"Error loading...lidanufu.dll" after malware cleanup

**ken545** · 2009-04-10, 13:27

Good Morning,

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

Code:

File::
c:\windows\system32\drivers\ovfsthnkdgaibgovmompknbalqmglteqlkfiff.sys
c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\ovfsthtuebwjuybimxocpxvvkappkfvrsbodok.dll
c:\windows\system32\ovfsthnytawdlkmimtybcexduelkamkouqufej.dat
c:\windows\system32\ovfsthskosjwvxwywnkdqbxaqjaxedeoomihav.dll
c:\windows\system32\ovfsthkpxufibsbnkkfirjcxdhiejxnfgxbrwv.dll
c:\windows\system32\ovfsthybxccaoxhlptnhabnflnbnksfyixvwnb.dat
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthacxbvwbpss.tmp
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthdrndvnnqqp.tmp
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthbtrtfpmhqi.tmp
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv000

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**pw2245** · 2009-04-10, 21:38

ComboFix Log
------------------------------------------------
ComboFix 09-04-04.01 - Peter 2009-04-10 20:31:03.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1471 [GMT 1:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Peter\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthacxbvwbpss.tmp
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthbtrtfpmhqi.tmp
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthdrndvnnqqp.tmp
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv000
c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\drivers\ovfsthnkdgaibgovmompknbalqmglteqlkfiff.sys
c:\windows\system32\ovfsthkpxufibsbnkkfirjcxdhiejxnfgxbrwv.dll
c:\windows\system32\ovfsthnytawdlkmimtybcexduelkamkouqufej.dat
c:\windows\system32\ovfsthskosjwvxwywnkdqbxaqjaxedeoomihav.dll
c:\windows\system32\ovfsthtuebwjuybimxocpxvvkappkfvrsbodok.dll
c:\windows\system32\ovfsthybxccaoxhlptnhabnflnbnksfyixvwnb.dat
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-07 22:04 . 2009-04-07 22:05 <DIR> d-------- C:\Postgraduate Conference 2009
2009-04-07 21:47 . 2009-04-09 17:01 84,045 --a------ c:\windows\system32\ftp_non_crp.exe
2009-04-07 21:47 . 2009-04-09 17:01 155 --a------ c:\windows\system32\SelfDel.bat
2009-04-07 21:27 . 2009-04-07 21:27 56,320 --a------ c:\windows\system32\ldr_CRYPTED.exe
2009-04-07 21:26 . 2009-04-07 21:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-07 21:26 . 2009-04-07 21:26 <DIR> d-------- c:\documents and settings\Peter\Application Data\Malwarebytes
2009-04-07 21:26 . 2009-04-07 21:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-07 21:26 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 21:26 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-06 22:49 . 2009-04-06 22:49 <DIR> d-------- c:\program files\ERUNT
2009-03-18 22:06 . 2009-03-18 22:06 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-18 21:35 . 2009-03-18 21:35 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-18 21:35 . 2009-03-18 21:35 <DIR> d-------- c:\program files\AVG
2009-03-18 21:35 . 2009-03-18 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-18 21:35 . 2009-03-18 21:35 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-18 21:35 . 2009-03-27 19:16 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-18 21:35 . 2009-03-18 21:35 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 20:59 --------- d-----w c:\documents and settings\Peter\Application Data\QuosaDDM
2009-02-12 19:13 --------- d-----w c:\program files\Virtual Earth 3D
2007-10-15 20:53 109 ----a-w c:\program files\detail.txt
2007-02-18 21:44 251 ----a-w c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-04-09_ 0.26.10.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\10-04-2009\ERDNT.EXE
+ 2009-04-10 19:23:32 1,355,776 ----a-w c:\windows\ERDNT\10-04-2009\Users\00000001\NTUSER.DAT
+ 2009-04-10 19:23:32 3,002,368 ----a-w c:\windows\ERDNT\10-04-2009\Users\00000002\UsrClass.dat
+ 2009-04-10 19:23:32 9,461,760 ----a-w c:\windows\ERDNT\10-04-2009\Users\00000003\NTUSER.DAT
+ 2009-04-10 19:23:32 3,149,824 ----a-w c:\windows\ERDNT\10-04-2009\Users\00000004\UsrClass.dat
+ 2009-04-10 19:23:34 1,355,776 ----a-w c:\windows\ERDNT\10-04-2009\Users\00000005\NTUSER.DAT
+ 2009-04-10 19:23:34 3,002,368 ----a-w c:\windows\ERDNT\10-04-2009\Users\00000006\UsrClass.dat
- 2009-04-08 23:06:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-10 19:02:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-08 23:06:56 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-10 19:02:54 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-08 23:06:56 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-10 19:02:54 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-10 19:03:02 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_60c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-19 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-12 26112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"LogitechCameraAssistant"="c:\program files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
"LogitechVideo[inspector]"="c:\program files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-18 1932568]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-10 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-18 21:35 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Peter\\My Documents\\Programs\\utorrent.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\REALPLAY.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Applied Biosystems\\SeqScanner\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\AVGTRAY.EXE"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"46329:TCP"= 46329:TCP:gnutella
"46329:UDP"= 46329:UDP:gnutella

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-18 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-18 108552]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-18 298264]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2007-02-19 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2007-02-19 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2008-10-08 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-06-19 1097728]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-09-13 4392]
S3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\drivers\BDA_Capture_225.sys [2007-02-18 14592]
S3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\drivers\BDA_Loader_225.sys [2007-02-18 18944]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 23:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5edefd71-a1c4-41e3-a6b5-2132eb56ecef} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 20:33:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\ovfsthnkdgaibgovmompknbalqmglteqlkfiff.sys 98304 bytes
c:\windows\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys 0 bytes
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthacxbvwbpss.tmp 163840 bytes
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthdrndvnnqqp.tmp 131072 bytes
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthbtrtfpmhqi.tmp 360448 bytes
c:\docume~1\Peter\LOCALS~1\Temp\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv000 0 bytes
c:\windows\system32\ovfsthybxccaoxhlptnhabnflnbnksfyixvwnb.dat 32768 bytes
c:\windows\system32\ovfsthtuebwjuybimxocpxvvkappkfvrsbodok.dll 65536 bytes
c:\windows\system32\ovfsthnytawdlkmimtybcexduelkamkouqufej.dat 65536 bytes
c:\windows\system32\ovfsthskosjwvxwywnkdqbxaqjaxedeoomihav.dll 32768 bytes
c:\windows\system32\ovfsthkpxufibsbnkkfirjcxdhiejxnfgxbrwv.dll 32768 bytes

scan completed successfully
hidden files: 11

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv]
"imagepath"="\systemroot\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys"
.
Completion time: 2009-04-10 20:34:34
ComboFix-quarantined-files.txt 2009-04-10 19:34:34
ComboFix2.txt 2009-04-08 23:27:16

Pre-Run: 11,075,452,928 bytes free
Post-Run: 11,096,522,752 bytes free

210 --- E O F --- 2009-01-22 20:26:04

------------------------------------------------------

Hijack This Log
----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35:35, on 10/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Peter\My Documents\Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1232392821781
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11156 bytes

**ken545** · 2009-04-10, 23:27

Hi,

Something is putting those bad files back, lets run the full version of GMER

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

**pw2245** · 2009-04-13, 00:10

Sorry for the delay. I've been away for a bit.
Here's the GMER log

---------------------------------------------------
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-12 23:07:41
Windows 5.1.2600 Service Pack 2

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\Explorer.EXE[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\Explorer.EXE[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\Explorer.EXE[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[2996] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\internet explorer\iexplore.exe[4388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\internet explorer\iexplore.exe[4388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\internet explorer\iexplore.exe[4388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\internet explorer\iexplore.exe[4388] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[4428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[4428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[4428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\WINDOWS\system32\wuauclt.exe[4428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Peter\Desktop\gmer\gmer.exe[4544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Peter\Desktop\gmer\gmer.exe[4544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Peter\Desktop\gmer\gmer.exe[4544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Documents and Settings\Peter\Desktop\gmer\gmer.exe[4544] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[5632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002E40] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[5632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C10] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[5632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C30] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe[5632] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C20] C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll (Logitech Helper Library./Logitech)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys (*** hidden *** ) [SYSTEM] ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d3054f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014a4fde349
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@imagepath \systemroot\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv\modules@ovfsth.dll \systemroot\system32\ovfsthmxrknvqfduqxuncvypwbljhsruepondr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060d3054f
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0014a4fde349
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv@imagepath \systemroot\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv\modules
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv\modules@ovfsth.dll \systemroot\system32\ovfsthmxrknvqfduqxuncvypwbljhsruepondr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys

---- EOF - GMER 1.0.15 ----

**ken545** · 2009-04-13, 04:08

Hi,

Hope you had a nice holiday weekend.

Drag Combofix to the trash and grab fresh copy as its updated on a regular basis.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above Rootkit::

Code:

Rootkit::
C:\windows\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys
C:\windows\system32\ovfsthmxrknvqfduqxuncvypwbljhsruepondr.dll
c:\windows\system32\drivers\ovfsth.sys

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ovfsthfhdltuhrmuynirqodguxhlsmrvkrrulv]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**pw2245** · 2009-04-13, 23:46

ComboFix Log
----------------------------------------------------
ComboFix 09-04-13.A2 - Peter 2009-04-13 22:21.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1473 [GMT 1:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Peter\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsth.sys
c:\windows\system32\drivers\ovfsthfvpbnsqfdtcwaiscyvhtqmfqndmthqfo.sys
c:\windows\system32\ovfsthkpxufibsbnkkfirjcxdhiejxnfgxbrwv.dll
c:\windows\system32\ovfsthnytawdlkmimtybcexduelkamkouqufej.dat
c:\windows\system32\ovfsthskosjwvxwywnkdqbxaqjaxedeoomihav.dll
c:\windows\system32\ovfsthtuebwjuybimxocpxvvkappkfvrsbodok.dll
c:\windows\system32\ovfsthybxccaoxhlptnhabnflnbnksfyixvwnb.dat

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-07 21:04 . 2009-04-07 21:05 -------- d-----w C:\Postgraduate Conference 2009
2009-04-07 20:47 . 2009-04-09 16:01 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-07 20:47 . 2009-04-09 16:01 84045 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-07 20:27 . 2009-04-07 20:27 56320 ----a-w c:\windows\system32\ldr_CRYPTED.exe
2009-04-07 20:26 . 2009-04-07 20:26 -------- d-----w c:\documents and settings\Peter\Application Data\Malwarebytes
2009-04-07 20:26 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-07 20:26 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 20:26 . 2009-04-07 20:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-18 21:06 . 2009-03-18 21:06 -------- d--h--w C:\$AVG8.VAULT$
2009-03-18 20:35 . 2009-03-18 20:35 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-18 20:35 . 2009-03-27 18:16 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-18 20:35 . 2009-03-18 20:35 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-18 20:35 . 2009-03-18 20:35 -------- d-----w c:\windows\system32\drivers\Avg
2009-03-18 20:35 . 2009-03-18 20:35 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 20:26 . 2009-04-07 20:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 21:49 . 2009-04-06 21:49 -------- d-----w c:\program files\ERUNT
2009-03-18 20:35 . 2009-03-18 20:35 -------- d-----w c:\program files\AVG
2009-01-09 19:36 . 2007-02-19 04:43 76880 ----a-w c:\documents and settings\Peter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-06 21:02 . 2009-01-06 21:02 0 ----a-w c:\documents and settings\All Users\Application Data\ISx4.tmp
2007-10-15 20:53 . 2007-06-02 22:34 109 ----a-w c:\program files\detail.txt
2007-04-01 15:37 . 2007-04-01 15:37 0 ----a-w c:\documents and settings\All Users\Application Data\ISx2E.tmp
2007-03-03 12:22 . 2007-03-03 12:22 0 ----a-w c:\documents and settings\All Users\Application Data\ISx29.tmp
2007-03-03 11:25 . 2007-03-03 11:24 0 ----a-w c:\documents and settings\All Users\Application Data\ISx28.tmp
2007-02-18 23:20 . 2007-02-18 23:20 0 ----a-w c:\documents and settings\All Users\Application Data\ISx14.tmp
2007-02-18 21:44 . 2007-02-18 21:44 251 ----a-w c:\program files\wt3d.ini
2007-02-18 18:52 . 2007-02-19 04:42 128 ----a-w c:\documents and settings\Peter\Local Settings\Application Data\fusioncache.dat
2006-08-18 21:08 . 2006-08-18 21:08 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-19 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-10-12 26112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"LogitechCameraAssistant"="c:\program files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
"LogitechVideo[inspector]"="c:\program files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-18 1932568]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-10 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-18 21:35 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Peter\\My Documents\\Programs\\utorrent.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\REALPLAY.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Applied Biosystems\\SeqScanner\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\AVGTRAY.EXE"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"46329:TCP"= 46329:TCP:gnutella
"46329:UDP"= 46329:UDP:gnutella

R3 BDA_Capture_225;USB Digital-TV receiver Driver 2.0.1.8;c:\windows\system32\Drivers\BDA_Capture_225.sys [2006-04-04 14592]
R3 BDA_Loader_225;USB Digital-TV Receiver Firmware Loader 6.5.8.0;c:\windows\system32\Drivers\BDA_Loader_225.sys [2006-05-08 18944]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-18 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-27 108552]
S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-18 298264]
S2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-01-23 4096]
S2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-01-23 78208]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\DRIVERS\lv321av.sys [2006-06-19 1097728]
S3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\Drivers\NdisFilt.sys [2005-09-13 4392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 22:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6712)
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\program files\COMMON FILES\LOGITECH\LVMVFM\LVPRCSRV.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\AVG\AVG8\AVGNSX.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\KONTIKI\KSERVICE.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
c:\program files\AVG\AVG8\AVGEMC.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\program files\AVG\AVG8\AVGCSRVX.EXE
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\DLLHOST.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\windows\EHOME\EHMSAS.EXE
c:\program files\LAUNCH MANAGER\LMANAGER.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\Peter\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13 22:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 21:31
ComboFix2.txt 2009-04-10 19:34
ComboFix3.txt 2009-04-08 23:27

Pre-Run: 10,884,382,720 bytes free
Post-Run: 10,908,073,984 bytes free

220 --- E O F --- 2009-01-22 20:26

------------------------------------------------------------

HijackThis Log
-------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:45:13, on 13/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\Peter\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Peter\My Documents\Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1232392821781
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11455 bytes

**ken545** · 2009-04-14, 01:36

That did it, looking good

Your Java is outdated and outdated versions let these type of infections onto your system, we need to update it.

Download the latest version Here save it, do not install it yet.

JRE 6 Update 13 <--This is what you need

Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here

How are things running now??

**pw2245** · 2009-04-14, 22:21

OK that's the updatd version of Java installed and verified. The machine is running well, and USB devices are working again so it looks like we might've removed what was disrupting them.

Anything else to be done?

**ken545** · 2009-04-14, 22:54

Hi,

That's great

You can run this cleaner to clean out all the not needed garbage. Make sure you follow the instructions below for System Restore as most of what we removed is most likely backed up in that program.

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Reboot your computer

Turn ON System Restore.

Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial <-- If you need it

GMER <---Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

**pw2245** · 2009-04-15, 23:18

That's all done now. Thanks very much for taking the time to help me out. Much appreciated. Hopefully I'll not be needing your assistance again for a good while.

Cheers
Pete

Thread: "Error loading...lidanufu.dll" after malware cleanup

Thread Tools

Display

Posting Permissions