenticationAgent imagepath: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent Name: LogitechCommunicationsManager imagepath: "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" Name: Keyboard Manager Utility imagepath: "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H Name: QuickTime Task imagepath: "C:\Program Files\QuickTime\qttask.exe" -atboottime Name: BigDogPath imagepath: C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera Name: egui imagepath: "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice Name: SunJavaUpdateSched imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe" Name: Ad-Watch imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe Name: TkBellExe imagepath: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot Name: imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini Name: imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini Bootexecute items: Name: imagepath: autocheck autochk * Name: imagepath: lsdelete Running services: Name: ALG displayname: Application Layer Gateway Service Name: AudioSrv displayname: Windows Audio Name: BITS displayname: Background Intelligent Transfer Service Name: Browser displayname: Computer Browser Name: BthServ displayname: Bluetooth Support Service Name: CryptSvc displayname: Cryptographic Services Name: DcomLaunch displayname: DCOM Server Process Launcher Name: Dhcp displayname: DHCP Client Name: dmserver displayname: Logical Disk Manager Name: Dnscache displayname: DNS Client Name: ekrn displayname: Eset Service Name: ERSvc displayname: Error Reporting Service Name: Eventlog displayname: Event Log Name: EventSystem displayname: COM+ Event System Name: EvtEng displayname: Intel(R) PROSet/Wireless Event Log Name: FastUserSwitchingCompatibility displayname: Fast User Switching Compatibility Name: helpsvc displayname: Help and Support Name: HidServ displayname: HID Input Service Name: HotspotShieldService displayname: Hotspot Shield Service Name: HssSrv displayname: Hotspot Shield Helper Service Name: HTTPFilter displayname: HTTP SSL Name: IAANTMon displayname: Intel(R) Matrix Storage Event Monitor Name: JavaQuickStarterService displayname: Java Quick Starter Name: lanmanserver displayname: Server Name: lanmanworkstation displayname: Workstation Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service Name: LexBceS displayname: LexBce Server Name: LmHosts displayname: TCP/IP NetBIOS Helper Name: LVCOMSer displayname: LVCOMSer Name: LVPrcSrv displayname: Process Monitor Name: McrdSvc displayname: Media Center Extender Service Name: Netman displayname: Network Connections Name: Nla displayname: Network Location Awareness (NLA) Name: NMSAccessU displayname: NMSAccessU Name: OpenCASE Media Agent displayname: OpenCASE Media Agent Name: PlugPlay displayname: Plug and Play Name: Pml Driver HPZ12 displayname: Pml Driver HPZ12 Name: PolicyAgent displayname: IPSEC Services Name: ProtectedStorage displayname: Protected Storage Name: RasMan displayname: Remote Access Connection Manager Name: RegSrvc displayname: Intel(R) PROSet/Wireless Registry Service Name: RpcSs displayname: Remote Procedure Call (RPC) Name: S24EventMonitor displayname: Intel(R) PROSet/Wireless Service Name: SamSs displayname: Security Accounts Manager Name: Schedule displayname: Task Scheduler Name: seclogon displayname: Secondary Logon Name: SENS displayname: System Event Notification Name: SharedAccess displayname: Windows Firewall/Internet Connection Sharing (ICS) Name: ShellHWDetection displayname: Shell Hardware Detection Name: Spooler displayname: Print Spooler Name: srservice displayname: System Restore Service Name: SSDPSRV displayname: SSDP Discovery Service Name: stisvc displayname: Windows Image Acquisition (WIA) Name: TapiSrv displayname: Telephony Name: TermService displayname: Terminal Services Name: Themes displayname: Themes Name: TrkWks displayname: Distributed Link Tracking Client Name: W32Time displayname: Windows Time Name: WebClient displayname: WebClient Name: winmgmt displayname: Windows Management Instrumentation Name: wscsvc displayname: Security Center Name: wuauserv displayname: Automatic Updates Name: WZCSVC displayname: Wireless Zero Configuration Malwarebytes' Anti-Malware 1.36 Database version: 2116 Windows 5.1.2600 Service Pack 3 12/05/2009 6:21:08 PM mbam-log-2009-05-12 (18-21-08).txt Scan type: Full Scan (C:\\|) Objects scanned: 194493 Time elapsed: 51 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:22:08 PM, on 12/05/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ESET\ESET Smart Security\ekrn.exe C:\Program Files\Hotspot Shield\bin\openvpnas.exe C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\CDBurnerXP\NMSAccessU.exe C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\VM_STI.EXE C:\Program Files\ESET\ESET Smart Security\egui.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\igfxext.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mypixmania.com/partenaires/dsg/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\pavuppad.exe, O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/actives.../as2stubie.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173874683625 O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://express.foto.com/Newuploader/ImageUploader4.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-0443F0149041} (BuenoCtl Class) - http://bueno.com/Bueno.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAAAAA} (BuenoCtl Class) - http://bueno.com/Bueno.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBACCCC} (BuenoCtl Class) - http://bueno.com/Buenonew.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBADDDD} (BuenoCtl Class) - http://bueno.com/Buenonew.cab O16 - DPF: {915757F8-5E16-4F58-9E9F-E4EFDCBAEEEE} (BuenoCtl Class) - http://bueno.com/Bueno.cab O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://my.londonexternal.ac.uk/webmail02/dwa8W.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup163.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 13238 bytes

05-12-2009	#2
Crush Tech Support Team Join Date: Sep 2008 Location: Caldwell, New Jersey Posts: 10,112 PC Experience: Always Learning New Things	Re: A few logs to review weeksn, Wow. Thank you for being so thorough. It makes my job easier . Let's just make sure there is no more malware. Next, lets download ComboFix.exe. This will give me a better view to the files running, those that are hidden, and also those in the registry..Please download from one of these webpages . http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. Double-click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes to continue scanning for malware. When finished, it shall produce a log for you. Please include the log in your next reply __________________ Crush aka Chris [Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate] I am in fact, quite cool. My graphing calculator confirms this**

05-13-2009	#4
Crush Tech Support Team Join Date: Sep 2008 Location: Caldwell, New Jersey Posts: 10,112 PC Experience: Always Learning New Things	Re: A few logs to review Weeksn, Please navigate to the following files/folders and delete them c:\windows\system32\bookls c:\windows\system32\pavuppad.exe Then, right click on your recycle bin and empty it to completely remove them fror your machine __________________ Crush aka Chris [Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate] I am in fact, quite cool. My graphing calculator confirms this

05-14-2009	#5
weeksn Bronze Member Join Date: Sep 2008 Posts: 31 PC Experience: Some Experience	Re: A few logs to review I performed a search and could not locate the following file/folder: c:\windows\system32\bookls I tried deleting the following file but got a message saying: Cannot delete file: Cannot read from source file or disk c:\windows\system32\pavuppad.exe

05-15-2009	#6
Crush Tech Support Team Join Date: Sep 2008 Location: Caldwell, New Jersey Posts: 10,112 PC Experience: Always Learning New Things	Re: A few logs to review This ought to get rid of them Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below. 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Open notepad and copy/paste the text in the quotebox below into it: Code: File:: c:\windows\system32\pavuppad.exe Folder:: c:\windows\system32\bookls Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer __________________ Crush aka Chris [Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate] I am in fact, quite cool. My graphing calculator confirms this

Similar discussions...
Thread	Thread Starter	Forum	Replies	Last Post
Question: Please Review These Logs, RE: intervalhehehe	wsteyert	[Pending] HJT Logs	11	04-03-2009 04:34 AM
Pending: Logs for review	woody258	[Pending] HJT Logs	2	04-02-2009 11:32 PM
Fixed: had malware; can someone review logs?	barbaram1954	[Fixed] Hijackthis! Logs	7	01-05-2009 09:39 PM
Review these logs	DrD	[Fixed] Hijackthis! Logs	16	01-10-2008 01:17 AM
[Resolved] Please review HJT logs	elvin815	[Fixed] Hijackthis! Logs	13	05-18-2006 01:02 AM

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode