
A problem with LUIS.exe

  • This topic is locked
9 replies to this topic

#1 Nauticus


  • Members
  • 18 posts
  • Gender:Male
  • Location:Sofia, Bulgaria
  • Local time:09:18 PM

Posted 03 December 2008 - 06:35 PM

Hello everyone! I'm not that familiar with spyware, malware etc., but I recently noticed the file LUIS.exe making a problem while trying to run. When I did some research it seems it's a type of virus. I'm with NOD32 and I also use Ad-Aware, but none of them detected anything. That was until today, when I almost got a very important account of mine hijacked. Thanks to the higher security level of the site I was able to act on time, although I don't know if I should feel safe anymore. So with a drop of despair I want to post here the logs that are needed. I also apologize for my incompetence!

Logfile of random's system information tool 1.04 (written by random/random)
Run by Yanis at 2008-12-04 01:32:35
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 137 GB (93%) free of 148 GB
Total RAM: 1012 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:53 AM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Datecs\FlexType 2K\FType2K.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Yanis\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Yanis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...08&m=aoa150
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LUIS Agent] C:\WINDOWS\system32\28463\LUIS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FlexType 2K.lnk = C:\Program Files\Datecs\FlexType 2K\FType2K.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

End of file - 6493 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-12 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-13 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-13 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-13 73728]

"LaunchApp"=Alaunch []
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-28 166424]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-28 137752]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-16 16862720]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"AzMixerSel"=C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe [2006-07-17 53248]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-04-25 1044480]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2008-04-15 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2008-04-15 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-15 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2008-04-15 455168]
"LManager"=C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2008-05-14 821768]
"PLFSetL"=C:\WINDOWS\PLFSetL.exe [2007-07-05 94208]
"snp2uvc"=C:\WINDOWS\vsnp2uvc.exe []
"eRecoveryService"=C:\Acer\Empowering Technology\eRecovery\eRAgent.exe [2008-05-22 425984]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2008-06-10 1447168]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-13 136600]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"LUIS Agent"=C:\WINDOWS\system32\28463\LUIS.exe []

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-15 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
FlexType 2K.lnk - C:\Program Files\Datecs\FlexType 2K\FType2K.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]



"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-04 01:12:17 ----A---- C:\WINDOWS\wininit.ini
2008-12-04 00:57:42 ----D---- C:\rsit
2008-12-04 00:42:06 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-04 00:42:06 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 00:31:07 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-12-03 23:26:13 ----D---- C:\Program Files\Trend Micro
2008-12-03 22:36:54 ----D---- C:\Program Files\PrevxCSI
2008-12-03 22:36:50 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-12-03 22:11:37 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-01 10:31:02 ----D---- C:\Documents and Settings\Yanis\Application Data\skypePM
2008-12-01 10:30:08 ----D---- C:\Documents and Settings\Yanis\Application Data\Skype
2008-12-01 10:29:56 ----D---- C:\Program Files\Skype
2008-12-01 10:29:56 ----D---- C:\Program Files\Common Files\Skype
2008-12-01 10:29:41 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2008-11-28 19:39:57 ----D---- C:\WINDOWS\system32\28463
2008-11-14 23:29:45 ----D---- C:\Documents and Settings\Yanis\Application Data\Media Player Classic
2008-11-14 07:21:32 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2008-11-14 07:19:54 ----AD---- C:\WINDOWS\AcerStore
2008-11-13 22:42:47 ----D---- C:\Program Files\Microsoft Works
2008-11-13 22:42:32 ----D---- C:\Program Files\MSBuild
2008-11-13 22:42:01 ----D---- C:\Program Files\Microsoft Visual Studio
2008-11-13 22:42:01 ----D---- C:\Program Files\Common Files\DESIGNER
2008-11-13 22:41:03 ----D---- C:\Program Files\Microsoft.NET
2008-11-13 22:38:45 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-11-13 22:38:01 ----D---- C:\WINDOWS\SHELLNEW
2008-11-13 22:37:20 ----D---- C:\Program Files\Microsoft Office
2008-11-13 22:36:54 ----RHD---- C:\MSOCache
2008-11-13 22:29:13 ----D---- C:\Program Files\DAEMON Tools Lite
2008-11-13 22:26:43 ----D---- C:\Documents and Settings\Yanis\Application Data\DAEMON Tools
2008-11-13 19:29:05 ----A---- C:\WINDOWS\system32\javaws.exe
2008-11-13 19:29:05 ----A---- C:\WINDOWS\system32\javaw.exe
2008-11-13 19:29:05 ----A---- C:\WINDOWS\system32\java.exe
2008-11-13 19:29:05 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-11-13 19:28:50 ----D---- C:\Program Files\Java
2008-11-13 19:28:22 ----D---- C:\Documents and Settings\Yanis\Application Data\Sun
2008-11-13 19:26:12 ----D---- C:\Program Files\Gomez
2008-11-13 19:09:34 ----D---- C:\Program Files\uTorrent
2008-11-13 19:09:24 ----D---- C:\Documents and Settings\Yanis\Application Data\uTorrent
2008-11-13 19:08:55 ----A---- C:\Program Files\utorrent.exe
2008-11-13 18:56:15 ----A---- C:\WINDOWS\system32\unrar.dll
2008-11-13 18:56:01 ----A---- C:\WINDOWS\system32\yv12vfw.dll
2008-11-13 18:56:01 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2008-11-13 18:56:01 ----A---- C:\WINDOWS\system32\xvidcore.dll
2008-11-13 18:56:00 ----A---- C:\WINDOWS\system32\qt-dx331.dll
2008-11-13 18:56:00 ----A---- C:\WINDOWS\system32\dpl100.dll
2008-11-13 18:55:51 ----A---- C:\WINDOWS\system32\divx.dll
2008-11-13 18:55:49 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-11-13 18:55:48 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2008-11-13 18:55:47 ----A---- C:\WINDOWS\system32\msvcr71.dll
2008-11-13 18:55:46 ----D---- C:\Program Files\K-Lite Codec Pack
2008-11-13 18:52:59 ----D---- C:\Program Files\CursorXP
2008-11-13 18:48:18 ----D---- C:\Program Files\DirectX
2008-11-13 18:38:04 ----A---- C:\WINDOWS\PROTOCOL.INI
2008-11-13 18:37:50 ----D---- C:\Program Files\SA Dictionary 2004 Datacenter
2008-11-13 18:37:25 ----A---- C:\WINDOWS\uninst.exe
2008-11-13 18:28:20 ----N---- C:\WINDOWS\system32\vxblock.dll
2008-11-13 18:28:20 ----N---- C:\WINDOWS\system32\pxwave.dll
2008-11-13 18:28:20 ----N---- C:\WINDOWS\system32\pxmas.dll
2008-11-13 18:28:20 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2008-11-13 18:28:20 ----N---- C:\WINDOWS\system32\pxdrv.dll
2008-11-13 18:28:20 ----N---- C:\WINDOWS\system32\px.dll
2008-11-13 18:27:52 ----D---- C:\Program Files\Winamp
2008-11-13 18:27:52 ----A---- C:\WINDOWS\winamp.ini
2008-11-13 18:25:27 ----D---- C:\Program Files\WinRAR
2008-11-13 18:19:09 ----A---- C:\WINDOWS\system32\kbdinori.Dll
2008-11-13 18:19:06 ----A---- C:\WINDOWS\system32\kbdinasa.Dll
2008-11-13 18:19:06 ----A---- C:\WINDOWS\system32\kbdhebx.Dll
2008-11-13 18:19:05 ----A---- C:\WINDOWS\system32\Kbddll.dll
2008-11-13 18:19:05 ----A---- C:\WINDOWS\system32\kbdbphz.dLL
2008-11-13 18:19:05 ----A---- C:\WINDOWS\system32\KBDBPH.dLL
2008-11-13 18:19:05 ----A---- C:\WINDOWS\system32\kbdbp.Dll
2008-11-13 18:19:05 ----A---- C:\WINDOWS\system32\kbdbds.Dll
2008-11-13 18:19:01 ----A---- C:\WINDOWS\system32\newdll.dll
2008-11-13 18:18:58 ----D---- C:\Program Files\Datecs
2008-11-13 18:16:28 ----D---- C:\Documents and Settings\Yanis\Application Data\BSplayer PRO
2008-11-13 18:16:21 ----D---- C:\Program Files\Webteh
2008-11-13 18:12:14 ----D---- C:\Program Files\Lavasoft
2008-11-13 17:57:41 ----D---- C:\Program Files\Varchev Financial Brokers
2008-11-13 17:45:33 ----D---- C:\Documents and Settings\Yanis\Application Data\Opera
2008-11-13 17:36:23 ----D---- C:\Documents and Settings\Yanis\Application Data\ESET
2008-11-13 17:35:02 ----D---- C:\Program Files\ESET
2008-11-13 17:35:02 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2008-11-13 17:30:04 ----D---- C:\Program Files\IrfanView
2008-11-13 17:27:49 ----D---- C:\Program Files\Opera
2008-11-13 17:23:10 ----D---- C:\My Stuff
2008-11-13 17:15:50 ----SHD---- C:\RECYCLER
2008-11-13 16:50:30 ----A---- C:\WINDOWS\system32\Uninstall_eRecovery.exe
2008-11-13 16:50:30 ----A---- C:\WINDOWS\system32\ERUpdateHidden.EXE
2008-11-13 16:50:30 ----A---- C:\WINDOWS\system32\CloseProcessWindow.dll
2008-11-13 16:50:30 ----A---- C:\WINDOWS\system32\ClearEvent.exe
2008-11-13 16:50:29 ----A---- C:\WINDOWS\system32\CheckD2DSystem.exe
2008-11-13 16:50:29 ----A---- C:\WINDOWS\system32\Acer EULA.txt
2008-11-13 16:49:28 ----A---- C:\WINDOWS\xUninstall.bat
2008-11-13 16:49:26 ----D---- C:\WINDOWS\JMCR_DIR
2008-11-13 16:49:26 ----A---- C:\WINDOWS\system32\JmCrIcon.dll
2008-11-13 16:46:32 ----D---- C:\Program Files\Common Files\SNP2UVC
2008-11-13 16:46:31 ----D---- C:\WINDOWS\SUYIN NB Cam
2008-11-13 16:43:53 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-11-13 16:40:43 ----D---- C:\Program Files\Launch Manager
2008-11-13 16:33:30 ----ASH---- C:\Documents and Settings\Yanis\Application Data\desktop.ini
2008-11-13 16:33:29 ----D---- C:\Documents and Settings\Yanis\Application Data\Macromedia
2008-11-13 16:33:29 ----D---- C:\Documents and Settings\Yanis\Application Data\InstallShield
2008-11-13 16:33:29 ----D---- C:\Documents and Settings\Yanis\Application Data\Identities
2008-11-13 16:33:29 ----D---- C:\Documents and Settings\Yanis\Application Data\Adobe
2008-11-13 16:33:28 ----SD---- C:\Documents and Settings\Yanis\Application Data\Microsoft

======List of files/folders modified in the last 1 months======

2008-12-04 01:28:09 ----D---- C:\WINDOWS\Temp
2008-12-04 01:26:18 ----AD---- C:\WINDOWS\system32
2008-12-04 01:26:17 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-04 01:25:18 ----D---- C:\WINDOWS\Prefetch
2008-12-04 01:20:32 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-04 01:20:28 ----D---- C:\WINDOWS
2008-12-04 01:20:27 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-04 01:19:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-04 00:42:06 ----RD---- C:\Program Files
2008-12-04 00:31:20 ----D---- C:\WINDOWS\SoftwareDistribution
2008-12-04 00:31:19 ----D---- C:\WINDOWS\Help
2008-12-04 00:31:12 ----HD---- C:\WINDOWS\inf
2008-12-03 22:42:17 ----AD---- C:\VALUEADD
2008-12-03 22:37:04 ----AD---- C:\WINDOWS\system32\drivers
2008-12-03 22:18:15 ----D---- C:\WINDOWS\system32\Restore
2008-12-01 10:30:05 ----SHD---- C:\WINDOWS\Installer
2008-12-01 10:29:56 ----D---- C:\Program Files\Common Files
2008-11-23 15:10:37 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-14 07:22:17 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-14 07:20:23 ----D---- C:\WINDOWS\repair
2008-11-14 07:19:58 ----A---- C:\WINDOWS\HotFix2.bat
2008-11-14 07:19:58 ----A---- C:\WINDOWS\HotFix.bat
2008-11-14 07:19:49 ----D---- C:\WINDOWS\WLAN
2008-11-14 07:19:47 ----RD---- C:\WINDOWS\Web
2008-11-14 07:19:46 ----D---- C:\WINDOWS\WBEM
2008-11-14 07:19:11 ----D---- C:\WINDOWS\system32\wbem
2008-11-14 07:19:09 ----D---- C:\WINDOWS\system32\usmt
2008-11-14 07:19:08 ----D---- C:\WINDOWS\system32\URTTemp
2008-11-14 07:19:08 ----D---- C:\WINDOWS\system32\spool
2008-11-14 07:19:08 ----D---- C:\WINDOWS\system32\Setup
2008-11-14 07:19:07 ----D---- C:\WINDOWS\system32\scripting
2008-11-14 07:19:07 ----D---- C:\WINDOWS\system32\RTCOM
2008-11-14 07:19:07 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-14 07:19:07 ----D---- C:\WINDOWS\system32\ras
2008-11-14 07:19:07 ----AD---- C:\WINDOWS\system32\oobe
2008-11-14 07:19:05 ----SD---- C:\WINDOWS\system32\Microsoft
2008-11-14 07:19:05 ----D---- C:\WINDOWS\system32\npp
2008-11-14 07:19:05 ----D---- C:\WINDOWS\system32\mui
2008-11-14 07:19:05 ----D---- C:\WINDOWS\system32\MsDtc
2008-11-14 07:19:02 ----D---- C:\WINDOWS\system32\IME
2008-11-14 07:19:02 ----D---- C:\WINDOWS\system32\icsxml
2008-11-14 07:19:02 ----D---- C:\WINDOWS\system32\ias
2008-11-14 07:19:01 ----D---- C:\WINDOWS\system32\en-US
2008-11-14 07:19:01 ----D---- C:\WINDOWS\system32\en
2008-11-14 07:18:12 ----D---- C:\WINDOWS\system32\DirectX
2008-11-14 07:18:11 ----D---- C:\WINDOWS\system32\Com
2008-11-14 07:18:09 ----D---- C:\WINDOWS\system32\1033
2008-11-14 07:18:09 ----D---- C:\WINDOWS\srchasst
2008-11-14 07:18:09 ----AD---- C:\WINDOWS\system
2008-11-14 07:18:07 ----D---- C:\WINDOWS\Resources
2008-11-14 07:18:07 ----D---- C:\WINDOWS\Provisioning
2008-11-14 07:18:06 ----D---- C:\WINDOWS\PeerNet
2008-11-14 07:18:03 ----RD---- C:\WINDOWS\Offline Web Pages
2008-11-14 07:18:03 ----D---- C:\WINDOWS\pchealth
2008-11-14 07:18:03 ----D---- C:\WINDOWS\OPTIONS
2008-11-14 07:18:03 ----D---- C:\WINDOWS\Network Diagnostic
2008-11-14 07:18:03 ----D---- C:\WINDOWS\msapps
2008-11-14 07:18:03 ----D---- C:\WINDOWS\msagent
2008-11-14 07:18:00 ----D---- C:\WINDOWS\Media
2008-11-14 07:18:00 ----D---- C:\WINDOWS\L2Schemas
2008-11-14 07:18:00 ----D---- C:\WINDOWS\java
2008-11-14 07:17:18 ----D---- C:\WINDOWS\ime
2008-11-14 07:17:14 ----HDC---- C:\WINDOWS\ie7
2008-11-14 07:16:55 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-14 07:16:55 ----D---- C:\WINDOWS\Driver Cache
2008-11-14 07:16:55 ----D---- C:\WINDOWS\Debug
2008-11-14 07:16:55 ----D---- C:\WINDOWS\Cursors
2008-11-14 07:16:55 ----D---- C:\WINDOWS\Camera
2008-11-14 07:16:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-11-14 07:16:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-11-14 07:16:52 ----D---- C:\WINDOWS\AppPatch
2008-11-14 07:16:52 ----D---- C:\WINDOWS\addins
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtUninstallKB942763$
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
2008-11-14 07:16:51 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
2008-11-14 07:16:51 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-14 07:16:50 ----D---- C:\temp
2008-11-14 07:16:50 ----D---- C:\Program Files\xerox
2008-11-14 07:16:50 ----D---- C:\Program Files\Windows NT
2008-11-14 07:16:50 ----AD---- C:\Sysinfo
2008-11-14 07:16:49 ----D---- C:\Program Files\Windows Media Player
2008-11-14 07:16:48 ----D---- C:\Program Files\Synaptics
2008-11-14 07:16:47 ----D---- C:\Program Files\Realtek
2008-11-14 07:16:44 ----D---- C:\Program Files\Outlook Express
2008-11-14 07:16:44 ----D---- C:\Program Files\Online Services
2008-11-14 07:16:44 ----D---- C:\Program Files\NetMeeting
2008-11-14 07:16:44 ----D---- C:\Program Files\MSN Gaming Zone
2008-11-14 07:16:42 ----D---- C:\Program Files\MSN
2008-11-14 07:16:42 ----D---- C:\Program Files\Movie Maker
2008-11-14 07:16:06 ----D---- C:\Program Files\microsoft frontpage
2008-11-14 07:16:06 ----D---- C:\Program Files\Messenger
2008-11-14 07:15:57 ----D---- C:\Program Files\Intel
2008-11-14 07:15:54 ----D---- C:\Program Files\Common Files\SpeechEngines
2008-11-14 07:15:54 ----D---- C:\Program Files\Common Files\Services
2008-11-14 07:15:54 ----D---- C:\Program Files\Common Files\ODBC
2008-11-14 07:15:54 ----D---- C:\Program Files\Common Files\MSSoap
2008-11-14 07:15:42 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-14 07:15:42 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-11-14 07:15:39 ----D---- C:\Program Files\Common Files\Adobe
2008-11-14 07:15:39 ----D---- C:\Program Files\Atheros
2008-11-14 07:15:24 ----D---- C:\Program Files\Adobe
2008-11-14 07:14:55 ----D---- C:\Intel
2008-11-14 07:14:55 ----AD---- C:\I386
2008-11-14 07:14:12 ----D---- C:\Documents and Settings\All Users\Application Data\Atheros
2008-11-14 07:14:12 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-14 07:14:12 ----AD---- C:\Book
2008-11-13 22:54:06 ----RSD---- C:\WINDOWS\assembly
2008-11-13 22:49:07 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-13 22:49:04 ----D---- C:\WINDOWS\WinSxS
2008-11-13 22:46:42 ----A---- C:\WINDOWS\win.ini
2008-11-13 22:41:26 ----RSD---- C:\WINDOWS\Fonts
2008-11-13 22:41:03 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-13 22:38:15 ----D---- C:\Program Files\Common Files\System
2008-11-13 21:23:59 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-13 17:06:04 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2008-11-13 17:04:19 ----SD---- C:\WINDOWS\Tasks
2008-11-13 16:53:58 ----A---- C:\WINDOWS\ALaunch.ini
2008-11-13 16:53:32 ----D---- C:\WINDOWS\system32\config
2008-11-13 16:52:21 ----D---- C:\WINDOWS\security
2008-11-13 16:50:15 ----D---- C:\Acer
2008-11-13 16:49:27 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-13 16:46:40 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-13 16:37:30 ----D---- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-11-13 16:35:59 ----D---- C:\Program Files\Internet Explorer
2008-11-13 16:34:20 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-13 16:33:26 ----D---- C:\Documents and Settings
2008-11-13 16:32:31 ----A---- C:\WINDOWS\setuplog.txt
2008-11-13 16:32:22 ----SHD---- C:\System Volume Information
2008-11-13 16:32:16 ----RASH---- C:\boot.ini
2008-11-13 16:30:37 ----D---- C:\WINDOWS\Registration

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-06-10 53256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-06-10 54280]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-15 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-06-10 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-06-10 71688]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-05-21 1312576]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2004-12-08 16896]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-06-10 30728]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-15 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-15 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 int15.sys;int15.sys; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-20 4800000]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-07-01 108800]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2007-10-01 1769984]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-04-25 225024]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 acurhoc8;acurhoc8; C:\WINDOWS\system32\drivers\acurhoc8.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-15 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-15 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-15 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-15 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 CSIScanner;CSIScanner; C:\Program Files\PrevxCSI\prevxcsi.exe [2008-12-03 920632]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2008-06-10 468224]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-13 152984]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-15 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2008-06-10 19200]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]


I'll gladly provide anything else if it is needed. Thank you very much for your support!



#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 10 December 2008 - 10:21 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Rootkit Scan setting from "No" to Yes.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

In your next reply include:
-the OTScanIt log (attached)
-the Kaspersky log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 Nauticus

  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Sofia, Bulgaria
  • Local time:09:18 PM

Posted 11 December 2008 - 12:24 PM

Thank you very much for taking your time to help me with this, I appreciate it! Unfortunately circumstances pushed me to take some (probably unnecessary) actions to get rid of this, since I do all of my work on this computer. I've done many things and I will write them down exactly as I remember them to see how much the situation has changed.

1) Even before writing this topic (sorry this is my first time) in a burst of panic I deleted the file LUIS.exe although I haven't changed any registries. I found it using the windows search, but this didn't help since the file kept coming back and multiplying itself with 001, 002 etc. added to its name.

2) I installed Spybot SD which is recommended here and tried to clear the problem. It found a program called Ardamax installed on my computer and fixed it. Given that this program is a key logger I figured this was how it was able to get my passwords. After that I haven't been getting the LUIS.exe error, which was the thing that pointed me to the fact that I might be having malware on my computer in the first place.

3) I have installed a couple of programs after that which are not related in any way to spyware removal. Some of them are Avast Antivirus, Microsoft Expression Web etc.

So should I do the things you requested from me and how does this change the situation?

#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 11 December 2008 - 08:49 PM


Please continue with OTScanIt and Kaspersky scan.

With Regards,
The Panda

#5 Nauticus

  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Sofia, Bulgaria
  • Local time:09:18 PM

Posted 12 December 2008 - 02:20 PM

Ok it's all done here's the report from Kaspersky. Thanks once again ;)

Friday, December 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version:
Program database last update: Friday, December 12, 2008 14:32:44
Records in database: 1454842

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:

Scan statistics:
Files scanned: 41753
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:20:08

No malware has been detected. The scan area is clean.

The selected area was scanned.

#6 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 12 December 2008 - 10:26 PM

Hello Nauticus.

Your logs are clean. I do see leftovers of that infection you mentioned though.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock that looks like Posted Image and selecting Stop On-Access Protection.

In the settings:
Posted Image

To disable SpyBot's TeaTimer:
You can find instructions with visuals here.
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select Advanced Mode.
  • On the left hand side, Click on Tools.
  • Click on the Resident icon in the list.
  • Uncheck Resident TeaTimer and OK any prompts.
  • Download ResetTeaTimer.bat and run it to remove entries set by TeaTimer. If you are not using Internet Explorer, you may not be prompted to download the file when you click it. In that case, right click it and select "Save Target/Link as" and save the file onto your desktop.
    The file should take only a second to finish. Delete this file after use.
Restart your computer for the changes to take effect.

Run Fix with OTScanIt
We will run OTScanIt with directives. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Registry - Safe List]
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> "LUIS Agent" -> %SystemRoot%\system32\28463\LUIS.exe [C:\WINDOWS\system32\28463\LUIS.exe]
    YN -> "MSPY2002" -> [C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC]
    YN -> "snp2uvc" -> %SystemRoot%\vsnp2uvc.exe [C:\WINDOWS\vsnp2uvc.exe]
    [CatchMe Rootkit Scan by GMER]
    NY -> C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes ->
  • Close all windows except OTScanIt.
  • Click the Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Re-enable your protection at this time.

Please post back with a new HijackThis log.

Do you still have any signs of infection?

With Regards,
The Panda

#7 Nauticus

  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Sofia, Bulgaria
  • Local time:09:18 PM

Posted 13 December 2008 - 04:46 AM

Ok I did what you asked. Here is the log after running the fix with OTScanIT:

[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LUIS Agent deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSPY2002 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PHIME2002ASync deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\snp2uvc deleted successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version fix logfile created on 12132008_114224

I haven't seen any signs from the malware for some time now actually. I've also attached the HijackThis log file to this post.

Edited by Nauticus, 13 December 2008 - 04:52 AM.
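
An added example, not part of the original posts and not OTScanIt's own code: a Python sketch that parses the Run-key directives from the fix in post #6, flags autorun images that sit in an all-digit folder directly under system32 (where LUIS.exe was found here), and reconciles the directives against the fix log in post #7. The function names and the numeric-folder heuristic are assumptions made for illustration.

```python
import re
from ntpath import dirname

# Constructed inputs: lines copied from the fix codebox (post #6) and the fix log (post #7).
DIRECTIVES = r'''
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LUIS Agent" -> %SystemRoot%\system32\28463\LUIS.exe [C:\WINDOWS\system32\28463\LUIS.exe]
YN -> "MSPY2002" -> [C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC]
YN -> "snp2uvc" -> %SystemRoot%\vsnp2uvc.exe [C:\WINDOWS\vsnp2uvc.exe]
'''
FIX_LOG = r'''
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LUIS Agent deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSPY2002 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PHIME2002ASync deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\snp2uvc deleted successfully.
'''

# 'YN -> "value name" -> optional raw data [resolved command line]'
ENTRY = re.compile(r'^[YN]{2} -> "(?P<name>[^"]+)" -> .*?\[(?P<cmd>[^\]]*)\]\s*$')
# 'Registry value <key>\\<value name> deleted successfully.'
DELETED = re.compile(r'^Registry value .+?\\\\(?P<name>[^\\]+) deleted successfully\.$')
NUMERIC_SYS32 = re.compile(r'^[a-z]:\\windows\\system32\\\d+$', re.I)

def parse_directives(text):
    """Return {value name: resolved command line} for each autorun directive."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group('name')] = m.group('cmd')
    return entries

def in_numeric_system32_dir(cmd):
    """Heuristic (assumption): the image sits in an all-digit folder under system32."""
    exe = re.match(r'(?i)^(.*?\.exe)', cmd)  # drop arguments such as /SYNC
    return bool(exe and NUMERIC_SYS32.match(dirname(exe.group(1))))

def deleted_values(text):
    """Return the set of value names the fix log reports as deleted."""
    hits = (DELETED.match(line.strip()) for line in text.splitlines())
    return {m.group('name') for m in hits if m}

def reconcile(directives, log):
    """Compare what the fix asked for with what the log says was removed."""
    asked, done = set(parse_directives(directives)), deleted_values(log)
    return {'not_deleted': sorted(asked - done), 'unrequested': sorted(done - asked)}

if __name__ == '__main__':
    for name, cmd in parse_directives(DIRECTIVES).items():
        print(name, cmd, 'FLAG' if in_numeric_system32_dir(cmd) else 'ok')
    print(reconcile(DIRECTIVES, FIX_LOG))
```

On this thread's data the reconciliation lists PHIME2002ASync as deleted although no directive for it appears in the codebox as shown on this page.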

#8 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 13 December 2008 - 05:22 AM


HijackThis log looks good.

Run Cleanup with OTScanIt
This will remove all the tools we used.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Click the CleanUp button.
  • Restart if prompted.
Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type:
  • Click OK.
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections: Visit the Windows Update Site regularly.
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then here is a nice little article about turning on automatic updates.
    Note that it will download them for you, but you still have to actually click install.
    If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#9 Nauticus

  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Sofia, Bulgaria
  • Local time:09:18 PM

Posted 13 December 2008 - 09:01 AM

Yes I did what you asked and everything seems ok. I feel like my system is now cleared and this makes me very happy. Thank you for all your assistance, you really are a professional man (panda) :thumbsup: Thank you for all the additional information you gave me, this place seems to provide an answer for anything. I learned so many new things just by spending a few hours here.

I can't thank you enough PP for all your help!

#10 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 13 December 2008 - 08:45 PM

No problem :thumbsup: .

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

Now it is closed

Edited by PropagandaPanda, 13 December 2008 - 08:46 PM.
