Solved

Need help after removing Malware

Posted on 2009-05-13
Last Modified: 2013-12-06
Hi Experts,

I have spent the past 2 nights with my friend's PC trying to get rid of some bad spyware/malware and a few trojans. The PC (Vista x86) cannot run Malwarebytes, it just comes up with a "stopped working" error; the same goes for Vundofix, which says it's not a valid Win32 app. Combofix starts and then closes with a "stopped working" popup.
Ad-aware Free found Virtumonde and removed it (maybe). LSP-Fix finds no errors. Ad-aware finds nothing now, just some cookies, and ESET online scan comes up with nothing. Now to the problems :-)

AVG  finds 11 rootkits (see AVG.txt) but cannot remove them (access denied).

The CD-ROM drive and the DVD-RW drive both run fine after inserting a disk, but I cannot burn to the DVD-RW because it says there may be files ready to write to it; the CD drive gives the same "currently in use" message if, in Explorer, I right-click it and click Eject.

I have attached the HijackThis log; maybe there is something there that can point one of you in the right direction (which is helping me to fix the CD-ROM and the DVD-RW).

Thanks for your time.

Chris

Question by:ChrisDriven
18 Comments
 
LVL 6

Expert Comment

by:drewha1969
ID: 24378537
I would try booting from a Live CD such as Ultimate Boot CD 4 Win and running Antivirus.
 
LVL 23

Expert Comment

by:phototropic
ID: 24378966
Try renaming Mbam BEFORE you download it.
Please post a current HJT scan log.
You could also try running an online scan:

http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/

Good luck!!!
 
LVL 27

Expert Comment

by:David-Howard
ID: 24379315
Your log file didn't post.
Malwarebytes should remove this threat. If not, Combofix (as you stated) will. But the instructions for Combofix must be followed.
Note: ComboFix should not be run in Safe Mode, unless that is the only mode the affected system will boot to.
If you have not updated Malwarebytes please do so and then boot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
As for HiJackThis you can post it for free analysis here or at
www.hijackthis.de
You are primarily looking for items marked with red X's.
You can get a brief overview of Hijackthis here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
If after running any of the suites above you find that your internet connection fails (is broken) please perform the following steps.
Restart your computer and test your internet connection.
If it does not work, then click Start ->Settings and Control Panel.
Select Network connections. Locate your connection and right click on it.
In the menu click the Repair option. When the repair process has finished, your connection should be working again. Reboot to test.
You may also have some success by logging on to the affected system under a different profile. Some malware only affects the profile that it was loaded under.
David

 
LVL 16

Expert Comment

by:warturtle
ID: 24380416
You need to rename ComboFix before downloading or transferring it to the infected computer. If you rename it after transferring it to the infected computer, the virus might not let the file execute. This is why you are looking at a window that flashes for a second and then disappears.

Download ComboFix again and save it as jabba.exe or some completely different name and then execute it. Let us have the ComboFix log. Running MalwareBytes right after ComboFix finishes will give you good results with Vundo.

Hope that helps.
 

Author Comment

by:ChrisDriven
ID: 24381988
Hi all,

Thanks for the suggestions, I will check things out after work and report back a.s.a.p.

Chris

 
LVL 3

Expert Comment

by:bleech677
ID: 24388898
Live CD boot sounds like a good idea; a similar solution would be to load an AV that has a boot-time scan, like Avast. This has fixed many persistent problems for me.
 

Author Comment

by:ChrisDriven
ID: 24392972
Hi again, here's an update:

Downloaded, renamed and ran combofix: log attached.
Ran Mbam, log attached.
Hijackthis log attached

Everything went well, combofix found and removed the 11 or so rootkits that AVG was finding. I thought that everything was fine, then I started Internet Explorer! The $_ _T hit the fan there. IE started to restore the last session, a lot of windows all with http:// www.fulldotfind.com/pubac/ac.php?aid=11&sid=v3076 in them; they kept coming, and eventually IE was closed down by Vista. I have no idea where to go from here.

I cannot seem to attach any files, it says uploading and then nothing appears. I will upload them somewhere else.

Thanks again for all of your time.

Chris
 

Author Comment

by:ChrisDriven
ID: 24393001
 
LVL 16

Expert Comment

by:warturtle
ID: 24393887
Thanks for uploading those files on Uploading, Chris. I have tried to download them, but every time I wait for the 90 seconds to pass and then click on 'Free Download', it comes back to the original webpage; I click on 'Download Now' and then it goes back to the 90-second timer.

Are you able to post the ComboFix log in the body of the message, and the other logs as well?
 

Author Comment

by:ChrisDriven
ID: 24394189
Ok, will do.

Combofix Log :
ComboFix 09-05-13.02 - Lars 15/05/2009  8:19:18.3 - NTFSx86
Running from: C:\Users\Lars\Desktop\komix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\TEMP\logishrd\LVPrcInj01.dll

.
(((((((((((((((((((((((((   Files Created from 2009-04-15 to 2009-05-15  )))))))))))))))))))))))))))))))
.

2009-05-14 18:48:50 . 2009-05-14 18:48:50      0      d-----w      C:\ProgramData\Nero
2009-05-14 18:48:50 . 2009-05-14 18:49:24      0      d-----w      C:\Program Files\Common Files\Ahead
2009-05-14 17:50:16 . 2009-05-14 17:50:16      0      d-----w      C:\Windows\log
2009-05-14 14:11:24 . 2009-05-14 15:28:56      0      d-----w      C:\Program Files\MALWAREBYTES ANTI-MALWARE
2009-05-13 18:33:34 . 2009-05-13 18:33:34      14152      ----a-w      C:\Windows\system32\drivers\PROCEXP113.SYS
2009-05-12 20:31:44 . 2009-05-12 20:31:44      0      d-----w      C:\Users\Lars\AppData\Local\Ahead
2009-05-12 19:49:46 . 2009-03-09 19:06:57      15688      ----a-w      C:\Windows\system32\lsdelete.exe
2009-05-12 19:45:43 . 2009-03-09 19:06:56      64160      ----a-w      C:\Windows\system32\drivers\Lbd.sys
2009-05-12 19:45:30 . 2009-05-13 18:16:47      0      dc-h--w      C:\ProgramData\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-12 19:45:23 . 2009-05-12 19:45:23      0      d-----w      C:\Program Files\Lavasoft
2009-05-12 19:45:23 . 2009-05-12 19:45:46      0      d-----w      C:\ProgramData\Lavasoft
2009-05-12 15:40:16 . 2009-05-12 15:40:16      0      d-----w      C:\Users\Lars\AppData\Roaming\Lavasoft
2009-05-11 05:28:11 . 2009-05-11 05:28:11      262144      ----a-w      C:\ntuser.dat
2009-05-10 21:52:25 . 2009-05-10 21:52:28      0      d-----w      C:\Program Files\CleanUp!
2009-05-10 14:29:43 . 2009-05-13 19:06:25      0      d--h--w      C:\$AVG8.VAULT$
2009-05-10 14:08:53 . 2009-05-10 14:08:53      0      d-----w      C:\ProgramData\Downloaded Installations
2009-05-10 14:08:42 . 2009-05-10 18:48:28      11952      ----a-w      C:\Windows\system32\avgrsstx.dll
2009-05-10 14:08:42 . 2009-05-10 18:48:14      12552      ----a-w      C:\Windows\system32\drivers\avgrkx86.sys
2009-05-10 14:08:41 . 2009-05-10 18:48:24      108552      ----a-w      C:\Windows\system32\drivers\avgtdix.sys
2009-05-10 14:08:37 . 2009-05-10 18:48:28      325896      ----a-w      C:\Windows\system32\drivers\avgldx86.sys
2009-05-10 14:08:35 . 2009-05-14 15:53:20      0      d-----w      C:\Windows\system32\drivers\Avg
2009-05-10 14:08:26 . 2009-05-10 18:48:17      23832      ----a-w      C:\Windows\system32\drivers\avgfwd6x.sys
2009-05-10 14:08:26 . 2009-05-10 14:08:26      0      d-----w      C:\Program Files\AVG
2009-05-10 14:08:26 . 2009-05-12 22:26:03      0      d-----w      C:\ProgramData\avg8
2009-05-10 09:00:40 . 2009-05-10 13:46:51      0      d-----w      C:\Program Files\Spybot - Search & Destroy
2009-05-09 06:49:44 . 2009-05-09 06:50:13      0      d-----w      C:\Windows\BDOSCAN8
2009-05-07 22:31:40 . 2009-05-07 22:31:41      28320      ----a-w      C:\Windows\system32\drivers\czvqaigs.sys
2009-05-07 20:25:44 . 2009-05-07 20:25:44      47360      ----a-w      C:\Windows\system32\drivers\pcouffin.sys
2009-05-07 20:25:44 . 2009-05-07 20:25:44      47360      ----a-w      C:\Users\Lars\AppData\Roaming\pcouffin.sys
2009-05-07 20:25:40 . 2006-09-29 11:24:48      217127      ----a-w      C:\Windows\system32\drv43260.dll
2009-05-07 20:25:40 . 2006-09-29 11:25:38      208935      ----a-w      C:\Windows\system32\drv33260.dll
2009-05-07 20:25:40 . 2006-09-29 11:26:22      176165      ----a-w      C:\Windows\system32\drv23260.dll
2009-05-07 20:25:40 . 2007-03-18 19:37:12      65602      ----a-w      C:\Windows\system32\cook3260.dll
2009-05-07 20:25:40 . 2006-05-11 18:21:00      626688      ----a-w      C:\Windows\system32\vp7vfw.dll
2009-05-07 20:25:40 . 2006-05-20 15:16:00      1184984      ----a-w      C:\Windows\system32\wvc1dmod.dll
2009-05-07 20:25:40 . 2004-05-04 10:53:40      1645320      ----a-w      C:\Windows\gdiplus.dll
2009-05-03 04:27:58 . 2009-05-03 04:27:58      0      d-----w      C:\Program Files\Elaborate Bytes
2009-05-02 07:47:11 . 2009-05-02 07:51:28      0      d-----w      C:\Users\Lars\AppData\Roaming\dvdcss
2009-05-02 07:46:45 . 2009-05-02 07:51:43      0      d-----w      C:\Users\Lars\AppData\Roaming\vlc(144)
2009-05-01 23:05:26 . 2009-05-01 23:05:26      0      d-----w      C:\Users\Lars\AppData\Local\PowerDVDCinema
2009-05-01 23:01:54 . 2009-05-01 23:01:54      0      d-----w      C:\Program Files\Common Files\CyberLink
2009-04-30 20:45:16 . 2009-05-08 22:22:43      0      d-----w      C:\Program Files\Combined Community Codec Pack
2009-04-30 20:44:44 . 2009-04-30 20:44:45      0      d-----w      C:\Program Files\AC3Filter
2009-04-30 17:33:20 . 2009-04-30 17:33:20      0      d-----w      C:\Users\Lars\AppData\Local\SupportSoft
2009-04-28 15:15:19 . 2009-04-28 15:15:19      0      d-----w      C:\Program Files\Daniusoft
2009-04-21 09:35:00 . 2009-04-21 09:38:04      0      d-----w      C:\iPAQ

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 06:44:41 . 2007-10-26 09:19:39      92362      ----a-w      C:\Windows\system32\perfc006.dat
2009-05-15 06:44:41 . 2007-10-26 09:19:39      502388      ----a-w      C:\Windows\system32\perfh006.dat
2009-05-15 04:57:56 . 2007-10-24 21:29:49      8376      ----a-w      C:\Users\Lars\AppData\Local\d3d9caps.dat
2009-05-14 15:28:56 . 2009-05-14 14:16:49      0      d-----w      C:\Program Files\Malwarebytes' Anti-Malware
2009-05-13 01:00:16 . 2006-11-02 11:18:33      0      d-----w      C:\Program Files\Windows Mail
2009-05-13 00:10:53 . 2008-10-19 14:54:09      8224      ----a-w      C:\Users\EmmaOgAndreas\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-10 19:44:31 . 2008-01-28 21:55:15      0      d-----w      C:\Program Files\Fake Voice
2009-05-10 14:49:22 . 2008-04-02 18:55:25      0      d-----w      C:\Program Files\PPMate
2009-05-10 14:08:31 . 2006-11-02 10:25:05      86016      ----a-w      C:\Windows\inf\infstor.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05      86016      ----a-w      C:\Windows\inf\infpub.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05      143360      ----a-w      C:\Windows\inf\infstrng.dat
2009-05-10 08:37:38 . 2008-10-23 16:39:23      0      d-----w      C:\Users\Lars\AppData\Roaming\SUPERAntiSpyware.com
2009-05-10 08:37:38 . 2007-11-10 12:28:06      0      d-----w      C:\Program Files\SUPERAntiSpyware
2009-05-10 08:36:50 . 2007-10-25 02:24:10      0      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2009-05-07 21:41:17 . 2007-10-26 09:42:50      0      d-----w      C:\Program Files\ESET
2009-05-07 20:25:41 . 2009-01-29 13:11:45      0      d-----w      C:\Program Files\VSO
2009-05-06 21:04:59 . 2007-10-28 14:53:53      112048      ----a-w      C:\Users\Camilla\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-06 21:00:10 . 2007-10-24 21:30:11      112048      ----a-w      C:\Users\Lars\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-05 18:46:33 . 2007-10-28 15:36:13      0      d-----w      C:\Program Files\Microsoft Works
2009-05-04 20:20:23 . 2007-10-25 04:05:26      0      d--h--w      C:\Program Files\InstallShield Installation Information
2009-05-04 20:19:50 . 2008-11-19 20:26:10      0      d-----w      C:\Program Files\Veetle
2009-05-03 04:08:19 . 2007-10-26 20:25:48      0      d-----w      C:\Program Files\CyberLink
2009-04-21 09:38:08 . 2007-12-20 18:00:36      0      d-----w      C:\Program Files\HP
2009-04-10 17:40:42 . 2008-03-21 10:06:49      0      d-----w      C:\Program Files\DVD Shrink
2009-04-06 13:32:54 . 2009-05-14 14:16:50      38496      ----a-w      C:\Windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32:46 . 2009-05-14 14:16:52      15504      ----a-w      C:\Windows\system32\drivers\mbam.sys
2009-04-04 19:11:00 . 2007-10-28 10:27:40      0      d-----w      C:\Program Files\Common Files\Adobe
2009-04-02 20:35:44 . 2009-04-02 20:35:44      0      d-----w      C:\Program Files\CLICK
2009-04-01 19:39:22 . 2009-04-01 19:39:21      0      d-----w      C:\Program Files\Common Files\Deterministic Networks
2009-04-01 15:10:29 . 2008-02-28 23:08:58      0      d-----w      C:\Program Files\THQ
2009-03-31 14:14:50 . 2008-05-31 18:10:19      181192      ---ha-w      C:\Windows\system32\mlfcache.dat
2009-03-28 09:32:22 . 2009-03-28 09:32:22      0      d-----w      C:\Program Files\QuickPar
2009-03-17 15:44:57 . 2007-10-26 20:28:41      0      d-----w      C:\Program Files\Google
2009-03-17 03:38:46 . 2009-04-15 18:07:04      13824      ----a-w      C:\Windows\system32\apilogen.dll
2009-03-17 03:38:44 . 2009-04-15 18:07:04      24064      ----a-w      C:\Windows\system32\amxread.dll
2009-03-09 17:00:55 . 2009-03-09 17:00:55      0      ----a-w      C:\Users\Lars\temp.dat
2009-03-08 11:34:57 . 2009-03-31 19:05:30      914944      ----a-w      C:\Windows\system32\wininet.dll
2009-03-08 11:34:28 . 2009-03-31 19:05:33      43008      ----a-w      C:\Windows\system32\licmgr10.dll
2009-03-08 11:33:38 . 2009-03-31 19:05:34      18944      ----a-w      C:\Windows\system32\corpol.dll
2009-03-08 11:33:17 . 2009-03-31 19:05:31      109056      ----a-w      C:\Windows\system32\iesysprep.dll
2009-03-08 11:33:16 . 2009-03-31 19:05:31      109568      ----a-w      C:\Windows\system32\PDMSetup.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      132608      ----a-w      C:\Windows\system32\ieUnatt.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      107520      ----a-w      C:\Windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      107008      ----a-w      C:\Windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31      103936      ----a-w      C:\Windows\system32\SetDepNx.exe
2009-03-08 11:33:04 . 2009-03-31 19:05:32      420352      ----a-w      C:\Windows\system32\vbscript.dll
2009-03-08 11:32:54 . 2009-03-31 19:05:34      72704      ----a-w      C:\Windows\system32\admparse.dll
2009-03-08 11:32:49 . 2009-03-31 19:05:33      71680      ----a-w      C:\Windows\system32\iesetup.dll
2009-03-08 11:32:38 . 2009-03-31 19:05:33      66560      ----a-w      C:\Windows\system32\wextract.exe
2009-03-08 11:32:32 . 2009-03-31 19:05:31      169472      ----a-w      C:\Windows\system32\iexpress.exe
2009-03-08 11:31:37 . 2009-03-31 19:05:34      34816      ----a-w      C:\Windows\system32\imgutil.dll
2009-03-08 11:31:17 . 2009-03-31 19:05:34      48128      ----a-w      C:\Windows\system32\mshtmler.dll
2009-03-08 11:31:00 . 2009-03-31 19:05:31      45568      ----a-w      C:\Windows\system32\mshta.exe
2009-03-08 11:22:37 . 2009-03-31 19:05:34      156160      ----a-w      C:\Windows\system32\msls31.dll
2009-03-03 04:46:01 . 2009-04-15 18:07:22      3599328      ----a-w      C:\Windows\system32\ntkrnlpa.exe
2009-03-03 04:46:01 . 2009-04-15 18:07:21      3547632      ----a-w      C:\Windows\system32\ntoskrnl.exe
2009-03-03 04:39:36 . 2009-04-15 18:07:20      183296      ----a-w      C:\Windows\system32\sdohlp.dll
2009-03-03 04:39:32 . 2009-04-15 18:07:23      551424      ----a-w      C:\Windows\system32\rpcss.dll
2009-03-03 04:39:22 . 2009-04-15 18:07:20      26112      ----a-w      C:\Windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20      98304      ----a-w      C:\Windows\system32\iasrecst.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20      54784      ----a-w      C:\Windows\system32\iasads.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20      44032      ----a-w      C:\Windows\system32\iasdatastore.dll
2009-03-03 03:04:59 . 2009-04-15 18:07:21      666624      ----a-w      C:\Windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38:13 . 2009-04-15 18:07:20      17408      ----a-w      C:\Windows\system32\iashost.exe
2009-02-26 10:46:56 . 2009-02-26 10:46:56      74760      ----a-w      C:\Windows\system32\drivers\UniversalDD.sys
2009-02-26 10:46:56 . 2009-02-26 10:46:56      25608      ----a-w      C:\Windows\system32\drivers\AVGIDSErHr.sys
2009-02-22 10:48:14 . 2009-02-22 10:02:03      34      ----a-w      C:\Users\EmmaOgAndreas\jagex_runescape_preferences.dat
2009-02-19 08:55:20 . 2009-02-19 08:55:20      15384      ----a-w      C:\Windows\system32\drivers\pfmodnt.sys
2009-02-19 08:54:48 . 2009-02-19 08:54:48      1222680      ----a-w      C:\Windows\system32\drivers\ha20x22k.sys
2009-02-19 08:53:16 . 2009-02-19 08:53:16      1179672      ----a-w      C:\Windows\system32\drivers\ha20x2k.sys
2009-02-19 08:52:42 . 2009-02-19 08:52:42      95768      ----a-w      C:\Windows\system32\drivers\emupia2k.sys
2009-02-19 08:52:04 . 2009-02-19 08:52:04      159256      ----a-w      C:\Windows\system32\drivers\ctsfm2k.sys
2009-02-19 08:51:26 . 2009-02-19 08:51:26      14360      ----a-w      C:\Windows\system32\drivers\ctprxy2k.sys
2009-02-19 08:50:46 . 2009-02-19 08:50:46      129560      ----a-w      C:\Windows\system32\drivers\ctoss2k.sys
2009-02-19 08:45:16 . 2009-02-19 08:45:16      535320      ----a-w      C:\Windows\system32\drivers\ctaud2k.sys
2009-02-19 08:44:40 . 2009-02-19 08:44:40      511000      ----a-w      C:\Windows\system32\drivers\ctac32k.sys
2009-02-19 08:43:50 . 2009-02-19 08:43:50      1353240      ----a-w      C:\Windows\system32\drivers\CTEXFIFX.sys
2009-02-19 08:43:10 . 2009-02-19 08:43:10      73752      ----a-w      C:\Windows\system32\drivers\CTHWIUT.sys
2009-02-19 08:42:26 . 2009-02-19 08:42:26      198168      ----a-w      C:\Windows\system32\drivers\CT20XUT.sys
2009-02-19 07:00:14 . 2008-01-15 04:01:40      86016      ----a-w      C:\Windows\system32\ctcoinst.dll
2009-02-19 07:00:14 . 2008-01-15 04:01:40      181248      ----a-w      C:\Windows\system32\ctdvinst.dll
2009-02-19 06:59:04 . 2009-02-19 06:59:04      14336      ----a-w      C:\Windows\system32\a3d.dll
2009-02-19 06:58:38 . 2009-02-19 06:58:38      13312      ----a-w      C:\Windows\system32\ac3api.dll
2009-02-19 06:58:02 . 2009-02-19 06:58:02      2560      ----a-w      C:\Windows\system32\CtxfiRes.dll
2009-02-19 06:58:00 . 2009-02-19 06:58:00      42496      ----a-w      C:\Windows\system32\CTxfiBtn.dll
2009-02-19 06:57:58 . 2009-02-19 06:57:58      39424      ----a-w      C:\Windows\system32\CTxfiSpk.dll
2009-02-19 06:57:58 . 2009-02-19 06:57:58      24576      ----a-w      C:\Windows\system32\Ctxfihlp.exe
2009-02-19 06:54:06 . 2009-02-19 06:54:06      47104      ----a-w      C:\Windows\system32\CTxfiReg.exe
2009-02-19 06:54:02 . 2009-02-19 06:54:02      15360      ----a-w      C:\Windows\system32\Ct20xspi.dll
2009-02-19 06:53:56 . 2009-02-19 06:53:56      1212928      ----a-w      C:\Windows\system32\CTxfispi.exe
2009-02-19 06:47:06 . 2008-02-21 03:04:18      51787      ----a-w      C:\Windows\system32\ctdlang.dat
2009-02-19 06:47:06 . 2008-02-21 03:04:18      384428      ----a-w      C:\Windows\system32\ctdnlstr.dat
2009-02-19 06:46:32 . 2009-02-19 06:46:32      201216      ----a-w      C:\Windows\system32\ctemupia.dll
2009-02-19 06:43:48 . 2009-02-19 06:43:48      193024      ----a-w      C:\Windows\system32\ct_oal.dll
2009-02-19 06:43:44 . 2009-02-19 06:43:44      50688      ----a-w      C:\Windows\system32\ctasio.dll
2009-02-19 06:43:36 . 2009-02-19 06:43:36      53248      ----a-w      C:\Windows\system32\ctdproxy.dll
2009-02-19 06:42:54 . 2009-02-19 06:42:54      74240      ----a-w      C:\Windows\system32\ctosuser.dll
2009-02-19 06:42:52 . 2009-02-19 06:42:52      10240      ----a-w      C:\Windows\system32\sfman32.dll
2009-02-19 06:42:50 . 2009-02-19 06:42:50      130560      ----a-w      C:\Windows\system32\sfms32.dll
2009-02-19 06:42:44 . 2009-02-19 06:42:44      16384      ----a-w      C:\Windows\system32\regplib.exe
2006-11-22 14:58:11 . 2006-11-22 14:58:11      8192      --sha-w      C:\Windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33:39 202240]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 17:51:28 3885408]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-03-09 11:51:42 243072]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 07:33:09 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 12:11:12 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 12:33:21 176128]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 05:28:32 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-12-15 21:17:56 136600]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 16:11:48 565008]
"LifeChat"="c:\Program Files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 09:16:56 267296]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 19:34:40 49152]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 16:13:26 151552]
"etMonitor"="C:\Windows\etMon.exe" [2007-09-19 20:03:44 102400]
"AVGIDS"="C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 10:46:22 1579528]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-05-10 18:48:25 1947928]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 19:06:55 515416]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 13:57:24 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\Windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UACDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{30471418-D31B-4DEE-9ECA-2CF8DB2FBACC}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{539AD9C6-9097-44F1-B9DA-81B600DB3990}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{9DD004BD-76BC-4F65-ADFE-3017ADE5F65D}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A7FA87C4-ECD0-4FA4-B03E-29F88156EFE8}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{2A8841B5-7D8C-458B-BBF8-E50ADCF4A934}"= Disabled:UDP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{FA38AD53-AF86-4259-B453-FEC9A075B2C3}"= Disabled:TCP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{F3C41857-8C63-42E3-926C-D6FF2D68F886}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{B822B438-2D5C-442E-B8B6-FEBEF41674EA}C:\\program files\\wol\\wol.exe"= UDP:C:\program files\wol\wol.exe:WOL 1.0.3
"UDP Query User{3A3BA820-6444-40D9-A10F-83DAB35D49E2}C:\\program files\\wol\\wol.exe"= TCP:C:\program files\wol\wol.exe:WOL 1.0.3
"{EC7CD5A0-4118-444B-9806-7C1731ED2FC5}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{5C22172A-D26B-4AE5-93C1-E94825064B35}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"TCP Query User{31383E43-1747-4EF9-BDDE-A48FF7DA446E}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{D6F0886C-DB32-4589-AA34-C2800FC1BE0C}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{571F19BB-CCE1-46F4-9B39-34290497360A}C:\\program files\\ppmate\\ppamnet.exe"= UDP:C:\program files\ppmate\ppamnet.exe:ppmnet Module
"UDP Query User{AF8F77E4-B47A-4ADE-921E-8491C5B90235}C:\\program files\\ppmate\\ppamnet.exe"= TCP:C:\program files\ppmate\ppamnet.exe:ppmnet Module
"{87244075-6D60-4E8F-B51F-731B41786424}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{74864C2D-1A73-4326-975D-C2BFDF8AE8F8}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{504DD735-0A66-4BC3-B021-C5BFFCEA5F25}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{E2CF730D-0AA2-4D35-A671-BF1E7586F3A4}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{46D1E131-150D-4B11-A2DE-E43A958478A0}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1A0CCE22-3738-41B2-B121-6800FDF307BA}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{FBE5EC3C-24D0-42CD-B023-051CD68EF440}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{2BD03585-0CCF-441A-B5DF-7AD36AE3C135}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{1F9A3EAF-C4E2-4C05-A0E0-5C9C530C6FD2}C:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"= UDP:C:\program files\globalscape\cuteftp 8 professional\ftpte.exe:FTP Transfer Engine
"UDP Query User{1DEAE99E-59C2-439D-A2D1-E1831D45E78E}C:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"= TCP:C:\program files\globalscape\cuteftp 8 professional\ftpte.exe:FTP Transfer Engine
"{B9051207-5699-4E3D-A1F6-365E52696223}"= UDP:C:\Program Files\Codemasters\GRID\GRID.exe:GRID
"{5BA757F4-01E3-44DA-AA79-28E465A20412}"= TCP:C:\Program Files\Codemasters\GRID\GRID.exe:GRID
"TCP Query User{DAD976BA-862A-48B3-9D37-24CA6B78D77C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2884C220-188B-49A9-85B5-FD153A66C8B9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B198D27E-73C3-47F7-AD53-3DDF00EB89C2}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImLc.exe:IncrediMail
"{B67E0675-427F-41B7-B2BC-16454EAE9BED}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImLc.exe:IncrediMail
"{A8974B9D-1240-40FE-B31D-40BD4205201C}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImPackr.exe:IncrediMail
"{2FD7DAE2-7AC3-4BA9-A1FE-3C479468EB70}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImPackr.exe:IncrediMail
"{79989C2A-7482-4EA1-89C8-23C867C36278}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{4C225B18-DEDB-4B83-83F2-5818331AE89F}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{5E224F79-B425-4FEF-8200-E315EF95FAD2}"= UDP:C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe:Conflict: Denied Ops
"{F76B08C3-17A6-4503-B07E-68F505B819EB}"= TCP:C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe:Conflict: Denied Ops
"{3919F47A-315E-4A1A-AE2D-CB497AB374F7}"= UDP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{9CB2A16A-B461-4463-B700-969FC5DA21B6}"= TCP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{08663E7B-9A74-4178-B51F-CD6DC4B93AE5}"= UDP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{E446B26B-75B5-454E-90D8-1020A6069D19}"= TCP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{BF199DD6-2D8C-44E5-A285-8519DAF58E20}"= C:\Program Files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express
"TCP Query User{46FC2F39-4F27-4B3C-8A3A-E8B3EDCB5346}C:\\program files\\java\\jre6\\bin\\java.exe"= UDP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{5B44DA43-2916-4B9E-955E-DBFF70ABB30E}C:\\program files\\java\\jre6\\bin\\java.exe"= TCP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{53EAAC54-3AF8-45A2-BE1A-A622AC53325E}"= C:\Program Files\AVG\AVG8\avgam.exe:avgam.exe
"{08B691AD-A3ED-484A-B1F1-5635448B369E}"= C:\Program Files\AVG\AVG8\avgdiag.exe:avgdiag.exe
"{2B34CCA0-99CA-445C-8A0E-5A99A30F6AA5}"= C:\Program Files\AVG\AVG8\avgdiagex.exe:avgdiagex.exe
"{E0639972-B2C8-422B-9CC3-468E86F5D5D0}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{AC1EAA2F-0AAD-4A8D-9071-18D9A1755680}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{2E32CCCC-AE8F-49DB-829F-07F9684AA664}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{29A944B8-D27D-4B81-A967-5AC4F1CC75C6}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:UDP:C:\program files\zattoo\zattoo2.exe:
"UDP Query User{43430C6B-25C6-4316-9ABD-3800ECA17B02}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:TCP:C:\program files\zattoo\zattoo2.exe:
"TCP Query User{53939F42-4C07-4493-A92B-D9F2E87D579B}C:\\program files\\zattoo\\zattoo.exe"= Disabled:UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{BA4C9F24-DED7-4B80-B7DF-6D9A49630BAF}C:\\program files\\zattoo\\zattoo.exe"= Disabled:TCP:C:\program files\zattoo\zattoo.exe:
"TCP Query User{E9E39D17-6D30-4020-8456-057DA4491D0A}C:\\program files\\zattoo\\zattood.exe"= Disabled:UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{FCD80E81-DC3C-4641-9468-30DB22CB61ED}C:\\program files\\zattoo\\zattood.exe"= Disabled:TCP:C:\program files\zattoo\zattood.exe:zattood
"TCP Query User{3B1EC8F4-25DE-420C-A4C4-491DE8EDC2D4}C:\\program files\\zattoo\\zattoo.exe"= Disabled:UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{E9A85774-5328-4AC5-AC4E-2F05D13BCC87}C:\\program files\\zattoo\\zattoo.exe"= Disabled:TCP:C:\program files\zattoo\zattoo.exe:
"{7510586A-F97F-4E24-9C91-9A0C3020CAE6}"= UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{E38E9C52-EE42-42C8-8505-47871BC470F2}"= TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{5F2E4C05-3198-493D-BBFB-393B7A09B4E9}"= UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{C355A61B-7416-4AB6-9865-30A88A4C2B93}"= TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"TCP Query User{CDFA3DEA-02B7-458E-B041-02FD31704577}C:\\program files\\thq\\company of heroes\\reliccoh.exe"= Disabled:UDP:C:\program files\thq\company of heroes\reliccoh.exe:RelicCOH
"UDP Query User{4CB0BAC7-816F-492C-8B24-4259B419C8A3}C:\\program files\\thq\\company of heroes\\reliccoh.exe"= Disabled:TCP:C:\program files\thq\company of heroes\reliccoh.exe:RelicCOH
"TCP Query User{7140D20F-0CEA-4CD6-B698-F2E3CA1FFB8C}C:\\program files\\zattoo\\zattood.exe"= Disabled:UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{53654654-A298-4A06-9589-DE66A4EB8E42}C:\\program files\\zattoo\\zattood.exe"= Disabled:TCP:C:\program files\zattoo\zattood.exe:zattood
"{BA701B04-5F72-423C-9A13-48522E8E2254}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{9F8E78EA-EBD2-49F8-8B16-36C641E32BA9}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{E832E931-2A48-4685-8BCB-1B0FDEFA18CE}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{26FA698A-C492-4EC4-B4E2-86495C99624B}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPMate\\ppmate.exe"= C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate
"C:\\Program Files\\PPMate\\ppamnet.exe"= C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R3 athena;athena;C:\Windows\system32\DRIVERS\athena.sys [2006-11-09 09:29:12 110336]
R3 AVGIDSDriver;AVGIDSDriver;C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSDriver.sys [2009-02-26 10:46:56 121352]
R3 AVGIDSFilter;AVGIDSFilter;C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSFilter.sys [2009-02-26 10:46:56 30216]
R3 AVGIDSShim;AVGIDSShim;C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_VISTA\AVGIDSShim.sys [2009-02-26 10:46:56 29136]
R3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS [2009-02-19 08:42:26 198168]
R3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS [2009-02-19 08:43:50 1353240]
R3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS [2009-02-19 08:43:10 73752]
R3 DCamUSBET;ET USB 2750 Camera;C:\Windows\system32\DRIVERS\etDevice.sys [2008-03-01 00:38:36 131712]
R3 FiltUSBET;ET USB Device Lower Filter;C:\Windows\system32\DRIVERS\etFilter.sys [2008-06-12 18:02:42 183168]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32\drivers\ha20x22k.sys [2009-02-19 08:54:48 1222680]
R3 ScanUSBET;ET USB Still Image Capture Device;C:\Windows\system32\DRIVERS\etScan.sys [2007-09-07 18:43:56 6656]
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\Windows\system32\DRIVERS\sis163u.sys [x]
R3 SndTAudio;SndTAudio;C:\Windows\system32\drivers\SndTAudio.sys [2008-11-11 14:05:16 23096]
R3 SndTVideo;SndTVideo;C:\Windows\system32\DRIVERS\SndTVideo.sys [2008-11-11 14:05:18 3768]
R4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-10 18:48:15 908568]
R4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-10 18:48:20 298776]
R4 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2009-05-10 18:48:16 1366904]
R4 AVGIDSAgent;AVGIDSAgent;C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
R4 AVGIDSWatcher;AVGIDSWatcher;C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 10:46:22 563720]
S0 AVGIDSErHr;AVGIDSErHr;C:\Windows\System32\Drivers\AVGIDSErHr.sys [2009-02-26 10:46:56 25608]
S0 AvgRkx86;avgrkx86.sys;C:\Windows\System32\Drivers\avgrkx86.sys [2009-05-10 18:48:14 12552]
S0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [2009-03-09 19:06:56 64160]
S1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6x.sys [2009-05-10 18:48:17 23832]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\System32\Drivers\avgldx86.sys [2009-05-10 18:48:28 325896]
S1 AvgTdiX;AVG8 Network Redirector;C:\Windows\System32\Drivers\avgtdix.sys [2009-05-10 18:48:24 108552]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-02 19:42:32 41456]
S2 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys [2008-12-08 16:01:52 55264]
S2 fsssvc;Windows Live Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 17:08:58 533360]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 19:06:55 951632]
S3 b57nd60x;%SvcDispName%;C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 04:25:04 179712]
S3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.SYS [2009-02-19 08:42:26 198168]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.SYS [2009-02-19 08:43:50 1353240]
S3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.SYS [2009-02-19 08:43:10 73752]
S3 physX32;physX32;C:\Windows\system32\DRIVERS\physX32.sys [2007-09-13 06:43:00 120320]
S3 tenCapture;tenCapture;C:\Windows\system32\DRIVERS\tenCapture.sys [2007-04-21 14:15:42 9344]


--- Other Services/Drivers In Memory ---

*Deregistered* - {95808DC4-FA4A-4C74-92FE-5B863F82066B}
*Deregistered* - AFD
*Deregistered* - Avgfwfd
*Deregistered* - AVGIDSErHr
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - crcdisk
*Deregistered* - CT20XUT.SYS
*Deregistered* - CTEXFIFX.SYS
*Deregistered* - CTHWIUT.SYS
*Deregistered* - ctprxy2k
*Deregistered* - ctsfm2k
*Deregistered* - CVPNDRVA
*Deregistered* - DfsC
*Deregistered* - DNE
*Deregistered* - DXGKrnl
*Deregistered* - Ecache
*Deregistered* - emupia
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - fssfltr
*Deregistered* - fvevol
*Deregistered* - ha20x2k
*Deregistered* - HTTP
*Deregistered* - iScsiPrt
*Deregistered* - kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lbd
*Deregistered* - lltdio
*Deregistered* - LVPr2Mon
*Deregistered* - LVUSBSta
*Deregistered* - mouclass
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVR0Dev
*Deregistered* - nvraid
*Deregistered* - nvstor
*Deregistered* - ossrv
*Deregistered* - Pcouffin
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - RDPWD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - sptd
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - TDTCP
*Deregistered* - tdx
*Deregistered* - tssecsrv
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - udfs
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000
*Deregistered* - ws2ifsl

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile      REG_MULTI_SZ         wcescomm rapimgr
LocalServiceRestricted      REG_MULTI_SZ         WcesComm RapiMgr
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e93f610-3888-11dd-b1e2-001aa0d8fac4}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL O:\Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10faf08e-002b-11de-ac78-806e6f6e6963}]
\shell\AutoRun\command - H:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 C:\Windows\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06:56 . 2009-03-09 19:06:56]

2009-04-14 C:\Windows\Tasks\GBMPro6 Task - New Backup Job.job
- C:\Program Files\Genie-Soft\GBMPro 6.0\GBMPro.exe [2008-08-03 20:13:25 . 2005-05-15 12:58:50]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)


.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 192.168.0.102:808
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: C:\Windows\system32\wpclsp.dll
DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} - hxxp://86.144.102.131:8085/IPCamPluginMJPEG.cab
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://danid.dk/csp/authenticode/digitalsignatur-csp.exe
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 08:52:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

(This is not a cut-and-paste error; the log stops here.)
****************************************************************************************************

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:43, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://86.144.102.131:8085/IPCamPluginMJPEG.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://danid.dk/csp/authenticode/digitalsignatur-csp.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 9279 bytes
***************************************************************************************************************

Malwarebytes' Anti-Malware 1.36
Database version: 2131
Windows 6.0.6001 Service Pack 1

15/05/2009 07:04:14
mbam-log-2009-05-15 (07-04-14).txt

Scan type: Quick Scan
Objects scanned: 86205
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Hope this is ok-

Chris
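The ComboFix output above shows both firewall profiles with `EnableFirewall` set to 0 and a long list of rules and authorized applications. Reading that by eye is error-prone, so here is an added Python example (not ComboFix's code and not part of the thread) that parses the firewall-policy section in the form ComboFix prints it and reports which profiles have the Windows Firewall switched off and which programs have been allowed through it. The sample input is constructed from lines in the log; the `FirewallRules` section header is assumed, since it sits above the quoted excerpt.

```python
"""Added example: summarise the firewallpolicy section of a ComboFix log."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, copied from the log posted in the thread. The
# FirewallRules header is assumed: it lies above the excerpt quoted here.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7510586A-F97F-4E24-9C91-9A0C3020CAE6}"= UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{BF199DD6-2D8C-44E5-A285-8519DAF58E20}"= C:\Program Files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express
"TCP Query User{29A944B8-D27D-4B81-A967-5AC4F1CC75C6}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:UDP:C:\program files\zattoo\zattoo2.exe:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\PPMate\\ppmate.exe"= C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate
"C:\\Program Files\\PPMate\\ppamnet.exe"= C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Vista FirewallRules value as ComboFix prints it:
#   [Disabled:][TCP|UDP:]<path>:<description>
RULE_RE = re.compile(
    r"^(?:(?P<disabled>Disabled):)?(?:(?P<proto>TCP|UDP):)?"
    r"(?P<path>[A-Za-z]:[^:]*):(?P<desc>.*)$")
# XP-style AuthorizedApplications\List value:
#   <path>:<scope>:Enabled|Disabled:<description>
AUTHAPP_RE = re.compile(
    r"^(?P<path>[A-Za-z]:[^:]*):(?P<scope>[^:]*):(?P<status>Enabled|Disabled):(?P<desc>.*)$")


@dataclass
class Allowed:
    path: str
    proto: str    # "TCP", "UDP" or "any"
    source: str   # "FirewallRules" or "AuthorizedApplications"


@dataclass
class FirewallReport:
    disabled_profiles: List[str] = field(default_factory=list)
    allowed: List[Allowed] = field(default_factory=list)
    disabled_rules: int = 0


def parse_firewall_policy(text: str) -> FirewallReport:
    """Walk the dump section by section, keeping only firewallpolicy keys."""
    rep = FirewallReport()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        if "firewallpolicy" not in section:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if name.lower() == "enablefirewall":
            # ComboFix prints a zero REG_DWORD as "0 (0x0)"; the profile
            # name is the last path component of the key.
            if data.split()[0] == "0":
                rep.disabled_profiles.append(section.rsplit("\\", 1)[-1])
        elif section.endswith("authorizedapplications\\list"):
            m = AUTHAPP_RE.match(data)
            if m and m.group("status") == "Enabled":
                rep.allowed.append(Allowed(m.group("path"), "any", "AuthorizedApplications"))
        else:
            m = RULE_RE.match(data)
            if not m:
                continue
            if m.group("disabled"):
                rep.disabled_rules += 1
            else:
                rep.allowed.append(Allowed(m.group("path"), m.group("proto") or "any", "FirewallRules"))
    return rep


def summarize(rep: FirewallReport) -> List[str]:
    """Human-readable lines a responder can paste into a case note."""
    lines = ["firewall disabled on: " + (", ".join(rep.disabled_profiles) or "no profile")]
    lines += [f"allowed ({a.proto}, {a.source}): {a.path}" for a in rep.allowed]
    lines.append(f"rules present but disabled: {rep.disabled_rules}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_firewall_policy(SAMPLE)):
        print(line)
```

The point of separating the `EnableFirewall` values from the rule list is that a rule allowing a program through means nothing while the profile itself is off; the first line of the summary answers whether the firewall was doing anything at all when the logs were taken, and the rest lists what would be exposed once it is turned back on.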
LVL 3

Expert Comment

by:bleech677
ID: 24394983
Does this PC get strange security warnings and pop ups?

ppamnet.exe does not look legit - seems like it is something that can (and did) turn off your firewall to communicate with the outside. Seems like this PC is part of some botnet because it is listening for connections on TCP and UDP. It also can run other bad things and hijack processes.

The first thing you want to do is run a boot-time AV scan, either Avast or a live CD - you may have to scan a few times.

After that run HJT and re-post the log.

BTW, this computer has a ton of junk installed on it.

Are you using AVG and NOD32?
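When the fresh HijackThis log comes back, the useful question is what changed since the previous one. This added Python script (not from the thread and not Trend Micro's code) parses two HijackThis logs into their R/O entries plus the "Running processes" block and reports what was added and what disappeared. It normalises process paths to lower case (the two logs in this thread spell Explorer.EXE differently) and collapses the repeated O10 lines so they do not show up as noise. The sample logs are constructed from a handful of lines taken from the two logs posted in the thread.

```python
"""Added example: diff two HijackThis logs (entries and running processes)."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed samples: a few lines from each of the two logs in the thread.
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:43, on 15/05/2009

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:24, on 15/05/2009

Running processes:
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# HijackThis entry lines look like "O4 - HKLM\..\Run: [...] path" or "R1 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFOP]\d{1,2})\s+-\s+(?P<body>.*)$")

Entry = Tuple[str, str]   # (section, body); section "proc" for running processes


def parse_hjt(text: str) -> Counter:
    """Count every entry so that repeated lines (the O10 block) collapse to one key."""
    entries: Counter = Counter()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            entries[("proc", line.lower())] += 1   # paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group("sec"), m.group("body").strip())] += 1
    return entries


def diff_hjt(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed) entries, each sorted by section then body."""
    b, a = parse_hjt(before), parse_hjt(after)
    added = sorted(k for k in a if k not in b)
    removed = sorted(k for k in b if k not in a)
    return added, removed


def new_autoruns(added: List[Entry]) -> List[str]:
    """The O4 (autostart) entries among the additions: first thing to check."""
    return [body for sec, body in added if sec == "O4"]


def report(added: List[Entry], removed: List[Entry]) -> List[str]:
    return ([f"+ {sec}: {body}" for sec, body in added]
            + [f"- {sec}: {body}" for sec, body in removed])


if __name__ == "__main__":
    added, removed = diff_hjt(BEFORE, AFTER)
    for line in report(added, removed):
        print(line)
```

Running it on the two full logs from this thread is the same call with the complete text in `BEFORE` and `AFTER`; the new online-scanner entries (O9 `bdoscandel.exe`, the Trend Micro and BitDefender O16 controls) are explained by the scans the poster ran, which leaves any other new O4 or O23 entry as the thing to look up before deciding whether the machine is clean.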
LVL 16

Expert Comment

by:warturtle
ID: 24396533
Yes, there are a couple of infections that I can see as well, but I would ask you to scan your PC with either TrendMicro HouseCall based at: http://housecall.trendmicro.com/ or BitDefender Online Scanner based at http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html

The above 2 scans will also remove any infections present on your PC. Sometimes, a virus can have the same name as a legitimate file and at such times, online scanners can be quite helpful in making sure that we don't delete the legitimate file. They will point out the malicious files and we will remove them (unless they can't do it themselves).

Author Comment

by:ChrisDriven
ID: 24398990
Hi again,
I found a folder called ESET on the C:\ drive; I could not delete it because it was in use. I got rid of it by booting to a command prompt. There is a lot of junk on the PC. I have found around 11 different "viewing programmes" for watching live football; I have deleted all of them. PPAMNET.exe was one of these.
OK, I ran BitDefender twice. The first time it found:

Infected Files: 1
Virus Detected: Trojan.Generic.391361 (1)

I rebooted and ran it again, and it found nothing. Trend Micro's HouseCall was still running after 3 hours so I gave up on that.

Here is the Hijack this log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:24, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://86.144.102.131:8085/IPCamPluginMJPEG.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://danid.dk/csp/authenticode/digitalsignatur-csp.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 10622 bytes


Good hunting :-)

Chris
0
 
LVL 3

Expert Comment

by:bleech677
ID: 24399073
First off -

you have a trojan proxy still running locally on port 808

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
0
 
LVL 3

Accepted Solution

by:
bleech677 earned 250 total points
ID: 24399136
Give spybot a shot - the realtime monitoring is decent - it will give you warning anytime there is a registry change.

And as for the proxy trojan, it may or may not be running - I'd expect one more entry in there from it but don't see it - get rid of the keys I mentioned anyway.

This log is painful to look at ;) I didn't know realplayer was still in business
0
 
LVL 3

Expert Comment

by:bleech677
ID: 24399143
Also - keep in mind the boot time scan - this will kill anything before it can load itself into memory
0
 
LVL 23

Expert Comment

by:phototropic
ID: 24401632
ChrisDriven,

I would have HJT fix this entry:

O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe

Then I would try downloading a fresh (not re-named) copy of Combofix and run another scan.  Please post the log here.

warturtle,

On 13th. May ( ID: 24378966 ) I posted the following:

"...Try renaming Mbam BEFORE you download it.
Please post a current HJT scan log.
You could also try running an online scan:

http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/

Good luck!!!..."

Please don't duplicate posts.

0
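An added example, not from this thread or from HijackThis itself: a small Python triage of HJT log lines in the shape quoted above. It flags an R1 ProxyServer that points anywhere other than the local machine (the 192.168.0.102:808 entry bleech677 called out), an HKCU Run entry launching a binary from system32 (the Winudate32.exe entry phototropic would fix), AppInit_DLLs, and unknown Winsock LSP files. The sample lines are constructed from entries in this thread; the heuristics are the example's own, not HijackThis rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: HijackThis lines shaped like the ones posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

@dataclass
class Finding:
    kind: str    # proxy | autorun | appinit | lsp
    detail: str

def _proxy_is_remote(proxy: str) -> bool:
    """True when the proxy host is not this machine; a LAN or remote proxy on a home PC needs review."""
    host = proxy.rsplit(":", 1)[0]
    if host.lower() == "localhost":
        return False
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # a name we cannot classify still deserves a look

def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    lsp_files: set[str] = set()  # HJT repeats one LSP file per protocol entry; report it once
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROXY_RE.match(line):
            if _proxy_is_remote(m["proxy"]):
                findings.append(Finding("proxy", f"browser proxy set to {m['proxy']}"))
        elif m := RUN_RE.match(line):
            # Heuristic: a per-user (HKCU) autostart that runs a binary out of the
            # system directory is unusual; real system components register under HKLM.
            if m["hive"] == "HKCU" and "\\system32\\" in m["path"].lower():
                findings.append(Finding("autorun", f"[{m['name']}] -> {m['path']}"))
        elif m := LSP_RE.match(line):
            lsp_files.add(m["path"].lower())
        elif m := APPINIT_RE.match(line):
            findings.append(Finding("appinit", m["dlls"]))  # always worth verifying the DLL's owner
    findings.extend(Finding("lsp", p) for p in sorted(lsp_files))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.detail}")
```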
 
LVL 16

Expert Comment

by:warturtle
ID: 24402117
@phototropic

Sorry, Bud. Didn't see the original post because it was way up there...my bad!

@chrisdriven

Could you please upload the below files on www.virustotal.com and let us know if they're being flagged as infections?

C:\Windows\system32\drivers\czvqaigs.sys
C:\Users\EmmaOgAndreas\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\system32\PDMSetup.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\regplib.exe
C:\Program Files\CyberLink\PowerDVD\000.fcl
O:\Info.exe

And you said that AVG flagged 11 rootkits in the scan but was unable to delete them. Are you able to upload the avg.txt file that you mentioned initially, so that we can see what files are being flagged as rootkits?
0
