ChrisDriven
Need help after removing Malware

Hi Experts,

I have spent the past 2 nights with my friend's PC trying to get rid of some bad spyware/malware and a few trojans. The PC (Vista x86) cannot run Malwarebytes, it just comes up with a "stopped working" error; the same goes for Vundofix, which says it's not a valid Win32 app. Combofix starts and then closes with a "stopped working" popup.
Ad-aware Free found Virtumonde and removed it (maybe). LSP-Fix finds no errors. Ad-aware finds nothing now, just some cookies, and the ESET online scan comes up with nothing. Now to the problems :-)

AVG finds 11 rootkits (see AVG.txt) but cannot remove them (access denied).

The CD-ROM drive and the DVD-RW drive both run fine after inserting a disk, but I cannot burn to the DVD-RW because it says there may be files ready to write to it; the CD drive gives the same "currently in use" message if, in Explorer, I right-click it and click Eject.

I have attached the HijackThis log; maybe there is something there that can point one of you in the right direction (which is helping me to fix the CD-ROM and the DVD-RW).

Thanks for your time.

Chris

drewha1969

I would try booting from a Live CD such as Ultimate Boot CD 4 Win and running Antivirus.
phototropic

Try renaming Mbam BEFORE you download it.
Please post a current HJT scan log.
You could also try running an online scan:

http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/

Good luck!!!
Your log file didn't post.
Malwarebytes should remove this threat. If not, Combofix (as you stated) will. But the instructions for Combofix must be followed.
Note: ComboFix should not be run in Safe Mode, unless that is the only mode the affected system will boot to.
If you have not updated Malwarebytes please do so and then boot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
As for HiJackThis you can post it for free analysis here or at
www.hijackthis.de
You are primarily looking for items marked with red X's.
You can get a brief overview of Hijackthis here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
If after running any of the suites above you find that your internet connection fails (is broken) please perform the following steps.
Restart your computer and test your internet connection.
If it does not work, then click Start ->Settings and Control Panel.
Select Network connections. Locate your connection and right click on it.
In the menu click the Repair option. When the repair process has finished, your connection should be working again. Reboot to test.
You may also have some success by logging on to the affected system under a different profile. Some malware only affects the profile that it was loaded under.
David

You need to rename ComboFix before downloading or transferring it to the infected computer. If you rename it after transferring it to the infected computer, the virus might not let the file execute. This is why you are looking at a window that flashes for a second and then disappears.

Download ComboFix again and save it as jabba.exe or some completely different name and then execute it. Let us have the ComboFix log. Running MalwareBytes right after ComboFix finishes will give you good results with Vundo.

Hope that helps.
ChrisDriven (ASKER)

Hi all,

Thanks for the suggestions, I will check things out after work and report back a.s.a.p.

Chris

Live CD boot sounds like a good idea; a similar solution would be to load an AV that has a boot-time scan, like Avast. This has fixed many persistent problems for me.
Hi again, here's an update:

Downloaded, renamed and ran Combofix: log attached.
Ran Mbam: log attached.
HijackThis log attached.

Everything went well; Combofix found and removed the 11 or so rootkits that AVG was finding. I thought that everything was fine, then I started Internet Explorer! The $_ _T hit the fan there. IE started to restore the last session: a lot of windows, all with  http:// www.fulldotfind.com/pubac/ac.php?aid=11&sid=v3076 in them, and they kept coming; eventually IE was closed down by Vista. I have no idea where to go from here.

I cannot seem to attach any files, it says uploading and then nothing appears. I will upload them somewhere else.

Thanks again for all of your time.

Chris
Thanks for uploading those files on Uploading, Chris. I have tried to download them, but every time I wait for the 90 seconds to pass and then click on 'Free Download', it comes back to the original webpage; I click on 'Download Now' and then it goes back to the 90-second timer.

Are you able to post the ComboFix log in the body of the message, and the other logs as well?
Ok, will do.

Combofix Log:
ComboFix 09-05-13.02 - Lars 15/05/2009  8:19:18.3 - NTFSx86
Running from: C:\Users\Lars\Desktop\komix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\TEMP\logishrd\LVPrcInj01.dll

.
(((((((((((((((((((((((((   Files Created from 2009-04-15 to 2009-05-15  )))))))))))))))))))))))))))))))
.

2009-05-14 18:48:50 . 2009-05-14 18:48:50      0      d-----w      C:\ProgramData\Nero
2009-05-14 18:48:50 . 2009-05-14 18:49:24      0      d-----w      C:\Program Files\Common Files\Ahead
2009-05-14 17:50:16 . 2009-05-14 17:50:16      0      d-----w      C:\Windows\log
2009-05-14 14:11:24 . 2009-05-14 15:28:56      0      d-----w      C:\Program Files\MALWAREBYTES ANTI-MALWARE
2009-05-13 18:33:34 . 2009-05-13 18:33:34      14152      ----a-w      C:\Windows\system32\drivers\PROCEXP113.SYS
2009-05-12 20:31:44 . 2009-05-12 20:31:44      0      d-----w      C:\Users\Lars\AppData\Local\Ahead
2009-05-12 19:49:46 . 2009-03-09 19:06:57      15688      ----a-w      C:\Windows\system32\lsdelete.exe
2009-05-12 19:45:43 . 2009-03-09 19:06:56      64160      ----a-w      C:\Windows\system32\drivers\Lbd.sys
2009-05-12 19:45:30 . 2009-05-13 18:16:47      0      dc-h--w      C:\ProgramData\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-12 19:45:23 . 2009-05-12 19:45:23      0      d-----w      C:\Program Files\Lavasoft
2009-05-12 19:45:23 . 2009-05-12 19:45:46      0      d-----w      C:\ProgramData\Lavasoft
2009-05-12 15:40:16 . 2009-05-12 15:40:16      0      d-----w      C:\Users\Lars\AppData\Roaming\Lavasoft
2009-05-11 05:28:11 . 2009-05-11 05:28:11      262144      ----a-w      C:\ntuser.dat
2009-05-10 21:52:25 . 2009-05-10 21:52:28      0      d-----w      C:\Program Files\CleanUp!
2009-05-10 14:29:43 . 2009-05-13 19:06:25      0      d--h--w      C:\$AVG8.VAULT$
2009-05-10 14:08:53 . 2009-05-10 14:08:53      0      d-----w      C:\ProgramData\Downloaded Installations
2009-05-10 14:08:42 . 2009-05-10 18:48:28      11952      ----a-w      C:\Windows\system32\avgrsstx.dll
2009-05-10 14:08:42 . 2009-05-10 18:48:14      12552      ----a-w      C:\Windows\system32\drivers\avgrkx86.sys
2009-05-10 14:08:41 . 2009-05-10 18:48:24      108552      ----a-w      C:\Windows\system32\drivers\avgtdix.sys
2009-05-10 14:08:37 . 2009-05-10 18:48:28      325896      ----a-w      C:\Windows\system32\drivers\avgldx86.sys
2009-05-10 14:08:35 . 2009-05-14 15:53:20      0      d-----w      C:\Windows\system32\drivers\Avg
2009-05-10 14:08:26 . 2009-05-10 18:48:17      23832      ----a-w      C:\Windows\system32\drivers\avgfwd6x.sys
2009-05-10 14:08:26 . 2009-05-10 14:08:26      0      d-----w      C:\Program Files\AVG
2009-05-10 14:08:26 . 2009-05-12 22:26:03      0      d-----w      C:\ProgramData\avg8
2009-05-10 09:00:40 . 2009-05-10 13:46:51      0      d-----w      C:\Program Files\Spybot - Search & Destroy
2009-05-09 06:49:44 . 2009-05-09 06:50:13      0      d-----w      C:\Windows\BDOSCAN8
2009-05-07 22:31:40 . 2009-05-07 22:31:41      28320      ----a-w      C:\Windows\system32\drivers\czvqaigs.sys
2009-05-07 20:25:44 . 2009-05-07 20:25:44      47360      ----a-w      C:\Windows\system32\drivers\pcouffin.sys
2009-05-07 20:25:44 . 2009-05-07 20:25:44      47360      ----a-w      C:\Users\Lars\AppData\Roaming\pcouffin.sys
2009-05-07 20:25:40 . 2006-09-29 11:24:48      217127      ----a-w      C:\Windows\system32\drv43260.dll
2009-05-07 20:25:40 . 2006-09-29 11:25:38      208935      ----a-w      C:\Windows\system32\drv33260.dll
2009-05-07 20:25:40 . 2006-09-29 11:26:22      176165      ----a-w      C:\Windows\system32\drv23260.dll
2009-05-07 20:25:40 . 2007-03-18 19:37:12      65602      ----a-w      C:\Windows\system32\cook3260.dll
2009-05-07 20:25:40 . 2006-05-11 18:21:00      626688      ----a-w      C:\Windows\system32\vp7vfw.dll
2009-05-07 20:25:40 . 2006-05-20 15:16:00      1184984      ----a-w      C:\Windows\system32\wvc1dmod.dll
2009-05-07 20:25:40 . 2004-05-04 10:53:40      1645320      ----a-w      C:\Windows\gdiplus.dll
2009-05-03 04:27:58 . 2009-05-03 04:27:58      0      d-----w      C:\Program Files\Elaborate Bytes
2009-05-02 07:47:11 . 2009-05-02 07:51:28      0      d-----w      C:\Users\Lars\AppData\Roaming\dvdcss
2009-05-02 07:46:45 . 2009-05-02 07:51:43      0      d-----w      C:\Users\Lars\AppData\Roaming\vlc(144)
2009-05-01 23:05:26 . 2009-05-01 23:05:26      0      d-----w      C:\Users\Lars\AppData\Local\PowerDVDCinema
2009-05-01 23:01:54 . 2009-05-01 23:01:54      0      d-----w      C:\Program Files\Common Files\CyberLink
2009-04-30 20:45:16 . 2009-05-08 22:22:43      0      d-----w      C:\Program Files\Combined Community Codec Pack
2009-04-30 20:44:44 . 2009-04-30 20:44:45      0      d-----w      C:\Program Files\AC3Filter
2009-04-30 17:33:20 . 2009-04-30 17:33:20      0      d-----w      C:\Users\Lars\AppData\Local\SupportSoft
2009-04-28 15:15:19 . 2009-04-28 15:15:19      0      d-----w      C:\Program Files\Daniusoft
2009-04-21 09:35:00 . 2009-04-21 09:38:04      0      d-----w      C:\iPAQ

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 06:44:41 . 2007-10-26 09:19:39      92362      ----a-w      C:\Windows\system32\perfc006.dat
2009-05-15 06:44:41 . 2007-10-26 09:19:39      502388      ----a-w      C:\Windows\system32\perfh006.dat
2009-05-15 04:57:56 . 2007-10-24 21:29:49      8376      ----a-w      C:\Users\Lars\AppData\Local\d3d9caps.dat
2009-05-14 15:28:56 . 2009-05-14 14:16:49      0      d-----w      C:\Program Files\Malwarebytes' Anti-Malware
2009-05-13 01:00:16 . 2006-11-02 11:18:33      0      d-----w      C:\Program Files\Windows Mail
2009-05-13 00:10:53 . 2008-10-19 14:54:09      8224      ----a-w      C:\Users\EmmaOgAndreas\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-10 19:44:31 . 2008-01-28 21:55:15      0      d-----w      C:\Program Files\Fake Voice
2009-05-10 14:49:22 . 2008-04-02 18:55:25      0      d-----w      C:\Program Files\PPMate
2009-05-10 14:08:31 . 2006-11-02 10:25:05      86016      ----a-w      C:\Windows\inf\infstor.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05      86016      ----a-w      C:\Windows\inf\infpub.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05      143360      ----a-w      C:\Windows\inf\infstrng.dat
2009-05-10 08:37:38 . 2008-10-23 16:39:23      0      d-----w      C:\Users\Lars\AppData\Roaming\SUPERAntiSpyware.com
2009-05-10 08:37:38 . 2007-11-10 12:28:06      0      d-----w      C:\Program Files\SUPERAntiSpyware
2009-05-10 08:36:50 . 2007-10-25 02:24:10      0      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2009-05-07 21:41:17 . 2007-10-26 09:42:50      0      d-----w      C:\Program Files\ESET
2009-05-07 20:25:41 . 2009-01-29 13:11:45      0      d-----w      C:\Program Files\VSO
2009-05-06 21:04:59 . 2007-10-28 14:53:53      112048      ----a-w      C:\Users\Camilla\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-06 21:00:10 . 2007-10-24 21:30:11      112048      ----a-w      C:\Users\Lars\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-05 18:46:33 . 2007-10-28 15:36:13      0      d-----w      C:\Program Files\Microsoft Works
2009-05-04 20:20:23 . 2007-10-25 04:05:26      0      d--h--w      C:\Program Files\InstallShield Installation Information
2009-05-04 20:19:50 . 2008-11-19 20:26:10      0      d-----w      C:\Program Files\Veetle
2009-05-03 04:08:19 . 2007-10-26 20:25:48      0      d-----w      C:\Program Files\CyberLink
2009-04-21 09:38:08 . 2007-12-20 18:00:36      0      d-----w      C:\Program Files\HP
2009-04-10 17:40:42 . 2008-03-21 10:06:49      0      d-----w      C:\Program Files\DVD Shrink
2009-04-06 13:32:54 . 2009-05-14 14:16:50      38496      ----a-w      C:\Windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32:46 . 2009-05-14 14:16:52      15504      ----a-w      C:\Windows\system32\drivers\mbam.sys
2009-04-04 19:11:00 . 2007-10-28 10:27:40      0      d-----w      C:\Program Files\Common Files\Adobe
2009-04-02 20:35:44 . 2009-04-02 20:35:44      0      d-----w      C:\Program Files\CLICK
2009-04-01 19:39:22 . 2009-04-01 19:39:21      0      d-----w      C:\Program Files\Common Files\Deterministic Networks
2009-04-01 15:10:29 . 2008-02-28 23:08:58      0      d-----w      C:\Program Files\THQ
2009-03-31 14:14:50 . 2008-05-31 18:10:19      181192      ---ha-w      C:\Windows\system32\mlfcache.dat
2009-03-28 09:32:22 . 2009-03-28 09:32:22      0      d-----w      C:\Program Files\QuickPar
2009-03-17 15:44:57 . 2007-10-26 20:28:41      0      d-----w      C:\Program Files\Google
2009-03-17 03:38:46 . 2009-04-15 18:07:04      13824      ----a-w      C:\Windows\system32\apilogen.dll
2009-03-17 03:38:44 . 2009-04-15 18:07:04      24064      ----a-w      C:\Windows\system32\amxread.dll
2009-03-09 17:00:55 . 2009-03-09 17:00:55      0      ----a-w      C:\Users\Lars\temp.dat
2009-03-08 11:34:57 . 2009-03-31 19:05:30      914944      ----a-w      C:\Windows\system32\wininet.dll
2009-03-08 11:34:28 . 2009-03-31 19:05:33      43008      ----a-w      C:\Windows\system32\licmgr10.dll
2009-03-08 11:33:38 . 2009-03-31 19:05:34      18944      ----a-w      C:\Windows\system32\corpol.dll
2009-03-08 11:33:17 . 2009-03-31 19:05:31      109056      ----a-w      C:\Windows\system32\iesysprep.dll
2009-03-08 11:33:16 . 2009-03-31 19:05:31      109568      ----a-w      C:\Windows\system32\PDMSetup.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      132608      ----a-w      C:\Windows\system32\ieUnatt.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      107520      ----a-w      C:\Windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      107008      ----a-w      C:\Windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      103936      ----a-w      C:\Windows\system32\SetDepNx.exe
2009-03-08 11:33:04 . 2009-03-31 19:05:32      420352      ----a-w      C:\Windows\system32\vbscript.dll
2009-03-08 11:32:54 . 2009-03-31 19:05:34      72704      ----a-w      C:\Windows\system32\admparse.dll
2009-03-08 11:32:49 . 2009-03-31 19:05:33      71680      ----a-w      C:\Windows\system32\iesetup.dll
2009-03-08 11:32:38 . 2009-03-31 19:05:33      66560      ----a-w      C:\Windows\system32\wextract.exe
2009-03-08 11:32:32 . 2009-03-31 19:05:31      169472      ----a-w      C:\Windows\system32\iexpress.exe
2009-03-08 11:31:37 . 2009-03-31 19:05:34      34816      ----a-w      C:\Windows\system32\imgutil.dll
2009-03-08 11:31:17 . 2009-03-31 19:05:34      48128      ----a-w      C:\Windows\system32\mshtmler.dll
2009-03-08 11:31:00 . 2009-03-31 19:05:31      45568      ----a-w      C:\Windows\system32\mshta.exe
2009-03-08 11:22:37 . 2009-03-31 19:05:34      156160      ----a-w      C:\Windows\system32\msls31.dll
2009-03-03 04:46:01 . 2009-04-15 18:07:22      3599328      ----a-w      C:\Windows\system32\ntkrnlpa.exe
2009-03-03 04:46:01 . 2009-04-15 18:07:21      3547632      ----a-w      C:\Windows\system32\ntoskrnl.exe
2009-03-03 04:39:36 . 2009-04-15 18:07:20      183296      ----a-w      C:\Windows\system32\sdohlp.dll
2009-03-03 04:39:32 . 2009-04-15 18:07:23      551424      ----a-w      C:\Windows\system32\rpcss.dll
2009-03-03 04:39:22 . 2009-04-15 18:07:20      26112      ----a-w      C:\Windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20      98304      ----a-w      C:\Windows\system32\iasrecst.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20      54784      ----a-w      C:\Windows\system32\iasads.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20      44032      ----a-w      C:\Windows\system32\iasdatastore.dll
2009-03-03 03:04:59 . 2009-04-15 18:07:21      666624      ----a-w      C:\Windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38:13 . 2009-04-15 18:07:20      17408      ----a-w      C:\Windows\system32\iashost.exe
2009-02-26 10:46:56 . 2009-02-26 10:46:56      74760      ----a-w      C:\Windows\system32\drivers\UniversalDD.sys
2009-02-26 10:46:56 . 2009-02-26 10:46:56      25608      ----a-w      C:\Windows\system32\drivers\AVGIDSErHr.sys
2009-02-22 10:48:14 . 2009-02-22 10:02:03      34      ----a-w      C:\Users\EmmaOgAndreas\jagex_runescape_preferences.dat
2009-02-19 08:55:20 . 2009-02-19 08:55:20      15384      ----a-w      C:\Windows\system32\drivers\pfmodnt.sys
2009-02-19 08:54:48 . 2009-02-19 08:54:48      1222680      ----a-w      C:\Windows\system32\drivers\ha20x22k.sys
2009-02-19 08:53:16 . 2009-02-19 08:53:16      1179672      ----a-w      C:\Windows\system32\drivers\ha20x2k.sys
2009-02-19 08:52:42 . 2009-02-19 08:52:42      95768      ----a-w      C:\Windows\system32\drivers\emupia2k.sys
2009-02-19 08:52:04 . 2009-02-19 08:52:04      159256      ----a-w      C:\Windows\system32\drivers\ctsfm2k.sys
2009-02-19 08:51:26 . 2009-02-19 08:51:26      14360      ----a-w      C:\Windows\system32\drivers\ctprxy2k.sys
2009-02-19 08:50:46 . 2009-02-19 08:50:46      129560      ----a-w      C:\Windows\system32\drivers\ctoss2k.sys
2009-02-19 08:45:16 . 2009-02-19 08:45:16      535320      ----a-w      C:\Windows\system32\drivers\ctaud2k.sys
2009-02-19 08:44:40 . 2009-02-19 08:44:40      511000      ----a-w      C:\Windows\system32\drivers\ctac32k.sys
2009-02-19 08:43:50 . 2009-02-19 08:43:50      1353240      ----a-w      C:\Windows\system32\drivers\CTEXFIFX.sys
2009-02-19 08:43:10 . 2009-02-19 08:43:10      73752      ----a-w      C:\Windows\system32\drivers\CTHWIUT.sys
2009-02-19 08:42:26 . 2009-02-19 08:42:26      198168      ----a-w      C:\Windows\system32\drivers\CT20XUT.sys
2009-02-19 07:00:14 . 2008-01-15 04:01:40      86016      ----a-w      C:\Windows\system32\ctcoinst.dll
2009-02-19 07:00:14 . 2008-01-15 04:01:40      181248      ----a-w      C:\Windows\system32\ctdvinst.dll
2009-02-19 06:59:04 . 2009-02-19 06:59:04      14336      ----a-w      C:\Windows\system32\a3d.dll
2009-02-19 06:58:38 . 2009-02-19 06:58:38      13312      ----a-w      C:\Windows\system32\ac3api.dll
2009-02-19 06:58:02 . 2009-02-19 06:58:02      2560      ----a-w      C:\Windows\system32\CtxfiRes.dll
2009-02-19 06:58:00 . 2009-02-19 06:58:00      42496      ----a-w      C:\Windows\system32\CTxfiBtn.dll
2009-02-19 06:57:58 . 2009-02-19 06:57:58      39424      ----a-w      C:\Windows\system32\CTxfiSpk.dll
2009-02-19 06:57:58 . 2009-02-19 06:57:58      24576      ----a-w      C:\Windows\system32\Ctxfihlp.exe
2009-02-19 06:54:06 . 2009-02-19 06:54:06      47104      ----a-w      C:\Windows\system32\CTxfiReg.exe
2009-02-19 06:54:02 . 2009-02-19 06:54:02      15360      ----a-w      C:\Windows\system32\Ct20xspi.dll
2009-02-19 06:53:56 . 2009-02-19 06:53:56      1212928      ----a-w      C:\Windows\system32\CTxfispi.exe
2009-02-19 06:47:06 . 2008-02-21 03:04:18      51787      ----a-w      C:\Windows\system32\ctdlang.dat
2009-02-19 06:47:06 . 2008-02-21 03:04:18      384428      ----a-w      C:\Windows\system32\ctdnlstr.dat
2009-02-19 06:46:32 . 2009-02-19 06:46:32      201216      ----a-w      C:\Windows\system32\ctemupia.dll
2009-02-19 06:43:48 . 2009-02-19 06:43:48      193024      ----a-w      C:\Windows\system32\ct_oal.dll
2009-02-19 06:43:44 . 2009-02-19 06:43:44      50688      ----a-w      C:\Windows\system32\ctasio.dll
2009-02-19 06:43:36 . 2009-02-19 06:43:36      53248      ----a-w      C:\Windows\system32\ctdproxy.dll
2009-02-19 06:42:54 . 2009-02-19 06:42:54      74240      ----a-w      C:\Windows\system32\ctosuser.dll
2009-02-19 06:42:52 . 2009-02-19 06:42:52      10240      ----a-w      C:\Windows\system32\sfman32.dll
2009-02-19 06:42:50 . 2009-02-19 06:42:50      130560      ----a-w      C:\Windows\system32\sfms32.dll
2009-02-19 06:42:44 . 2009-02-19 06:42:44      16384      ----a-w      C:\Windows\system32\regplib.exe
2006-11-22 14:58:11 . 2006-11-22 14:58:11      8192      --sha-w      C:\Windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33:39 202240]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 17:51:28 3885408]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-03-09 11:51:42 243072]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 07:33:09 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 12:11:12 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 12:33:21 176128]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 05:28:32 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-12-15 21:17:56 136600]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 16:11:48 565008]
"LifeChat"="c:\Program Files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 09:16:56 267296]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 19:34:40 49152]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 16:13:26 151552]
"etMonitor"="C:\Windows\etMon.exe" [2007-09-19 20:03:44 102400]
"AVGIDS"="C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 10:46:22 1579528]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-05-10 18:48:25 1947928]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 19:06:55 515416]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 13:57:24 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\Windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UACDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{30471418-D31B-4DEE-9ECA-2CF8DB2FBACC}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{539AD9C6-9097-44F1-B9DA-81B600DB3990}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{9DD004BD-76BC-4F65-ADFE-3017ADE5F65D}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A7FA87C4-ECD0-4FA4-B03E-29F88156EFE8}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{2A8841B5-7D8C-458B-BBF8-E50ADCF4A934}"= Disabled:UDP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{FA38AD53-AF86-4259-B453-FEC9A075B2C3}"= Disabled:TCP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{F3C41857-8C63-42E3-926C-D6FF2D68F886}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{B822B438-2D5C-442E-B8B6-FEBEF41674EA}C:\\program files\\wol\\wol.exe"= UDP:C:\program files\wol\wol.exe:WOL 1.0.3
"UDP Query User{3A3BA820-6444-40D9-A10F-83DAB35D49E2}C:\\program files\\wol\\wol.exe"= TCP:C:\program files\wol\wol.exe:WOL 1.0.3
"{EC7CD5A0-4118-444B-9806-7C1731ED2FC5}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{5C22172A-D26B-4AE5-93C1-E94825064B35}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"TCP Query User{31383E43-1747-4EF9-BDDE-A48FF7DA446E}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{D6F0886C-DB32-4589-AA34-C2800FC1BE0C}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{571F19BB-CCE1-46F4-9B39-34290497360A}C:\\program files\\ppmate\\ppamnet.exe"= UDP:C:\program files\ppmate\ppamnet.exe:ppmnet Module
"UDP Query User{AF8F77E4-B47A-4ADE-921E-8491C5B90235}C:\\program files\\ppmate\\ppamnet.exe"= TCP:C:\program files\ppmate\ppamnet.exe:ppmnet Module
"{87244075-6D60-4E8F-B51F-731B41786424}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{74864C2D-1A73-4326-975D-C2BFDF8AE8F8}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{504DD735-0A66-4BC3-B021-C5BFFCEA5F25}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{E2CF730D-0AA2-4D35-A671-BF1E7586F3A4}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{46D1E131-150D-4B11-A2DE-E43A958478A0}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1A0CCE22-3738-41B2-B121-6800FDF307BA}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{FBE5EC3C-24D0-42CD-B023-051CD68EF440}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{2BD03585-0CCF-441A-B5DF-7AD36AE3C135}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{1F9A3EAF-C4E2-4C05-A0E0-5C9C530C6FD2}C:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"= UDP:C:\program files\globalscape\cuteftp 8 professional\ftpte.exe:FTP Transfer Engine
"UDP Query User{1DEAE99E-59C2-439D-A2D1-E1831D45E78E}C:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"= TCP:C:\program files\globalscape\cuteftp 8 professional\ftpte.exe:FTP Transfer Engine
"{B9051207-5699-4E3D-A1F6-365E52696223}"= UDP:C:\Program Files\Codemasters\GRID\GRID.exe:GRID
"{5BA757F4-01E3-44DA-AA79-28E465A20412}"= TCP:C:\Program Files\Codemasters\GRID\GRID.exe:GRID
"TCP Query User{DAD976BA-862A-48B3-9D37-24CA6B78D77C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2884C220-188B-49A9-85B5-FD153A66C8B9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B198D27E-73C3-47F7-AD53-3DDF00EB89C2}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImLc.exe:IncrediMail
"{B67E0675-427F-41B7-B2BC-16454EAE9BED}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImLc.exe:IncrediMail
"{A8974B9D-1240-40FE-B31D-40BD4205201C}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImPackr.exe:IncrediMail
"{2FD7DAE2-7AC3-4BA9-A1FE-3C479468EB70}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImPackr.exe:IncrediMail
"{79989C2A-7482-4EA1-89C8-23C867C36278}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{4C225B18-DEDB-4B83-83F2-5818331AE89F}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{5E224F79-B425-4FEF-8200-E315EF95FAD2}"= UDP:C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe:Conflict: Denied Ops
"{F76B08C3-17A6-4503-B07E-68F505B819EB}"= TCP:C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe:Conflict: Denied Ops
"{3919F47A-315E-4A1A-AE2D-CB497AB374F7}"= UDP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{9CB2A16A-B461-4463-B700-969FC5DA21B6}"= TCP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{08663E7B-9A74-4178-B51F-CD6DC4B93AE5}"= UDP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{E446B26B-75B5-454E-90D8-1020A6069D19}"= TCP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{BF199DD6-2D8C-44E5-A285-8519DAF58E20}"= C:\Program Files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express
"TCP Query User{46FC2F39-4F27-4B3C-8A3A-E8B3EDCB5346}C:\\program files\\java\\jre6\\bin\\java.exe"= UDP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{5B44DA43-2916-4B9E-955E-DBFF70ABB30E}C:\\program files\\java\\jre6\\bin\\java.exe"= TCP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{53EAAC54-3AF8-45A2-BE1A-A622AC53325E}"= C:\Program Files\AVG\AVG8\avgam.exe:avgam.exe
"{08B691AD-A3ED-484A-B1F1-5635448B369E}"= C:\Program Files\AVG\AVG8\avgdiag.exe:avgdiag.exe
"{2B34CCA0-99CA-445C-8A0E-5A99A30F6AA5}"= C:\Program Files\AVG\AVG8\avgdiagex.exe:avgdiagex.exe
"{E0639972-B2C8-422B-9CC3-468E86F5D5D0}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{AC1EAA2F-0AAD-4A8D-9071-18D9A1755680}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{2E32CCCC-AE8F-49DB-829F-07F9684AA664}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{29A944B8-D27D-4B81-A967-5AC4F1CC75C6}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:UDP:C:\program files\zattoo\zattoo2.exe:
"UDP Query User{43430C6B-25C6-4316-9ABD-3800ECA17B02}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:TCP:C:\program files\zattoo\zattoo2.exe:
"TCP Query User{53939F42-4C07-4493-A92B-D9F2E87D579B}C:\\program files\\zattoo\\zattoo.exe"= Disabled:UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{BA4C9F24-DED7-4B80-B7DF-6D9A49630BAF}C:\\program files\\zattoo\\zattoo.exe"= Disabled:TCP:C:\program files\zattoo\zattoo.exe:
"TCP Query User{E9E39D17-6D30-4020-8456-057DA4491D0A}C:\\program files\\zattoo\\zattood.exe"= Disabled:UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{FCD80E81-DC3C-4641-9468-30DB22CB61ED}C:\\program files\\zattoo\\zattood.exe"= Disabled:TCP:C:\program files\zattoo\zattood.exe:zattood
"TCP Query User{3B1EC8F4-25DE-420C-A4C4-491DE8EDC2D4}C:\\program files\\zattoo\\zattoo.exe"= Disabled:UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{E9A85774-5328-4AC5-AC4E-2F05D13BCC87}C:\\program files\\zattoo\\zattoo.exe"= Disabled:TCP:C:\program files\zattoo\zattoo.exe:
"{7510586A-F97F-4E24-9C91-9A0C3020CAE6}"= UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{E38E9C52-EE42-42C8-8505-47871BC470F2}"= TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{5F2E4C05-3198-493D-BBFB-393B7A09B4E9}"= UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{C355A61B-7416-4AB6-9865-30A88A4C2B93}"= TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"TCP Query User{CDFA3DEA-02B7-458E-B041-02FD31704577}C:\\program files\\thq\\company of heroes\\reliccoh.exe"= Disabled:UDP:C:\program files\thq\company of heroes\reliccoh.exe:RelicCOH
"UDP Query User{4CB0BAC7-816F-492C-8B24-4259B419C8A3}C:\\program files\\thq\\company of heroes\\reliccoh.exe"= Disabled:TCP:C:\program files\thq\company of heroes\reliccoh.exe:RelicCOH
"TCP Query User{7140D20F-0CEA-4CD6-B698-F2E3CA1FFB8C}C:\\program files\\zattoo\\zattood.exe"= Disabled:UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{53654654-A298-4A06-9589-DE66A4EB8E42}C:\\program files\\zattoo\\zattood.exe"= Disabled:TCP:C:\program files\zattoo\zattood.exe:zattood
"{BA701B04-5F72-423C-9A13-48522E8E2254}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{9F8E78EA-EBD2-49F8-8B16-36C641E32BA9}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{E832E931-2A48-4685-8BCB-1B0FDEFA18CE}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{26FA698A-C492-4EC4-B4E2-86495C99624B}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPMate\\ppmate.exe"= C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate
"C:\\Program Files\\PPMate\\ppamnet.exe"= C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R3 athena;athena;C:\Windows\system32\DRIVERS\athena.sys [2006-11-09 09:29:12 110336]
R3 AVGIDSDriver;AVGIDSDriver;C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSDriver.sys [2009-02-26 10:46:56 121352]
R3 AVGIDSFilter;AVGIDSFilter;C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSFilter.sys [2009-02-26 10:46:56 30216]
R3 AVGIDSShim;AVGIDSShim;C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSShim.sys [2009-02-26 10:46:56 29136]
R3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS [2009-02-19 08:42:26 198168]
R3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS [2009-02-19 08:43:50 1353240]
R3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS [2009-02-19 08:43:10 73752]
R3 DCamUSBET;ET USB 2750 Camera;C:\Windows\system32\DRIVERS\etDevice.sys [2008-03-01 00:38:36 131712]
R3 FiltUSBET;ET USB Device Lower Filter;C:\Windows\system32\DRIVERS\etFilter.sys [2008-06-12 18:02:42 183168]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys [2009-02-19 08:54:48 1222680]
R3 ScanUSBET;ET USB Still Image Capture Device;C:\Windows\system32\DRIVERS\etScan.sys [2007-09-07 18:43:56 6656]
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\Windows\system32\DRIVERS\sis163u.sys [x]
R3 SndTAudio;SndTAudio;C:\Windows\system32\drivers\SndTAudio.sys [2008-11-11 14:05:16 23096]
R3 SndTVideo;SndTVideo;C:\Windows\system32\DRIVERS\SndTVideo.sys [2008-11-11 14:05:18 3768]
R4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-10 18:48:15 908568]
R4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-10 18:48:20 298776]
R4 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2009-05-10 18:48:16 1366904]
R4 AVGIDSAgent;AVGIDSAgent;C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
R4 AVGIDSWatcher;AVGIDSWatcher;C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 10:46:22 563720]
S0 AVGIDSErHr;AVGIDSErHr;C:\Windows\System32\Drivers\AVGIDSErHr.sys [2009-02-26 10:46:56 25608]
S0 AvgRkx86;avgrkx86.sys;C:\Windows\System32\Drivers\avgrkx86.sys [2009-05-10 18:48:14 12552]
S0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [2009-03-09 19:06:56 64160]
S1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6x.sys [2009-05-10 18:48:17 23832]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\System32\Drivers\avgldx86.sys [2009-05-10 18:48:28 325896]
S1 AvgTdiX;AVG8 Network Redirector;C:\Windows\System32\Drivers\avgtdix.sys [2009-05-10 18:48:24 108552]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-02 19:42:32 41456]
S2 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys [2008-12-08 16:01:52 55264]
S2 fsssvc;Windows Live Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 17:08:58 533360]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 19:06:55 951632]
S3 b57nd60x;%SvcDispName%;C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 04:25:04 179712]
S3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.SYS [2009-02-19 08:42:26 198168]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.SYS [2009-02-19 08:43:50 1353240]
S3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.SYS [2009-02-19 08:43:10 73752]
S3 physX32;physX32;C:\Windows\system32\DRIVERS\physX32.sys [2007-09-13 06:43:00 120320]
S3 tenCapture;tenCapture;C:\Windows\system32\DRIVERS\tenCapture.sys [2007-04-21 14:15:42 9344]


--- Other Services/Drivers In Memory ---

*Deregistered* - {95808DC4-FA4A-4C74-92FE-5B863F82066B}
*Deregistered* - AFD
*Deregistered* - Avgfwfd
*Deregistered* - AVGIDSErHr
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - crcdisk
*Deregistered* - CT20XUT.SYS
*Deregistered* - CTEXFIFX.SYS
*Deregistered* - CTHWIUT.SYS
*Deregistered* - ctprxy2k
*Deregistered* - ctsfm2k
*Deregistered* - CVPNDRVA
*Deregistered* - DfsC
*Deregistered* - DNE
*Deregistered* - DXGKrnl
*Deregistered* - Ecache
*Deregistered* - emupia
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - fssfltr
*Deregistered* - fvevol
*Deregistered* - ha20x2k
*Deregistered* - HTTP
*Deregistered* - iScsiPrt
*Deregistered* - kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lbd
*Deregistered* - lltdio
*Deregistered* - LVPr2Mon
*Deregistered* - LVUSBSta
*Deregistered* - mouclass
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVR0Dev
*Deregistered* - nvraid
*Deregistered* - nvstor
*Deregistered* - ossrv
*Deregistered* - Pcouffin
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - RDPWD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - sptd
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - TDTCP
*Deregistered* - tdx
*Deregistered* - tssecsrv
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - udfs
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000
*Deregistered* - ws2ifsl

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile      REG_MULTI_SZ         wcescomm rapimgr
LocalServiceRestricted      REG_MULTI_SZ         WcesComm RapiMgr
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e93f610-3888-11dd-b1e2-001aa0d8fac4}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL O:\Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10faf08e-002b-11de-ac78-806e6f6e6963}]
\shell\AutoRun\command - H:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 C:\Windows\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06:56 . 2009-03-09 19:06:56]

2009-04-14 C:\Windows\Tasks\GBMPro6 Task - New Backup Job.job
- C:\Program Files\Genie-Soft\GBMPro 6.0\GBMPro.exe [2008-08-03 20:13:25 . 2005-05-15 12:58:50]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 192.168.0.102:808
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: C:\Windows\system32\wpclsp.dll
DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} - hxxp://86.144.102.131:8085/IPCamPluginMJPEG.cab
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://danid.dk/csp/authenticode/digitalsignatur-csp.exe
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 08:52:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...    this is not a cut and paste error, the log stops here.
****************************************************************************************************

HiJackThis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:43, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://86.144.102.131:8085/IPCamPluginMJPEG.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://danid.dk/csp/authenticode/digitalsignatur-csp.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 9279 bytes
***************************************************************************************************************

Malwarebytes' Anti-Malware 1.36
Database version: 2131
Windows 6.0.6001 Service Pack 1

15/05/2009 07:04:14
mbam-log-2009-05-15 (07-04-14).txt

Scan type: Quick Scan
Objects scanned: 86205
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Hope this is ok-

Chris
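The ComboFix dump above shows the two things a responder should pull out of the firewallpolicy section before anything else: EnableFirewall is 0 for both the Public and Standard profiles, and the AuthorizedApplications list contains per-program exceptions (including ppamnet.exe) that stay in place even if the firewall is switched back on. The script below is an added example written for this thread, not ComboFix's or AVG's own code: it parses that section from the log text and lists disabled profiles and enabled exceptions. The sample text is constructed from the lines posted above; the FirewallRules section header that precedes the Vista-style per-GUID rules is an assumption, since the excerpt starts below it.

```python
"""Audit the firewallpolicy section of a ComboFix-style registry dump.

Added example for this thread, not ComboFix's or AVG's own code. SAMPLE_DUMP
is constructed from the log lines posted above; the FirewallRules section
header is an assumption (the posted excerpt begins below it).
"""
import re
from dataclasses import dataclass, field

SAMPLE_DUMP = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{46FC2F39-4F27-4B3C-8A3A-E8B3EDCB5346}C:\\program files\\java\\jre6\\bin\\java.exe"= UDP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{29A944B8-D27D-4B81-A967-5AC4F1CC75C6}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:UDP:C:\program files\zattoo\zattoo2.exe:
"{BF199DD6-2D8C-44E5-A285-8519DAF58E20}"= C:\Program Files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPMate\\ppmate.exe"= C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate
"C:\\Program Files\\PPMate\\ppamnet.exe"= C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')


@dataclass
class FirewallReport:
    profiles: dict = field(default_factory=dict)  # "PublicProfile" -> True if enabled
    rules: list = field(default_factory=list)     # (path, proto_or_scope, state, label)

    def disabled_profiles(self):
        return sorted(p for p, on in self.profiles.items() if not on)

    def enabled_rules(self):
        return [r for r in self.rules if r[2] == "Enabled"]


def parse_rule(value):
    """Normalise the two exception formats ComboFix prints:
       XP-style list entry:   path:scope:Enabled|Disabled:label
       Vista-style rule:      [Disabled:]TCP|UDP:path:label   (label may be empty)
    The path starts with a drive letter, so its own colon is split off first."""
    state = "Enabled"
    if value.startswith("Disabled:"):
        state, value = "Disabled", value[len("Disabled:"):]
    proto = "*"
    if value[:4] in ("TCP:", "UDP:"):
        proto, value = value[:3], value[4:]
    drive, rest = value[:2], value[2:]
    parts = rest.split(":")
    path = drive + parts[0]
    if len(parts) == 4:                      # XP-style: scope, state, label follow
        proto, state, label = parts[1], parts[2], parts[3]
    else:                                    # Vista-style: only a label follows
        label = parts[1] if len(parts) > 1 else ""
    return path, proto, state, label


def audit_firewall_policy(text):
    """Walk the dump section by section and collect profile state and exceptions."""
    report = FirewallReport()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or "firewallpolicy" not in section.lower():
            continue
        leaf = section.rsplit("\\", 1)[-1]   # PublicProfile, List, FirewallRules ...
        name, value = m.group("name"), m.group("value")
        if name == "EnableFirewall":
            report.profiles[leaf] = int(value.split()[0]) != 0
        elif leaf in ("List", "FirewallRules"):
            report.rules.append(parse_rule(value))
    return report


def summarize(report):
    """Human-readable findings: profiles with the firewall off, then live exceptions."""
    lines = [f"firewall OFF for {p}" for p in report.disabled_profiles()]
    for path, proto, state, label in report.enabled_rules():
        lines.append(f"allow {proto:<3} {path}  ({label or 'no label'})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(audit_firewall_policy(SAMPLE_DUMP))))
```

Re-enabling the firewall fixes only the first finding; each enabled exception still has to be judged on its own, because a program-level exception survives the profile being turned back on.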
Does this PC get strange security warnings and pop ups?

ppamnet.exe does not look legit - it seems like it is something that can (and did) turn off your firewall to communicate with the outside. Seems like this PC is part of some botnet because it is listening for connections on TCP and UDP. It also can run other bad things and hijack processes.

First thing you want to do is run a boot-time AV scan, either Avast or a live CD - you may have to scan a few times.

After that run HJT and re-post the log.

BTW, this computer has a ton of junk installed on it

Are you using AVG and NOD32?
Yes, there are a couple of infections that I can see as well, but I would ask you to scan your PC with either TrendMicro HouseCall based at: http://housecall.trendmicro.com/ or BitDefender Online Scanner based at http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html

The above 2 scans will also remove any infections present on your PC. Sometimes, a virus can have the same name as a legitimate file and at such times, online scanners can be quite helpful in making sure that we don't delete the legitimate file. They will point out the malicious files and we will remove them (unless they can't do it themselves).
Hi again,
I found a folder called ESET on the C:\ drive; I could not delete it because it was in use. I got rid of it by booting to a command prompt. There is a lot of junk on the PC, I have found around 11 different "viewing programmes" for watching live football, I have deleted all of them, PPAMNET.exe was one of these.
Ok I ran BitDefender twice, the first time it found:

Infected Files: 1
Virus Detected: Trojan.Generic.391361 (1)

I rebooted and ran it again, it found nothing. Trend Micro's HouseCall was still running after 3 hours so I gave up on that.

Here is the Hijack this log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:24, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://86.144.102.131:8085/IPCamPluginMJPEG.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://danid.dk/csp/authenticode/digitalsignatur-csp.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 10622 bytes


Good hunting :-)

Chris
First off -

you have a trojan proxy still running locally on port 808

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
ASKER CERTIFIED SOLUTION
bleech677

Also - keep in mind the boot time scan - this will kill anything before it can load itself into memory
ChrisDriven,

I would have HJT fix this entry:

O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe

Then I would try downloading a fresh (not re-named) copy of Combofix and run another scan. Please post the log here.

warturtle,

On 13th May (ID: 24378966) I posted the following:

"...Try renaming Mbam BEFORE you download it.
Please post a current HJT scan log.
You could also try running an online scan:

http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/

Good luck!!!..."

Please don't duplicate posts.
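Added example, not code from any poster in this thread: a small Python checker that applies the two observations made above (the R1 ProxyServer value pointing at 192.168.0.102:808, and the HKCU Run entry launching Winudate32.exe from system32) to HijackThis-style log lines. The sample lines are constructed from the entries quoted in the thread, the AVG8_TRAY line is made up for contrast, and both heuristics are assumptions of this example rather than HijackThis rules.

```python
import re
from ipaddress import ip_address

# Constructed sample: the R1 and O4 lines quoted in this thread plus two benign
# lines added for contrast (the AVG8_TRAY entry is not from the posted log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)\s*$")
RUN_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]*)\] (.+?)\s*$")


def review_hjt(text):
    """Return (section, message) findings for HijackThis log text.

    Two heuristics, both assumptions of this example:
    * every R1 ProxyServer value is reported, and called out when it points
      at a private (LAN) address, which is how the port-808 proxy shows up;
    * a per-user (HKCU) Run entry whose target lives in system32 is reported,
      since Windows' own system32 components are not started from HKCU\\Run.
    """
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            host = m.group(1).rpartition(":")[0]
            note = "proxy configured"
            try:
                if ip_address(host).is_private:
                    note = "proxy points at a LAN host"
            except ValueError:  # e.g. "http=host:port" lists or a hostname
                pass
            findings.append(("R1", f"{note}: {m.group(1)}"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.groups()
            if hive == "HKCU" and "\\system32\\" in target.lower():
                findings.append(("O4", f"user-scope autorun from system32: [{name}] {target}"))
    return findings


if __name__ == "__main__":
    for section, message in review_hjt(SAMPLE_LOG):
        print(section, message)
```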

@phototropic

Sorry, Bud. Didn't see the original post because it was way up there...my bad!

@chrisdriven

Could you please upload the files below to www.virustotal.com and let us know if they are being flagged as infections?

C:\Windows\system32\drivers\czvqaigs.sys
C:\Users\EmmaOgAndreas\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\system32\PDMSetup.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\regplib.exe
C:\Program Files\CyberLink\PowerDVD\000.fcl
O:\Info.exe

And you said that AVG flagged 11 rootkits in the scan but was unable to delete them. Are you able to upload the avg.txt file you mentioned initially, so that we can see which files are being flagged as rootkits?