Author Topic: Guys, about this "Adware Softomate".....  (Read 25028 times)


reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #30 on: March 08, 2008, 12:52:03 AM »

There's something I'm not quite sure here. When you said this:

"Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled."

You mean that the action "word wrap" should not be clickable? Cause it is when I do what you told me.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #31 on: March 08, 2008, 12:57:22 AM »
There should be no check mark beside enable wordwrap.

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #32 on: March 08, 2008, 07:58:08 PM »

ComboFix 08-03-04.3 - il Dottore 2008-03-09 14:18:22.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.171 [GMT -7:00]
Running from: C:\Documents and Settings\il Dottore\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\il Dottore\Desktop\CFscript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-02-09 to 2008-03-09  )))))))))))))))))))))))))))))))
.

2008-03-07 18:56 . 2008-03-07 18:56   <DIR>   d--------   C:\Program Files\Trend Micro
2008-03-06 23:27 . 2008-03-09 14:08   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-03-06 23:27 . 2008-03-06 23:27   1,409   --a------   C:\WINDOWS\QTFont.for
2008-03-06 23:24 . 2008-03-06 23:26   <DIR>   d--------   C:\Program Files\iTunes
2008-03-06 23:19 . 2008-03-06 23:21   <DIR>   d--------   C:\Program Files\QuickTime
2008-03-05 20:48 . 2008-02-22 03:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-03-05 20:44 . 2008-03-05 20:45   15,918,488   --a------   C:\jre-6u5-windows-i586-p.exe
2008-02-23 17:55 . 2008-02-23 17:59   <DIR>   d--------   C:\Documents and Settings\il Dottore\Application Data\Sibelius Software

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 21:05   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-07 06:25   ---------   d-----w   C:\Program Files\iPod
2008-03-06 03:48   ---------   d-----w   C:\Program Files\Java
2008-02-24 00:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-02-24 00:49   ---------   d-----w   C:\Program Files\Sibelius Software
2008-02-24 00:29   ---------   d-----w   C:\Program Files\Finale 2002
2008-01-30 06:43   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-07-27 02:19   604   ---ha-w   C:\Program Files\STLL Notifier
2007-04-01 21:36   258   ----a-w   C:\Program Files\First Theorem.sn2
2004-04-13 16:13   35,456   ----a-w   C:\WINDOWS\Fonts\requiem1.zip
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
         C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 20:34 3084288]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-25 00:52 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 21:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 16:01 1019904]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 11:59 61440]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-11-20 18:24 26112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-14 14:10 6731312]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\il Dottore\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 12:49:38 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-11 08:23:36 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-25 00:52:32 67128]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-07-19 18:53:18 57344]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 17:58:56 155648]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 12:29:12 1568768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 02:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 12:50]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 01:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 14:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 14:12]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 10:03]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 18:38]
S3 VVBETHERNET;Efficient Networks Virtual Bus Ethernet driver;C:\WINDOWS\system32\DRIVERS\vvbEthT.sys [2002-05-22 18:26]
S3 VvBusUsb;Efficient Networks USB Virtual Bus driver;C:\WINDOWS\system32\drivers\vvbususb.sys [2002-05-22 18:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 06:09:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-07 05:26:15 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 14:24:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 14:26:31
ComboFix-quarantined-files.txt  2008-03-09 21:26:07
ComboFix2.txt  2008-03-06 03:30:56
ComboFix3.txt  2008-02-21 08:40:32
.
2008-02-14 03:03:40   --- E O F --- 

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #33 on: March 09, 2008, 12:43:28 AM »
Well that one just doesn't seem to want to die. So we go after it a little differently. Do these steps in the order posted.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {76FCFD22-C40A-4764-8420-AFE2C4654ECD} - C:\WINDOWS\system32\sstqo.dll (file missing)

 


Close all other browsers/windows, click fix, close HJT.


Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks)  as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
File::
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\drivers\lvuvc.hs

Folder::
C:\WINDOWS\system32\drivers\lvuvc.hs

Driver::
lvuvc

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]


This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.


note when doing the combofix fix

A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Click File, click Exit and answer 'Yes' to save changes.

Open HJT and run a scan and post that log along with the combofix log.

Also you should have a look in the hosts file; malware may have placed entries in it to prevent you from reaching certain sites. You can copy and paste the contents into your next reply. We will be able to advise you if we see the contents. There isn't any personal info in it.

Thanks
« Last Edit: March 09, 2008, 04:59:25 AM by oldman »

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #34 on: March 09, 2008, 02:13:10 AM »
Well that one just doesn't seem to want to die.


Hehehe, which one doesn't seem to want to die?

Either way, I will run the scan again and post the results soon.

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #35 on: March 09, 2008, 10:30:26 PM »

Good day.

I have scanned once again with HijackThis. I have found and fixed (deleted?) file O2 - BHO: (no name) - {76FCFD22-C40A-4764-8420-AFE2C4654ECD} - C:\WINDOWS\system32\sstqo.dll (file missing). I have saved the log as "CFscript" and dragged it to ComboFix to start it again. Here are the results:

ComboFix 08-03-04.3 - il Dottore 2008-03-10 17:19:11.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.174 [GMT -7:00]
Running from: C:\Documents and Settings\il Dottore\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\il Dottore\Desktop\CFscript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-02-11 to 2008-03-11  )))))))))))))))))))))))))))))))
.

2008-03-07 18:56 . 2008-03-07 18:56   <DIR>   d--------   C:\Program Files\Trend Micro
2008-03-06 23:27 . 2008-03-10 14:20   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-03-06 23:27 . 2008-03-06 23:27   1,409   --a------   C:\WINDOWS\QTFont.for
2008-03-06 23:24 . 2008-03-06 23:26   <DIR>   d--------   C:\Program Files\iTunes
2008-03-06 23:19 . 2008-03-06 23:21   <DIR>   d--------   C:\Program Files\QuickTime
2008-03-05 20:48 . 2008-02-22 03:33   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-03-05 20:44 . 2008-03-05 20:45   15,918,488   --a------   C:\jre-6u5-windows-i586-p.exe
2008-02-23 17:55 . 2008-02-23 17:59   <DIR>   d--------   C:\Documents and Settings\il Dottore\Application Data\Sibelius Software

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 21:18   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
2008-03-07 06:25   ---------   d-----w   C:\Program Files\iPod
2008-03-06 03:48   ---------   d-----w   C:\Program Files\Java
2008-02-24 00:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Sibelius Software
2008-02-24 00:49   ---------   d-----w   C:\Program Files\Sibelius Software
2008-02-24 00:29   ---------   d-----w   C:\Program Files\Finale 2002
2008-01-30 06:43   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-07-27 02:19   604   ---ha-w   C:\Program Files\STLL Notifier
2007-04-01 21:36   258   ----a-w   C:\Program Files\First Theorem.sn2
2004-04-13 16:13   35,456   ----a-w   C:\WINDOWS\Fonts\requiem1.zip
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 04:24 65536]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 20:34 3084288]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-25 00:52 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 21:01 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-10-31 16:01 1019904]
"Start RF Wireless Mouse"="C:\Program Files\RF Wireless Mouse\cm20.exe" [2002-01-31 11:59 61440]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-11-20 18:24 26112]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-14 14:10 6731312]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\il Dottore\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2005-03-09 12:49:38 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-04-11 08:23:36 113664]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-25 00:52:32 67128]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-07-19 18:53:18 57344]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 14:23:32 51776]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2003-11-20 17:58:56 155648]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 12:29:12 1568768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 02:07]
R4 BsUDF;B.H.A UDF Filesystem;C:\WINDOWS\system32\drivers\BsUDF.sys [2003-11-04 12:50]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 01:04]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 14:12]
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 14:12]
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 10:03]
S3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 18:38]
S3 VVBETHERNET;Efficient Networks Virtual Bus Ethernet driver;C:\WINDOWS\system32\DRIVERS\vvbEthT.sys [2002-05-22 18:26]
S3 VvBusUsb;Efficient Networks USB Virtual Bus driver;C:\WINDOWS\system32\drivers\vvbususb.sys [2002-05-22 18:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 06:09:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-10 04:26:15 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 17:24:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 17:25:51
ComboFix-quarantined-files.txt  2008-03-11 00:25:21
ComboFix2.txt  2008-03-09 21:26:31
ComboFix3.txt  2008-03-06 03:30:56
ComboFix4.txt  2008-02-21 08:40:32
.
2008-02-14 03:03:40   --- E O F --- 

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #36 on: March 09, 2008, 11:45:53 PM »
Some of it went, some didn't. Let's find out where this one is living. There is a hidden driver holding that file.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 
Quote
RegSearch Options File 
 
[Search] 

lvuvc.hs


[Exclude] 
 

[Options] 
Filter=KVDLUI
 

2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
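To see at a glance what a CFscript run actually removed, the way oldman reads the two ComboFix logs above (the BHO is gone, lvuvc.hs is still there), here is an added example that is not part of this thread or of ComboFix: it parses the Find3M Report and Reg Loading Points sections of two logs, reports removed, new and persisting entries, and flags 0-byte files under a drivers directory. The log excerpts are constructed from the lines posted above and trimmed; the section markers and line formats are assumed from those posts.

```python
import re

# Constructed excerpts of the two ComboFix logs posted above, trimmed to the
# lines that matter for the comparison (the real logs are much longer).
LOG_BEFORE = r"""
(((((((   Find3M Report   )))))))
2008-03-09 21:05   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
(((((((   Reg Loading Points   )))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76FCFD22-C40A-4764-8420-AFE2C4654ECD}]
         C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"""
LOG_AFTER = r"""
(((((((   Find3M Report   )))))))
2008-03-10 21:18   0   ----a-w   C:\WINDOWS\system32\drivers\lvuvc.hs
(((((((   Reg Loading Points   )))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"""

SECTION_MARKERS = {"Find3M Report": "find3m", "Reg Loading Points": "autoruns"}
# Find3M line: "<date> <time>   <size or dashes>   <attrs>   <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d[\d,]*|-+)\s+(\S+)\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")              # [HKEY_...] key header
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')     # "Name"="path" [date time size]


def parse_combofix(text):
    """Map each entry to its details: Find3M files keyed by path, autoruns keyed by
    'key|value name' (or 'key|dll path' for a BHO listed under its CLSID key)."""
    entries, section, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        for marker, name in SECTION_MARKERS.items():
            if marker in line:
                section, current_key = name, None
        if section == "find3m":
            m = FILE_RE.match(line)
            if m:
                size = None if m.group(2).startswith("-") else int(m.group(2).replace(",", ""))
                entries[m.group(4)] = {"kind": "file", "size": size, "mtime": m.group(1)}
        elif section == "autoruns":
            m = KEY_RE.match(line)
            if m:
                current_key = m.group(1)
            elif current_key and (m := VALUE_RE.match(line)):
                entries[f"{current_key}|{m.group(1)}"] = {"kind": "autorun", "path": m.group(2)}
            elif current_key and raw.startswith(" ") and line.strip():
                # ComboFix prints a BHO's DLL on an indented line under its CLSID key
                entries[f"{current_key}|{line.strip()}"] = {"kind": "autorun", "path": line.strip()}
    return entries


def compare_logs(before_text, after_text):
    """Which entries a fix run removed, which appeared, and which survived it."""
    before, after = parse_combofix(before_text), parse_combofix(after_text)
    return {"removed": sorted(set(before) - set(after)),
            "new": sorted(set(after) - set(before)),
            "persisting": sorted(set(before) & set(after))}


def zero_byte_driver_files(entries):
    """0-byte files under a drivers directory that survive a fix deserve a closer
    look (the 'hidden driver holding that file' pattern in this thread)."""
    return sorted(path for path, info in entries.items()
                  if info["kind"] == "file" and info["size"] == 0
                  and "\\drivers\\" in path.lower())


if __name__ == "__main__":
    result = compare_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "new", "persisting"):
        print(label.upper(), *result[label], sep="\n  ")
    print("ZERO-BYTE DRIVER FILES", *zero_byte_driver_files(parse_combofix(LOG_AFTER)), sep="\n  ")
```

Feed it the full text of two consecutive ComboFix logs to get the same before/after view for a real case; sections other than Find3M and Reg Loading Points are ignored.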

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #37 on: March 10, 2008, 12:48:51 AM »
Some of it went, some didn't. Let's find out where this one is living. There is a hidden driver holding that file.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 
Quote
RegSearch Options File 
 
[Search] 

lvuvc.hs


[Exclude] 
 

[Options] 
Filter=KVDLUI
 

2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.



Ok, here we go again:

I clicked on your link for Registry Search and I got this message: "404 ERROR: Page Not Found!

The requested page http://www.bleepingcomputer.com/files/steelwerx/regsearch.zip could not be found on this server."


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Guys, about this "Adware Softomate".....
« Reply #38 on: March 10, 2008, 12:56:33 AM »
Hi reles,

Link location here: http://download.bleepingcomputer.com/steelwerx/regsearch.zip

So you can continue with Oldman's proposals,
Good luck,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #39 on: March 10, 2008, 12:59:45 AM »

Umm guys...

Did the Hijackthis automatically delete everything that I had in my recycle bin? Cause it's empty and I didn't empty it. I had some stuff there that I wasn't sure about deleting!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Guys, about this "Adware Softomate".....
« Reply #40 on: March 10, 2008, 01:09:47 AM »
« Last Edit: March 10, 2008, 01:11:19 AM by polonus »

reles

  • Guest
Re: Guys, about this "Adware Softomate".....
« Reply #41 on: March 10, 2008, 01:14:04 AM »
Hi reles,

Consider this info here:
http://vil.nai.com/vil/content/v_133634.htm
or this one:
http://vil.nai.com/vil/content/v_131115.htm

polonus

I'm not quite sure what you want me to look at but I'm given to understand that that was one of the Ads I had and that it was located in the recycle bin, therefore the bin had to be emptied, is that right?

Either way, here's the RegSearch Log:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 10/03/2008 08:03:57 p.m. for strings:
;  'lvuvc.hs'
; Strings excluded from search:
;  (None)
; Search in:
; Registry Keys  Registry Values  Registry Data 
; HKEY_LOCAL_MACHINE  HKEY_USERS 


; End Of The Log...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Guys, about this "Adware Softomate".....
« Reply #42 on: March 10, 2008, 01:18:46 AM »
Hi reles,

If you recognize one or saw it earlier on your comp, tell me, because in one of these descriptions there is the removal instruction for the specific malware.
So we would know what registry adaptations to make or what to delete.
Do you see now why I posted these links? We will get there with a little help.
Just post this info, and see what "oldman" will instruct,

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Guys, about this "Adware Softomate".....
« Reply #43 on: March 10, 2008, 01:23:30 AM »
Hi reles,

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\drivers\lvuvc.hs

Driver::
lvuvc

Save this as "CFScript" as instructed in the picture below into ComboFix and run,

polonus
« Last Edit: March 10, 2008, 01:28:16 AM by polonus »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Guys, about this "Adware Softomate".....
« Reply #44 on: March 10, 2008, 01:57:14 AM »
Sorry about the link, they changed it. I usually test my links from time to time, this one got by me.

Well that thing isn't associated with a reg key.

I'm still looking.

If it doesn't go away, lets test it.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\drivers\lvuvc.hs

scroll down a bit and click "send file", wait for the results and post them in your next reply.

I've got bigger sticks to use.

Combofix probably emptied the recycle bin.

Open HJT again and click Open the Misc Tools Section. Near the top of the next window you'll see a button labelled Generate Startuplist log. Place a check mark in the two options next to this button ('List also minor Section' and 'List Empty Sections'), then click the Generate Startuplist log button. OK the warning dialogue and either post or attach the information that opens in Notepad.