ChrisDriven
asked on
Need help after removing Malware
Hi Experts,
I have spent the past 2 nights with my friend's PC trying to get rid of some bad spyware/malware and a few trojans. The PC (Vista x86) cannot run Malwarebytes, it just comes up with a "stopped working" error; the same goes for Vundofix, which says it's not a valid Win32 app. Combofix starts and then closes with a "stopped working" popup.
Ad-aware Free found Virtumonde and removed it (maybe). LSP-Fix finds no errors. Ad-aware finds nothing now, just some cookies, and the ESET online scan comes up with nothing. Now to the problems :-)
AVG finds 11 rootkits (see AVG.txt) but cannot remove them (access denied).
The CD-ROM drive and the DVD-RW drive both run fine after inserting a disk, but I cannot burn to the DVD-RW because it says there may be files ready to write to it. The CD drive gives the same "currently in use" message if, in Explorer, I right-click and click Eject.
I have attached the HijackThis log; maybe there is something there that can point one of you in the right direction (which is helping me to fix the CD-ROM and the DVD-RW).
Thanks for your time.
Chris
I would try booting from a Live CD such as Ultimate Boot CD 4 Win and running Antivirus.
Try renaming Mbam BEFORE you download it.
Please post a current HJT scan log.
You could also try running an online scan:
http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/
Good luck!!!
Your log file didn't post.
Malwarebytes should remove this threat. If not, Combofix (as you stated) will. But the instructions for Combofix must be followed.
Note: ComboFix should not be run in Safe Mode, unless that is the only mode the affected system will boot to.
If you have not updated Malwarebytes please do so and then boot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
As for HiJackThis you can post it for free analysis here or at
www.hijackthis.de
You are primarily looking for items marked with red X's.
You can get a brief overview of Hijackthis here:
http://www.bleepingcomputer.com/tutorials/tutorial42.html
If after running any of the suites above you find that your internet connection fails (is broken) please perform the following steps.
Restart your computer and test your internet connection.
If it does not work, then click Start -> Settings -> Control Panel.
Select Network Connections. Locate your connection and right-click on it.
In the menu click the Repair option. When the repair process has finished, your connection should be working again. Reboot to test.
You may also have some success by logging on to the affected system under a different profile. Some malware only affects the profile that it was loaded under.
David
You need to rename ComboFix before downloading or transferring it to the infected computer. If you rename it after transferring it to the infected computer, the virus might not let the file execute. This is why you are looking at a window that flashes for a second and then disappears.
Download ComboFix again and save it as jabba.exe or some completely different name and then execute it. Let us have the ComboFix log. Running MalwareBytes right after ComboFix finishes will give you good results with Vundo.
Hope that helps.
ASKER
Hi all,
Thanks for the suggestions, I will check things out after work and report back a.s.a.p.
Chris
Live CD boot sounds like a good idea; a similar solution would be to load an AV that has a boot-time scan, like Avast. This has fixed many persistent problems for me.
ASKER
Hi again, here's an update:
Downloaded, renamed and ran combofix: log attached.
Ran Mbam, log attached.
Hijackthis log attached
Everything went well; combofix found and removed the 11 or so rootkits that AVG was finding. I thought that everything was fine, then I started Internet Explorer! The $_ _T hit the fan there. IE started to restore the last session, a lot of windows all with http:// www.fulldotfind.com/pubac/ac.php?aid=11&sid=v3076 in them; they kept coming, and eventually IE was closed down by Vista. I have no idea where to go from here.
I cannot seem to attach any files, it says uploading and then nothing appears. I will upload them somewhere else.
Thanks again for all of your time.
Chris
ASKER
http://uploading.com/files/FL2WUU6V/ComboFix.txt.html
http://uploading.com/files/80TPDAOQ/hijackthis.log.html
http://uploading.com/files/E7Q1GDLE/mbam-log-2009-05-15 (07-04-14).txt.html
Hijackthis log from 2 days ago (before combofix and Mbam ran) http://uploading.com/files/478MC8ZV/hijackthis1.log.html
Chris
Thanks for uploading those files on Uploading, Chris. I have tried to download them, but every time I wait for the 90 seconds to pass and then click on 'Free Download', it comes back to the original webpage; I click on 'Download Now' and then it goes back to the 90-second timer.
Are you able to post the ComboFix log in the body of the message? And the other logs as well?
ASKER
Ok, will do.
Combofix Log:
ComboFix 09-05-13.02 - Lars 15/05/2009 8:19:18.3 - NTFSx86
Running from: C:\Users\Lars\Desktop\komix.exe
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\TEMP\logishrd\LVPrcInj01.dll
.
(((((((((((((((((((((((((   Files Created from 2009-04-15 to 2009-05-15   )))))))))))))))))))))))))))))))
.
2009-05-14 18:48:50 . 2009-05-14 18:48:50 0 d-----w C:\ProgramData\Nero
2009-05-14 18:48:50 . 2009-05-14 18:49:24 0 d-----w C:\Program Files\Common Files\Ahead
2009-05-14 17:50:16 . 2009-05-14 17:50:16 0 d-----w C:\Windows\log
2009-05-14 14:11:24 . 2009-05-14 15:28:56 0 d-----w C:\Program Files\MALWAREBYTES ANTI-MALWARE
2009-05-13 18:33:34 . 2009-05-13 18:33:34 14152 ----a-w C:\Windows\system32\drivers\PROCEXP113.SYS
2009-05-12 20:31:44 . 2009-05-12 20:31:44 0 d-----w C:\Users\Lars\AppData\Local\Ahead
2009-05-12 19:49:46 . 2009-03-09 19:06:57 15688 ----a-w C:\Windows\system32\lsdelete.exe
2009-05-12 19:45:43 . 2009-03-09 19:06:56 64160 ----a-w C:\Windows\system32\drivers\Lbd.sys
2009-05-12 19:45:30 . 2009-05-13 18:16:47 0 dc-h--w C:\ProgramData\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-12 19:45:23 . 2009-05-12 19:45:23 0 d-----w C:\Program Files\Lavasoft
2009-05-12 19:45:23 . 2009-05-12 19:45:46 0 d-----w C:\ProgramData\Lavasoft
2009-05-12 15:40:16 . 2009-05-12 15:40:16 0 d-----w C:\Users\Lars\AppData\Roaming\Lavasoft
2009-05-11 05:28:11 . 2009-05-11 05:28:11 262144 ----a-w C:\ntuser.dat
2009-05-10 21:52:25 . 2009-05-10 21:52:28 0 d-----w C:\Program Files\CleanUp!
2009-05-10 14:29:43 . 2009-05-13 19:06:25 0 d--h--w C:\$AVG8.VAULT$
2009-05-10 14:08:53 . 2009-05-10 14:08:53 0 d-----w C:\ProgramData\Downloaded Installations
2009-05-10 14:08:42 . 2009-05-10 18:48:28 11952 ----a-w C:\Windows\system32\avgrsstx.dll
2009-05-10 14:08:42 . 2009-05-10 18:48:14 12552 ----a-w C:\Windows\system32\drivers\avgrkx86.sys
2009-05-10 14:08:41 . 2009-05-10 18:48:24 108552 ----a-w C:\Windows\system32\drivers\avgtdix.sys
2009-05-10 14:08:37 . 2009-05-10 18:48:28 325896 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2009-05-10 14:08:35 . 2009-05-14 15:53:20 0 d-----w C:\Windows\system32\drivers\Avg
2009-05-10 14:08:26 . 2009-05-10 18:48:17 23832 ----a-w C:\Windows\system32\drivers\avgfwd6x.sys
2009-05-10 14:08:26 . 2009-05-10 14:08:26 0 d-----w C:\Program Files\AVG
2009-05-10 14:08:26 . 2009-05-12 22:26:03 0 d-----w C:\ProgramData\avg8
2009-05-10 09:00:40 . 2009-05-10 13:46:51 0 d-----w C:\Program Files\Spybot - Search & Destroy
2009-05-09 06:49:44 . 2009-05-09 06:50:13 0 d-----w C:\Windows\BDOSCAN8
2009-05-07 22:31:40 . 2009-05-07 22:31:41 28320 ----a-w C:\Windows\system32\drivers\czvqaigs.sys
2009-05-07 20:25:44 . 2009-05-07 20:25:44 47360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2009-05-07 20:25:44 . 2009-05-07 20:25:44 47360 ----a-w C:\Users\Lars\AppData\Roaming\pcouffin.sys
2009-05-07 20:25:40 . 2006-09-29 11:24:48 217127 ----a-w C:\Windows\system32\drv43260.dll
2009-05-07 20:25:40 . 2006-09-29 11:25:38 208935 ----a-w C:\Windows\system32\drv33260.dll
2009-05-07 20:25:40 . 2006-09-29 11:26:22 176165 ----a-w C:\Windows\system32\drv23260.dll
2009-05-07 20:25:40 . 2007-03-18 19:37:12 65602 ----a-w C:\Windows\system32\cook3260.dll
2009-05-07 20:25:40 . 2006-05-11 18:21:00 626688 ----a-w C:\Windows\system32\vp7vfw.dll
2009-05-07 20:25:40 . 2006-05-20 15:16:00 1184984 ----a-w C:\Windows\system32\wvc1dmod.dll
2009-05-07 20:25:40 . 2004-05-04 10:53:40 1645320 ----a-w C:\Windows\gdiplus.dll
2009-05-03 04:27:58 . 2009-05-03 04:27:58 0 d-----w C:\Program Files\Elaborate Bytes
2009-05-02 07:47:11 . 2009-05-02 07:51:28 0 d-----w C:\Users\Lars\AppData\Roaming\dvdcss
2009-05-02 07:46:45 . 2009-05-02 07:51:43 0 d-----w C:\Users\Lars\AppData\Roaming\vlc(144)
2009-05-01 23:05:26 . 2009-05-01 23:05:26 0 d-----w C:\Users\Lars\AppData\Local\PowerDVD Cinema
2009-05-01 23:01:54 . 2009-05-01 23:01:54 0 d-----w C:\Program Files\Common Files\CyberLink
2009-04-30 20:45:16 . 2009-05-08 22:22:43 0 d-----w C:\Program Files\Combined Community Codec Pack
2009-04-30 20:44:44 . 2009-04-30 20:44:45 0 d-----w C:\Program Files\AC3Filter
2009-04-30 17:33:20 . 2009-04-30 17:33:20 0 d-----w C:\Users\Lars\AppData\Local\SupportSoft
2009-04-28 15:15:19 . 2009-04-28 15:15:19 0 d-----w C:\Program Files\Daniusoft
2009-04-21 09:35:00 . 2009-04-21 09:38:04 0 d-----w C:\iPAQ
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 06:44:41 . 2007-10-26 09:19:39 92362 ----a-w C:\Windows\system32\perfc006.dat
2009-05-15 06:44:41 . 2007-10-26 09:19:39 502388 ----a-w C:\Windows\system32\perfh006.dat
2009-05-15 04:57:56 . 2007-10-24 21:29:49 8376 ----a-w C:\Users\Lars\AppData\Local\d3d9caps.dat
2009-05-14 15:28:56 . 2009-05-14 14:16:49 0 d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-05-13 01:00:16 . 2006-11-02 11:18:33 0 d-----w C:\Program Files\Windows Mail
2009-05-13 00:10:53 . 2008-10-19 14:54:09 8224 ----a-w C:\Users\EmmaOgAndreas\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-10 19:44:31 . 2008-01-28 21:55:15 0 d-----w C:\Program Files\Fake Voice
2009-05-10 14:49:22 . 2008-04-02 18:55:25 0 d-----w C:\Program Files\PPMate
2009-05-10 14:08:31 . 2006-11-02 10:25:05 86016 ----a-w C:\Windows\inf\infstor.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05 86016 ----a-w C:\Windows\inf\infpub.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05 143360 ----a-w C:\Windows\inf\infstrng.dat
2009-05-10 08:37:38 . 2008-10-23 16:39:23 0 d-----w C:\Users\Lars\AppData\Roaming\SUPERAntiSpyware.com
2009-05-10 08:37:38 . 2007-11-10 12:28:06 0 d-----w C:\Program Files\SUPERAntiSpyware
2009-05-10 08:36:50 . 2007-10-25 02:24:10 0 d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-05-07 21:41:17 . 2007-10-26 09:42:50 0 d-----w C:\Program Files\ESET
2009-05-07 20:25:41 . 2009-01-29 13:11:45 0 d-----w C:\Program Files\VSO
2009-05-06 21:04:59 . 2007-10-28 14:53:53 112048 ----a-w C:\Users\Camilla\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-06 21:00:10 . 2007-10-24 21:30:11 112048 ----a-w C:\Users\Lars\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-05 18:46:33 . 2007-10-28 15:36:13 0 d-----w C:\Program Files\Microsoft Works
2009-05-04 20:20:23 . 2007-10-25 04:05:26 0 d--h--w C:\Program Files\InstallShield Installation Information
2009-05-04 20:19:50 . 2008-11-19 20:26:10 0 d-----w C:\Program Files\Veetle
2009-05-03 04:08:19 . 2007-10-26 20:25:48 0 d-----w C:\Program Files\CyberLink
2009-04-21 09:38:08 . 2007-12-20 18:00:36 0 d-----w C:\Program Files\HP
2009-04-10 17:40:42 . 2008-03-21 10:06:49 0 d-----w C:\Program Files\DVD Shrink
2009-04-06 13:32:54 . 2009-05-14 14:16:50 38496 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32:46 . 2009-05-14 14:16:52 15504 ----a-w C:\Windows\system32\drivers\mbam.sys
2009-04-04 19:11:00 . 2007-10-28 10:27:40 0 d-----w C:\Program Files\Common Files\Adobe
2009-04-02 20:35:44 . 2009-04-02 20:35:44 0 d-----w C:\Program Files\CLICK
2009-04-01 19:39:22 . 2009-04-01 19:39:21 0 d-----w C:\Program Files\Common Files\Deterministic Networks
2009-04-01 15:10:29 . 2008-02-28 23:08:58 0 d-----w C:\Program Files\THQ
2009-03-31 14:14:50 . 2008-05-31 18:10:19 181192 ---ha-w C:\Windows\system32\mlfcache.dat
2009-03-28 09:32:22 . 2009-03-28 09:32:22 0 d-----w C:\Program Files\QuickPar
2009-03-17 15:44:57 . 2007-10-26 20:28:41 0 d-----w C:\Program Files\Google
2009-03-17 03:38:46 . 2009-04-15 18:07:04 13824 ----a-w C:\Windows\system32\apilogen.dll
2009-03-17 03:38:44 . 2009-04-15 18:07:04 24064 ----a-w C:\Windows\system32\amxread.dll
2009-03-09 17:00:55 . 2009-03-09 17:00:55 0 ----a-w C:\Users\Lars\temp.dat
2009-03-08 11:34:57 . 2009-03-31 19:05:30 914944 ----a-w C:\Windows\system32\wininet.dll
2009-03-08 11:34:28 . 2009-03-31 19:05:33 43008 ----a-w C:\Windows\system32\licmgr10.dll
2009-03-08 11:33:38 . 2009-03-31 19:05:34 18944 ----a-w C:\Windows\system32\corpol.dll
2009-03-08 11:33:17 . 2009-03-31 19:05:31 109056 ----a-w C:\Windows\system32\iesysprep.dll
2009-03-08 11:33:16 . 2009-03-31 19:05:31 109568 ----a-w C:\Windows\system32\PDMSetup.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31 132608 ----a-w C:\Windows\system32\ieUnatt.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31 107520 ----a-w C:\Windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31 107008 ----a-w C:\Windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33:15 . 2009-03-31 19:05:31 103936 ----a-w C:\Windows\system32\SetDepNx.exe
2009-03-08 11:33:04 . 2009-03-31 19:05:32 420352 ----a-w C:\Windows\system32\vbscript.dll
2009-03-08 11:32:54 . 2009-03-31 19:05:34 72704 ----a-w C:\Windows\system32\admparse.dll
2009-03-08 11:32:49 . 2009-03-31 19:05:33 71680 ----a-w C:\Windows\system32\iesetup.dll
2009-03-08 11:32:38 . 2009-03-31 19:05:33 66560 ----a-w C:\Windows\system32\wextract.exe
2009-03-08 11:32:32 . 2009-03-31 19:05:31 169472 ----a-w C:\Windows\system32\iexpress.exe
2009-03-08 11:31:37 . 2009-03-31 19:05:34 34816 ----a-w C:\Windows\system32\imgutil.dll
2009-03-08 11:31:17 . 2009-03-31 19:05:34 48128 ----a-w C:\Windows\system32\mshtmler.dll
2009-03-08 11:31:00 . 2009-03-31 19:05:31 45568 ----a-w C:\Windows\system32\mshta.exe
2009-03-08 11:22:37 . 2009-03-31 19:05:34 156160 ----a-w C:\Windows\system32\msls31.dll
2009-03-03 04:46:01 . 2009-04-15 18:07:22 3599328 ----a-w C:\Windows\system32\ntkrnlpa.exe
2009-03-03 04:46:01 . 2009-04-15 18:07:21 3547632 ----a-w C:\Windows\system32\ntoskrnl.exe
2009-03-03 04:39:36 . 2009-04-15 18:07:20 183296 ----a-w C:\Windows\system32\sdohlp.dll
2009-03-03 04:39:32 . 2009-04-15 18:07:23 551424 ----a-w C:\Windows\system32\rpcss.dll
2009-03-03 04:39:22 . 2009-04-15 18:07:20 26112 ----a-w C:\Windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20 98304 ----a-w C:\Windows\system32\iasrecst.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20 54784 ----a-w C:\Windows\system32\iasads.dll
2009-03-03 04:37:11 . 2009-04-15 18:07:20 44032 ----a-w C:\Windows\system32\iasdatastore.dll
2009-03-03 03:04:59 . 2009-04-15 18:07:21 666624 ----a-w C:\Windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38:13 . 2009-04-15 18:07:20 17408 ----a-w C:\Windows\system32\iashost.exe
2009-02-26 10:46:56 . 2009-02-26 10:46:56 74760 ----a-w C:\Windows\system32\drivers\UniversalDD.sys
2009-02-26 10:46:56 . 2009-02-26 10:46:56 25608 ----a-w C:\Windows\system32\drivers\AVGIDSErHr.sys
2009-02-22 10:48:14 . 2009-02-22 10:02:03 34 ----a-w C:\Users\EmmaOgAndreas\jagex_runescape_preferences.dat
2009-02-19 08:55:20 . 2009-02-19 08:55:20 15384 ----a-w C:\Windows\system32\drivers\pfmodnt.sys
2009-02-19 08:54:48 . 2009-02-19 08:54:48 1222680 ----a-w C:\Windows\system32\drivers\ha20x22k.sys
2009-02-19 08:53:16 . 2009-02-19 08:53:16 1179672 ----a-w C:\Windows\system32\drivers\ha20x2k.sys
2009-02-19 08:52:42 . 2009-02-19 08:52:42 95768 ----a-w C:\Windows\system32\drivers\emupia2k.sys
2009-02-19 08:52:04 . 2009-02-19 08:52:04 159256 ----a-w C:\Windows\system32\drivers\ctsfm2k.sys
2009-02-19 08:51:26 . 2009-02-19 08:51:26 14360 ----a-w C:\Windows\system32\drivers\ctprxy2k.sys
2009-02-19 08:50:46 . 2009-02-19 08:50:46 129560 ----a-w C:\Windows\system32\drivers\ctoss2k.sys
2009-02-19 08:45:16 . 2009-02-19 08:45:16 535320 ----a-w C:\Windows\system32\drivers\ctaud2k.sys
2009-02-19 08:44:40 . 2009-02-19 08:44:40 511000 ----a-w C:\Windows\system32\drivers\ctac32k.sys
2009-02-19 08:43:50 . 2009-02-19 08:43:50 1353240 ----a-w C:\Windows\system32\drivers\CTEXFIFX.sys
2009-02-19 08:43:10 . 2009-02-19 08:43:10 73752 ----a-w C:\Windows\system32\drivers\CTHWIUT.sys
2009-02-19 08:42:26 . 2009-02-19 08:42:26 198168 ----a-w C:\Windows\system32\drivers\CT20XUT.sys
2009-02-19 07:00:14 . 2008-01-15 04:01:40 86016 ----a-w C:\Windows\system32\ctcoinst.dll
2009-02-19 07:00:14 . 2008-01-15 04:01:40 181248 ----a-w C:\Windows\system32\ctdvinst.dll
2009-02-19 06:59:04 . 2009-02-19 06:59:04 14336 ----a-w C:\Windows\system32\a3d.dll
2009-02-19 06:58:38 . 2009-02-19 06:58:38 13312 ----a-w C:\Windows\system32\ac3api.dll
2009-02-19 06:58:02 . 2009-02-19 06:58:02 2560 ----a-w C:\Windows\system32\CtxfiRes.dll
2009-02-19 06:58:00 . 2009-02-19 06:58:00 42496 ----a-w C:\Windows\system32\CTxfiBtn.dll
2009-02-19 06:57:58 . 2009-02-19 06:57:58 39424 ----a-w C:\Windows\system32\CTxfiSpk.dll
2009-02-19 06:57:58 . 2009-02-19 06:57:58 24576 ----a-w C:\Windows\system32\Ctxfihlp.exe
2009-02-19 06:54:06 . 2009-02-19 06:54:06 47104 ----a-w C:\Windows\system32\CTxfiReg.exe
2009-02-19 06:54:02 . 2009-02-19 06:54:02 15360 ----a-w C:\Windows\system32\Ct20xspi.dll
2009-02-19 06:53:56 . 2009-02-19 06:53:56 1212928 ----a-w C:\Windows\system32\CTxfispi.exe
2009-02-19 06:47:06 . 2008-02-21 03:04:18 51787 ----a-w C:\Windows\system32\ctdlang.dat
2009-02-19 06:47:06 . 2008-02-21 03:04:18 384428 ----a-w C:\Windows\system32\ctdnlstr.dat
2009-02-19 06:46:32 . 2009-02-19 06:46:32 201216 ----a-w C:\Windows\system32\ctemupia.dll
2009-02-19 06:43:48 . 2009-02-19 06:43:48 193024 ----a-w C:\Windows\system32\ct_oal.dll
2009-02-19 06:43:44 . 2009-02-19 06:43:44 50688 ----a-w C:\Windows\system32\ctasio.dll
2009-02-19 06:43:36 . 2009-02-19 06:43:36 53248 ----a-w C:\Windows\system32\ctdproxy.dll
2009-02-19 06:42:54 . 2009-02-19 06:42:54 74240 ----a-w C:\Windows\system32\ctosuser.dll
2009-02-19 06:42:52 . 2009-02-19 06:42:52 10240 ----a-w C:\Windows\system32\sfman32.dll
2009-02-19 06:42:50 . 2009-02-19 06:42:50 130560 ----a-w C:\Windows\system32\sfms32.dll
2009-02-19 06:42:44 . 2009-02-19 06:42:44 16384 ----a-w C:\Windows\system32\regplib.exe
2006-11-22 14:58:11 . 2006-11-22 14:58:11 8192 --sha-w C:\Windows\Users\Default\NTUSER.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33:39 202240]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 17:51:28 3885408]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-03-09 11:51:42 243072]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 07:33:09 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 12:11:12 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="C:\Windows\system32\WpcUmi.exe" [2006-11-02 12:33:21 176128]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 05:28:32 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-12-15 21:17:56 136600]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 16:11:48 565008]
"LifeChat"="c:\Program Files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 09:16:56 267296]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 19:34:40 49152]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-01 16:13:26 151552]
"etMonitor"="C:\Windows\etMon.exe" [2007-09-19 20:03:44 102400]
"AVGIDS"="C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 10:46:22 1579528]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-05-10 18:48:25 1947928]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 19:06:55 515416]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 13:57:24 153136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\Windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\Windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UACDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{30471418-D31B-4DEE-9ECA-2CF8DB2FBACC}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{539AD9C6-9097-44F1-B9DA-81B600DB3990}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{9DD004BD-76BC-4F65-ADFE-3017ADE5F65D}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A7FA87C4-ECD0-4FA4-B03E-29F88156EFE8}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{2A8841B5-7D8C-458B-BBF8-E50ADCF4A934}"= Disabled:UDP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{FA38AD53-AF86-4259-B453-FEC9A075B2C3}"= Disabled:TCP:E:\setup\HPZNUI01.EXE:hpznui01.exe
"{F3C41857-8C63-42E3-926C-D6FF2D68F886}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{B822B438-2D5C-442E-B8B6-FEBEF41674EA}C:\\program files\\wol\\wol.exe"= UDP:C:\program files\wol\wol.exe:WOL 1.0.3
"UDP Query User{3A3BA820-6444-40D9-A10F-83DAB35D49E2}C:\\program files\\wol\\wol.exe"= TCP:C:\program files\wol\wol.exe:WOL 1.0.3
"{EC7CD5A0-4118-444B-9806-7C1731ED2FC5}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{5C22172A-D26B-4AE5-93C1-E94825064B35}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"TCP Query User{31383E43-1747-4EF9-BDDE-A48FF7DA446E}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{D6F0886C-DB32-4589-AA34-C2800FC1BE0C}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{571F19BB-CCE1-46F4-9B39-34290497360A}C:\\program files\\ppmate\\ppamnet.exe"= UDP:C:\program files\ppmate\ppamnet.exe:ppmnet Module
"UDP Query User{AF8F77E4-B47A-4ADE-921E-8491C5B90235}C:\\program files\\ppmate\\ppamnet.exe"= TCP:C:\program files\ppmate\ppamnet.exe:ppmnet Module
"{87244075-6D60-4E8F-B51F-731B41786424}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{74864C2D-1A73-4326-975D-C2BFDF8AE8F8}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{504DD735-0A66-4BC3-B021-C5BFFCEA5F25}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{E2CF730D-0AA2-4D35-A671-BF1E7586F3A4}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{46D1E131-150D-4B11-A2DE-E43A958478A0}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1A0CCE22-3738-41B2-B121-6800FDF307BA}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{FBE5EC3C-24D0-42CD-B023-051CD68EF440}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{2BD03585-0CCF-441A-B5DF-7AD36AE3C135}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{1F9A3EAF-C4E2-4C05-A0E0-5C9C530C6FD2}C:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"= UDP:C:\program files\globalscape\cuteftp 8 professional\ftpte.exe:FTP Transfer Engine
"UDP Query User{1DEAE99E-59C2-439D-A2D1-E1831D45E78E}C:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"= TCP:C:\program files\globalscape\cuteftp 8 professional\ftpte.exe:FTP Transfer Engine
"{B9051207-5699-4E3D-A1F6-365E52696223}"= UDP:C:\Program Files\Codemasters\GRID\GRID.exe:GRID
"{5BA757F4-01E3-44DA-AA79-28E465A20412}"= TCP:C:\Program Files\Codemasters\GRID\GRID.exe:GRID
"TCP Query User{DAD976BA-862A-48B3-9D37-24CA6B78D77C}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2884C220-188B-49A9-85B5-FD153A66C8B9}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B198D27E-73C3-47F7-AD53-3DDF00EB89C2}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImLc.exe:IncrediMail
"{B67E0675-427F-41B7-B2BC-16454EAE9BED}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImLc.exe:IncrediMail
"{A8974B9D-1240-40FE-B31D-40BD4205201C}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImPackr.exe:IncrediMail
"{2FD7DAE2-7AC3-4BA9-A1FE-3C479468EB70}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImPackr.exe:IncrediMail
"{79989C2A-7482-4EA1-89C8-23C867C36278}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{4C225B18-DEDB-4B83-83F2-5818331AE89F}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{5E224F79-B425-4FEF-8200-E315EF95FAD2}"= UDP:C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe:Conflict: Denied Ops
"{F76B08C3-17A6-4503-B07E-68F505B819EB}"= TCP:C:\Program Files\Eidos\Conflict Denied Ops\ConflictDeniedOps.exe:Conflict: Denied Ops
"{3919F47A-315E-4A1A-AE2D-CB497AB374F7}"= UDP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{9CB2A16A-B461-4463-B700-969FC5DA21B6}"= TCP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:Call of Duty(R) - World at War(TM)
"{08663E7B-9A74-4178-B51F-CD6DC4B93AE5}"= UDP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{E446B26B-75B5-454E-90D8-1020A6069D19}"= TCP:C:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:Call of Duty(R) - World at War(TM)
"{BF199DD6-2D8C-44E5-A285-8519DAF58E20}"= C:\Program Files\CyberLink\PowerDirector Express\PDX.EXE:CyberLink PowerDirector Express
"TCP Query User{46FC2F39-4F27-4B3C-8A3A-E8B3EDCB5346}C:\\program files\\java\\jre6\\bin\\java.exe"= UDP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{5B44DA43-2916-4B9E-955E-DBFF70ABB30E}C:\\program files\\java\\jre6\\bin\\java.exe"= TCP:C:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{53EAAC54-3AF8-45A2-BE1A-A622AC53325E}"= C:\Program Files\AVG\AVG8\avgam.exe:avgam.exe
"{08B691AD-A3ED-484A-B1F1-5635448B369E}"= C:\Program Files\AVG\AVG8\avgdiag.exe:avgdiag.exe
"{2B34CCA0-99CA-445C-8A0E-5A99A30F6AA5}"= C:\Program Files\AVG\AVG8\avgdiagex.exe:avgdiagex.exe
"{E0639972-B2C8-422B-9CC3-468E86F5D5D0}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{AC1EAA2F-0AAD-4A8D-9071-18D9A1755680}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{2E32CCCC-AE8F-49DB-829F-07F9684AA664}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{29A944B8-D27D-4B81-A967-5AC4F1CC75C6}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:UDP:C:\program files\zattoo\zattoo2.exe:
"UDP Query User{43430C6B-25C6-4316-9ABD-3800ECA17B02}C:\\program files\\zattoo\\zattoo2.exe"= Disabled:TCP:C:\program files\zattoo\zattoo2.exe:
"TCP Query User{53939F42-4C07-4493-A92B-D9F2E87D579B}C:\\program files\\zattoo\\zattoo.exe"= Disabled:UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{BA4C9F24-DED7-4B80-B7DF-6D9A49630BAF}C:\\program files\\zattoo\\zattoo.exe"= Disabled:TCP:C:\program files\zattoo\zattoo.exe:
"TCP Query User{E9E39D17-6D30-4020-8456-057DA4491D0A}C:\\program files\\zattoo\\zattood.exe"= Disabled:UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{FCD80E81-DC3C-4641-9468-30DB22CB61ED}C:\\program files\\zattoo\\zattood.exe"= Disabled:TCP:C:\program files\zattoo\zattood.exe:zattood
"TCP Query User{3B1EC8F4-25DE-420C-A4 C4-491DE8E DC2D4}C:\\ program files\\zattoo\\zattoo.exe" = Disabled:UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{E9A85774-5328-4AC5-AC 4E-2F05D13 BCC87}C:\\ program files\\zattoo\\zattoo.exe" = Disabled:TCP:C:\program files\zattoo\zattoo.exe:
"{7510586A-F97F-4E24-9C91- 9A0C3020CA E6}"= UDP:C:\Program Files\IncrediMail\bin\IncM ail.exe:In crediMail
"{E38E9C52-EE42-42C8-8505- 47871BC470 F2}"= TCP:C:\Program Files\IncrediMail\bin\IncM ail.exe:In crediMail
"{5F2E4C05-3198-493D-BBFB- 393B7A09B4 E9}"= UDP:C:\Program Files\IncrediMail\bin\ImAp p.exe:Incr ediMail
"{C355A61B-7416-4AB6-9865- 30A88A4C2B 93}"= TCP:C:\Program Files\IncrediMail\bin\ImAp p.exe:Incr ediMail
"TCP Query User{CDFA3DEA-02B7-458E-B0 41-02FD317 04577}C:\\ program files\\thq\\company of heroes\\reliccoh.exe"= Disabled:UDP:C:\program files\thq\company of heroes\reliccoh.exe:RelicC OH
"UDP Query User{4CB0BAC7-816F-492C-8B 24-4259B41 9C8A3}C:\\ program files\\thq\\company of heroes\\reliccoh.exe"= Disabled:TCP:C:\program files\thq\company of heroes\reliccoh.exe:RelicC OH
"TCP Query User{7140D20F-0CEA-4CD6-B6 98-F2E3CA1 FFB8C}C:\\ program files\\zattoo\\zattood.exe "= Disabled:UDP:C:\program files\zattoo\zattood.exe:z attood
"UDP Query User{53654654-A298-4A06-95 89-DE66A4E B8E42}C:\\ program files\\zattoo\\zattood.exe "= Disabled:TCP:C:\program files\zattoo\zattood.exe:z attood
"{BA701B04-5F72-423C-9A13- 48522E8E22 54}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncM ail.exe:In crediMail
"{9F8E78EA-EBD2-49F8-8B16- 36C641E32B A9}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncM ail.exe:In crediMail
"{E832E931-2A48-4685-8BCB- 1B0FDEFA18 CE}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImAp p.exe:Incr ediMail
"{26FA698A-C492-4EC4-B4E2- 86495C9962 4B}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImAp p.exe:Incr ediMail
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ PublicProf ile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ StandardPr ofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ StandardPr ofile\Auth orizedAppl ications\L ist]
"C:\\Program Files\\PPMate\\ppmate.exe" = C:\Program Files\PPMate\ppmate.exe:*: Enabled:PP Mate
"C:\\Program Files\\PPMate\\ppamnet.exe "= C:\Program Files\PPMate\ppamnet.exe:* :Enabled:P PMate
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enab led:Logite ch Harmony Remote Software 7
R3 athena;athena;C:\Windows\s ystem32\DR IVERS\athe na.sys [2006-11-09 09:29:12 110336]
R3 AVGIDSDriver;AVGIDSDriver; C:\Program Files\AVG\AVG8\IdentityPro tection\ag ent\driver \platform_ VISTA\AVGI DSDriver.s ys [2009-02-26 10:46:56 121352]
R3 AVGIDSFilter;AVGIDSFilter; C:\Program Files\AVG\AVG8\IdentityPro tection\ag ent\driver \platform_ VISTA\AVGI DSFilter.s ys [2009-02-26 10:46:56 30216]
R3 AVGIDSShim;AVGIDSShim;C:\P rogram Files\AVG\AVG8\IdentityPro tection\ag ent\driver \platform_ VISTA\AVGI DSShim.sys [2009-02-26 10:46:56 29136]
R3 CT20XUT;CT20XUT;C:\Windows \system32\ drivers\CT 20XUT.SYS [2009-02-19 08:42:26 198168]
R3 CTEXFIFX;CTEXFIFX;C:\Windo ws\system3 2\drivers\ CTEXFIFX.S YS [2009-02-19 08:43:50 1353240]
R3 CTHWIUT;CTHWIUT;C:\Windows \system32\ drivers\CT HWIUT.SYS [2009-02-19 08:43:10 73752]
R3 DCamUSBET;ET USB 2750 Camera;C:\Windows\system32 \DRIVERS\e tDevice.sy s [2008-03-01 00:38:36 131712]
R3 FiltUSBET;ET USB Device Lower Filter;C:\Windows\system32 \DRIVERS\e tFilter.sy s [2008-06-12 18:02:42 183168]
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32 \drivers\h a20x22k.sy s [2009-02-19 08:54:48 1222680]
R3 ScanUSBET;ET USB Still Image Capture Device;C:\Windows\system32 \DRIVERS\e tScan.sys [2007-09-07 18:43:56 6656]
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\Windows\system32 \DRIVERS\s is163u.sys [x]
R3 SndTAudio;SndTAudio;C:\Win dows\syste m32\driver s\SndTAudi o.sys [2008-11-11 14:05:16 23096]
R3 SndTVideo;SndTVideo;C:\Win dows\syste m32\DRIVER S\SndTVide o.sys [2008-11-11 14:05:18 3768]
R4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AV G8\avgemc. exe [2009-05-10 18:48:15 908568]
R4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\A VG8\avgwds vc.exe [2009-05-10 18:48:20 298776]
R4 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\A VG8\avgfws 8.exe [2009-05-10 18:48:16 1366904]
R4 AVGIDSAgent;AVGIDSAgent;C: \Program Files\AVG\AVG8\IdentityPro tection\ag ent\Bin\AV GIDSAgent. exe AVGIDSAgent [x]
R4 AVGIDSWatcher;AVGIDSWatche r;C:\Progr am Files\AVG\AVG8\IdentityPro tection\ag ent\Bin\AV GIDSWatche r.exe [2009-02-26 10:46:22 563720]
S0 AVGIDSErHr;AVGIDSErHr;C:\W indows\Sys tem32\Driv ers\AVGIDS ErHr.sys [2009-02-26 10:46:56 25608]
S0 AvgRkx86;avgrkx86.sys;C:\W indows\Sys tem32\Driv ers\avgrkx 86.sys [2009-05-10 18:48:14 12552]
S0 Lbd;Lbd;C:\Windows\system3 2\DRIVERS\ Lbd.sys [2009-03-09 19:06:56 64160]
S1 Avgfwfd;AVG network filter service;C:\Windows\system3 2\DRIVERS\ avgfwd6x.s ys [2009-05-10 18:48:17 23832]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\System32\Dr ivers\avgl dx86.sys [2009-05-10 18:48:28 325896]
S1 AvgTdiX;AVG8 Network Redirector;C:\Windows\Syst em32\Drive rs\avgtdix .sys [2009-05-10 18:48:24 108552]
S2 {95808DC4-FA4A-4C74-92FE-5 B863F82066 B};{95808D C4-FA4A-4C 74-92FE-5B 863F82066B };C:\Progr am Files\CyberLink\PowerDVD\0 00.fcl [2007-11-02 19:42:32 41456]
S2 fssfltr;fssfltr;C:\Windows \system32\ DRIVERS\fs sfltr.sys [2008-12-08 16:01:52 55264]
S2 fsssvc;Windows Live Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 17:08:58 533360]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AA WService.e xe [2009-03-09 19:06:55 951632]
S3 b57nd60x;%SvcDispName%;C:\ Windows\sy stem32\DRI VERS\b57nd 60x.sys [2008-01-19 04:25:04 179712]
S3 CT20XUT.SYS;CT20XUT.SYS;C: \Windows\S ystem32\dr ivers\CT20 XUT.SYS [2009-02-19 08:42:26 198168]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS; C:\Windows \System32\ drivers\CT EXFIFX.SYS [2009-02-19 08:43:50 1353240]
S3 CTHWIUT.SYS;CTHWIUT.SYS;C: \Windows\S ystem32\dr ivers\CTHW IUT.SYS [2009-02-19 08:43:10 73752]
S3 physX32;physX32;C:\Windows \system32\ DRIVERS\ph ysX32.sys [2007-09-13 06:43:00 120320]
S3 tenCapture;tenCapture;C:\W indows\sys tem32\DRIV ERS\tenCap ture.sys [2007-04-21 14:15:42 9344]
--- Other Services/Drivers In Memory ---
*Deregistered* - {95808DC4-FA4A-4C74-92FE-5B863F82066B}
*Deregistered* - AFD
*Deregistered* - Avgfwfd
*Deregistered* - AVGIDSErHr
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - crcdisk
*Deregistered* - CT20XUT.SYS
*Deregistered* - CTEXFIFX.SYS
*Deregistered* - CTHWIUT.SYS
*Deregistered* - ctprxy2k
*Deregistered* - ctsfm2k
*Deregistered* - CVPNDRVA
*Deregistered* - DfsC
*Deregistered* - DNE
*Deregistered* - DXGKrnl
*Deregistered* - Ecache
*Deregistered* - emupia
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - fssfltr
*Deregistered* - fvevol
*Deregistered* - ha20x2k
*Deregistered* - HTTP
*Deregistered* - iScsiPrt
*Deregistered* - kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lbd
*Deregistered* - lltdio
*Deregistered* - LVPr2Mon
*Deregistered* - LVUSBSta
*Deregistered* - mouclass
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVR0Dev
*Deregistered* - nvraid
*Deregistered* - nvstor
*Deregistered* - ossrv
*Deregistered* - Pcouffin
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - RDPWD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - sptd
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - TDTCP
*Deregistered* - tdx
*Deregistered* - tssecsrv
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - udfs
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000
*Deregistered* - ws2ifsl
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e93f610-3888-11dd-b1e2-001aa0d8fac4}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL O:\Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10faf08e-002b-11de-ac78-806e6f6e6963}]
\shell\AutoRun\command - H:\setupSNK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
2009-05-12 C:\Windows\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06:56 . 2009-03-09 19:06:56]
2009-04-14 C:\Windows\Tasks\GBMPro6 Task - New Backup Job.job
- C:\Program Files\Genie-Soft\GBMPro 6.0\GBMPro.exe [2008-08-03 20:13:25 . 2005-05-15 12:58:50]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 192.168.0.102:808
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: C:\Windows\system32\wpclsp.dll
DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} - hxxp://86.144.102.131:8085/IPCamPluginMJPEG.cab
DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - hxxps://danid.dk/csp/authenticode/digitalsignatur-csp.exe
FF - ProfilePath -
.
************************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 08:52:50
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ... this is not a cut and paste error, the log stops here.
****************************************************************************************************
HiJackThis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:43, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://86.144.102.131:8085/IPCamPluginMJPEG.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://danid.dk/csp/authenticode/digitalsignatur-csp.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 9279 bytes
***************************************************************************************************************
Malwarebytes' Anti-Malware 1.36
Database version: 2131
Windows 6.0.6001 Service Pack 1
15/05/2009 07:04:14
mbam-log-2009-05-15 (07-04-14).txt
Scan type: Quick Scan
Objects scanned: 86205
Time elapsed: 3 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hope this is ok-
Chris
Combofix Log :
ComboFix 09-05-13.02 - Lars 15/05/2009 8:19:18.3 - NTFSx86
Running from: C:\Users\Lars\Desktop\komi
.
((((((((((((((((((((((((((
.
C:\Windows\TEMP\logishrd\L
.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 ))))))))))))))))))))))))))
.
2009-05-14 18:48:50 . 2009-05-14 18:48:50 0 d-----w C:\ProgramData\Nero
2009-05-14 18:48:50 . 2009-05-14 18:49:24 0 d-----w C:\Program Files\Common Files\Ahead
2009-05-14 17:50:16 . 2009-05-14 17:50:16 0 d-----w C:\Windows\log
2009-05-14 14:11:24 . 2009-05-14 15:28:56 0 d-----w C:\Program Files\MALWAREBYTES ANTI-MALWARE
2009-05-13 18:33:34 . 2009-05-13 18:33:34 14152 ----a-w C:\Windows\system32\driver
2009-05-12 20:31:44 . 2009-05-12 20:31:44 0 d-----w C:\Users\Lars\AppData\Loca
2009-05-12 19:49:46 . 2009-03-09 19:06:57 15688 ----a-w C:\Windows\system32\lsdele
2009-05-12 19:45:43 . 2009-03-09 19:06:56 64160 ----a-w C:\Windows\system32\driver
2009-05-12 19:45:30 . 2009-05-13 18:16:47 0 dc-h--w C:\ProgramData\{7972B2E5-3
2009-05-12 19:45:23 . 2009-05-12 19:45:23 0 d-----w C:\Program Files\Lavasoft
2009-05-12 19:45:23 . 2009-05-12 19:45:46 0 d-----w C:\ProgramData\Lavasoft
2009-05-12 15:40:16 . 2009-05-12 15:40:16 0 d-----w C:\Users\Lars\AppData\Roam
2009-05-11 05:28:11 . 2009-05-11 05:28:11 262144 ----a-w C:\ntuser.dat
2009-05-10 21:52:25 . 2009-05-10 21:52:28 0 d-----w C:\Program Files\CleanUp!
2009-05-10 14:29:43 . 2009-05-13 19:06:25 0 d--h--w C:\$AVG8.VAULT$
2009-05-10 14:08:53 . 2009-05-10 14:08:53 0 d-----w C:\ProgramData\Downloaded Installations
2009-05-10 14:08:42 . 2009-05-10 18:48:28 11952 ----a-w C:\Windows\system32\avgrss
2009-05-10 14:08:42 . 2009-05-10 18:48:14 12552 ----a-w C:\Windows\system32\driver
2009-05-10 14:08:41 . 2009-05-10 18:48:24 108552 ----a-w C:\Windows\system32\driver
2009-05-10 14:08:37 . 2009-05-10 18:48:28 325896 ----a-w C:\Windows\system32\driver
2009-05-10 14:08:35 . 2009-05-14 15:53:20 0 d-----w C:\Windows\system32\driver
2009-05-10 14:08:26 . 2009-05-10 18:48:17 23832 ----a-w C:\Windows\system32\driver
2009-05-10 14:08:26 . 2009-05-10 14:08:26 0 d-----w C:\Program Files\AVG
2009-05-10 14:08:26 . 2009-05-12 22:26:03 0 d-----w C:\ProgramData\avg8
2009-05-10 09:00:40 . 2009-05-10 13:46:51 0 d-----w C:\Program Files\Spybot - Search & Destroy
2009-05-09 06:49:44 . 2009-05-09 06:50:13 0 d-----w C:\Windows\BDOSCAN8
2009-05-07 22:31:40 . 2009-05-07 22:31:41 28320 ----a-w C:\Windows\system32\driver
2009-05-07 20:25:44 . 2009-05-07 20:25:44 47360 ----a-w C:\Windows\system32\driver
2009-05-07 20:25:44 . 2009-05-07 20:25:44 47360 ----a-w C:\Users\Lars\AppData\Roam
2009-05-07 20:25:40 . 2006-09-29 11:24:48 217127 ----a-w C:\Windows\system32\drv432
2009-05-07 20:25:40 . 2006-09-29 11:25:38 208935 ----a-w C:\Windows\system32\drv332
2009-05-07 20:25:40 . 2006-09-29 11:26:22 176165 ----a-w C:\Windows\system32\drv232
2009-05-07 20:25:40 . 2007-03-18 19:37:12 65602 ----a-w C:\Windows\system32\cook32
2009-05-07 20:25:40 . 2006-05-11 18:21:00 626688 ----a-w C:\Windows\system32\vp7vfw
2009-05-07 20:25:40 . 2006-05-20 15:16:00 1184984 ----a-w C:\Windows\system32\wvc1dm
2009-05-07 20:25:40 . 2004-05-04 10:53:40 1645320 ----a-w C:\Windows\gdiplus.dll
2009-05-03 04:27:58 . 2009-05-03 04:27:58 0 d-----w C:\Program Files\Elaborate Bytes
2009-05-02 07:47:11 . 2009-05-02 07:51:28 0 d-----w C:\Users\Lars\AppData\Roam
2009-05-02 07:46:45 . 2009-05-02 07:51:43 0 d-----w C:\Users\Lars\AppData\Roam
2009-05-01 23:05:26 . 2009-05-01 23:05:26 0 d-----w C:\Users\Lars\AppData\Loca
2009-05-01 23:01:54 . 2009-05-01 23:01:54 0 d-----w C:\Program Files\Common Files\CyberLink
2009-04-30 20:45:16 . 2009-05-08 22:22:43 0 d-----w C:\Program Files\Combined Community Codec Pack
2009-04-30 20:44:44 . 2009-04-30 20:44:45 0 d-----w C:\Program Files\AC3Filter
2009-04-30 17:33:20 . 2009-04-30 17:33:20 0 d-----w C:\Users\Lars\AppData\Loca
2009-04-28 15:15:19 . 2009-04-28 15:15:19 0 d-----w C:\Program Files\Daniusoft
2009-04-21 09:35:00 . 2009-04-21 09:38:04 0 d-----w C:\iPAQ
.
((((((((((((((((((((((((((
.
2009-05-15 06:44:41 . 2007-10-26 09:19:39 92362 ----a-w C:\Windows\system32\perfc0
2009-05-15 06:44:41 . 2007-10-26 09:19:39 502388 ----a-w C:\Windows\system32\perfh0
2009-05-15 04:57:56 . 2007-10-24 21:29:49 8376 ----a-w C:\Users\Lars\AppData\Loca
2009-05-14 15:28:56 . 2009-05-14 14:16:49 0 d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-05-13 01:00:16 . 2006-11-02 11:18:33 0 d-----w C:\Program Files\Windows Mail
2009-05-13 00:10:53 . 2008-10-19 14:54:09 8224 ----a-w C:\Users\EmmaOgAndreas\App
2009-05-10 19:44:31 . 2008-01-28 21:55:15 0 d-----w C:\Program Files\Fake Voice
2009-05-10 14:49:22 . 2008-04-02 18:55:25 0 d-----w C:\Program Files\PPMate
2009-05-10 14:08:31 . 2006-11-02 10:25:05 86016 ----a-w C:\Windows\inf\infstor.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05 86016 ----a-w C:\Windows\inf\infpub.dat
2009-05-10 14:08:31 . 2006-11-02 10:25:05 143360 ----a-w C:\Windows\inf\infstrng.da
2009-05-10 08:37:38 . 2008-10-23 16:39:23 0 d-----w C:\Users\Lars\AppData\Roam
2009-05-10 08:37:38 . 2007-11-10 12:28:06 0 d-----w C:\Program Files\SUPERAntiSpyware
2009-05-10 08:36:50 . 2007-10-25 02:24:10 0 d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-05-07 21:41:17 . 2007-10-26 09:42:50 0 d-----w C:\Program Files\ESET
2009-05-07 20:25:41 . 2009-01-29 13:11:45 0 d-----w C:\Program Files\VSO
2009-05-06 21:04:59 . 2007-10-28 14:53:53 112048 ----a-w C:\Users\Camilla\AppData\L
2009-05-06 21:00:10 . 2007-10-24 21:30:11 112048 ----a-w C:\Users\Lars\AppData\Loca
2009-05-05 18:46:33 . 2007-10-28 15:36:13 0 d-----w C:\Program Files\Microsoft Works
2009-05-04 20:20:23 . 2007-10-25 04:05:26 0 d--h--w C:\Program Files\InstallShield Installation Information
2009-05-04 20:19:50 . 2008-11-19 20:26:10 0 d-----w C:\Program Files\Veetle
2009-05-03 04:08:19 . 2007-10-26 20:25:48 0 d-----w C:\Program Files\CyberLink
2009-04-21 09:38:08 . 2007-12-20 18:00:36 0 d-----w C:\Program Files\HP
2009-04-10 17:40:42 . 2008-03-21 10:06:49 0 d-----w C:\Program Files\DVD Shrink
2009-04-06 13:32:54 . 2009-05-14 14:16:50 38496 ----a-w C:\Windows\system32\driver
2009-04-06 13:32:46 . 2009-05-14 14:16:52 15504 ----a-w C:\Windows\system32\driver
2009-04-04 19:11:00 . 2007-10-28 10:27:40 0 d-----w C:\Program Files\Common Files\Adobe
2009-04-02 20:35:44 . 2009-04-02 20:35:44 0 d-----w C:\Program Files\CLICK
2009-04-01 19:39:22 . 2009-04-01 19:39:21 0 d-----w C:\Program Files\Common Files\Deterministic Networks
2009-04-01 15:10:29 . 2008-02-28 23:08:58 0 d-----w C:\Program Files\THQ
2009-03-31 14:14:50 . 2008-05-31 18:10:19 181192 ---ha-w C:\Windows\system32\mlfcac
2009-03-28 09:32:22 . 2009-03-28 09:32:22 0 d-----w C:\Program Files\QuickPar
2009-03-17 15:44:57 . 2007-10-26 20:28:41 0 d-----w C:\Program Files\Google
2009-03-17 03:38:46 . 2009-04-15 18:07:04 13824 ----a-w C:\Windows\system32\apilog
2009-03-17 03:38:44 . 2009-04-15 18:07:04 24064 ----a-w C:\Windows\system32\amxrea
2009-03-09 17:00:55 . 2009-03-09 17:00:55 0 ----a-w C:\Users\Lars\temp.dat
2009-03-08 11:34:57 . 2009-03-31 19:05:30 914944 ----a-w C:\Windows\system32\winine
2009-03-08 11:34:28 . 2009-03-31 19:05:33 43008 ----a-w C:\Windows\system32\licmgr
2009-03-08 11:33:38 . 2009-03-31 19:05:34 18944 ----a-w C:\Windows\system32\corpol
2009-03-08 11:33:17 . 2009-03-31 19:05:31 109056 ----a-w C:\Windows\system32\iesysp
2009-03-08 11:33:16 . 2009-03-31 19:05:31 109568 ----a-w C:\Windows\system32\PDMSet
2009-03-08 11:33:15 . 2009-03-31 19:05:31 132608 ----a-w C:\Windows\system32\ieUnat
2009-03-08 11:33:15 . 2009-03-31 19:05:31 107520 ----a-w C:\Windows\system32\Regist
2009-03-08 11:33:15 . 2009-03-31 19:05:31 107008 ----a-w C:\Windows\system32\SetIEI
2009-03-08 11:33:15 . 2009-03-31 19:05:31 103936 ----a-w C:\Windows\system32\SetDep
2009-03-08 11:33:04 . 2009-03-31 19:05:32 420352 ----a-w C:\Windows\system32\vbscri
2009-03-08 11:32:54 . 2009-03-31 19:05:34 72704 ----a-w C:\Windows\system32\admpar
2009-03-08 11:32:49 . 2009-03-31 19:05:33 71680 ----a-w C:\Windows\system32\iesetu
2009-03-08 11:32:38 . 2009-03-31 19:05:33 66560 ----a-w C:\Windows\system32\wextra
2009-03-08 11:32:32 . 2009-03-31 19:05:31 169472 ----a-w C:\Windows\system32\iexpre
2009-03-08 11:31:37 . 2009-03-31 19:05:34 34816 ----a-w C:\Windows\system32\imguti
2009-03-08 11:31:17 . 2009-03-31 19:05:34 48128 ----a-w C:\Windows\system32\mshtml
2009-03-08 11:31:00 . 2009-03-31 19:05:31 45568 ----a-w C:\Windows\system32\mshta.
2009-03-08 11:22:37 . 2009-03-31 19:05:34 156160 ----a-w C:\Windows\system32\msls31
2009-03-03 04:46:01 . 2009-04-15 18:07:22 3599328 ----a-w C:\Windows\system32\ntkrnl
2009-03-03 04:46:01 . 2009-04-15 18:07:21 3547632 ----a-w C:\Windows\system32\ntoskr
2009-03-03 04:39:36 . 2009-04-15 18:07:20 183296 ----a-w C:\Windows\system32\sdohlp
2009-03-03 04:39:32 . 2009-04-15 18:07:23 551424 ----a-w C:\Windows\system32\rpcss.
2009-03-03 04:39:22 . 2009-04-15 18:07:20 26112 ----a-w C:\Windows\system32\printf
2009-03-03 04:37:11 . 2009-04-15 18:07:20 98304 ----a-w C:\Windows\system32\iasrec
2009-03-03 04:37:11 . 2009-04-15 18:07:20 54784 ----a-w C:\Windows\system32\iasads
2009-03-03 04:37:11 . 2009-04-15 18:07:20 44032 ----a-w C:\Windows\system32\iasdat
2009-03-03 03:04:59 . 2009-04-15 18:07:21 666624 ----a-w C:\Windows\system32\printf
2009-03-03 02:38:13 . 2009-04-15 18:07:20 17408 ----a-w C:\Windows\system32\iashos
2009-02-26 10:46:56 . 2009-02-26 10:46:56 74760 ----a-w C:\Windows\system32\driver
2009-02-26 10:46:56 . 2009-02-26 10:46:56 25608 ----a-w C:\Windows\system32\driver
2009-02-22 10:48:14 . 2009-02-22 10:02:03 34 ----a-w C:\Users\EmmaOgAndreas\jag
2009-02-19 08:55:20 . 2009-02-19 08:55:20 15384 ----a-w C:\Windows\system32\driver
2009-02-19 08:54:48 . 2009-02-19 08:54:48 1222680 ----a-w C:\Windows\system32\driver
2009-02-19 08:53:16 . 2009-02-19 08:53:16 1179672 ----a-w C:\Windows\system32\driver
2009-02-19 08:52:42 . 2009-02-19 08:52:42 95768 ----a-w C:\Windows\system32\driver
2009-02-19 08:52:04 . 2009-02-19 08:52:04 159256 ----a-w C:\Windows\system32\driver
2009-02-19 08:51:26 . 2009-02-19 08:51:26 14360 ----a-w C:\Windows\system32\driver
2009-02-19 08:50:46 . 2009-02-19 08:50:46 129560 ----a-w C:\Windows\system32\driver
2009-02-19 08:45:16 . 2009-02-19 08:45:16 535320 ----a-w C:\Windows\system32\driver
2009-02-19 08:44:40 . 2009-02-19 08:44:40 511000 ----a-w C:\Windows\system32\driver
2009-02-19 08:43:50 . 2009-02-19 08:43:50 1353240 ----a-w C:\Windows\system32\driver
2009-02-19 08:43:10 . 2009-02-19 08:43:10 73752 ----a-w C:\Windows\system32\driver
2009-02-19 08:42:26 . 2009-02-19 08:42:26 198168 ----a-w C:\Windows\system32\driver
2009-02-19 07:00:14 . 2008-01-15 04:01:40 86016 ----a-w C:\Windows\system32\ctcoin
2009-02-19 07:00:14 . 2008-01-15 04:01:40 181248 ----a-w C:\Windows\system32\ctdvin
2009-02-19 06:59:04 . 2009-02-19 06:59:04 14336 ----a-w C:\Windows\system32\a3d.dl
2009-02-19 06:58:38 . 2009-02-19 06:58:38 13312 ----a-w C:\Windows\system32\ac3api
2009-02-19 06:58:02 . 2009-02-19 06:58:02 2560 ----a-w C:\Windows\system32\CtxfiR
2009-02-19 06:58:00 . 2009-02-19 06:58:00 42496 ----a-w C:\Windows\system32\CTxfiB
2009-02-19 06:57:58 . 2009-02-19 06:57:58 39424 ----a-w C:\Windows\system32\CTxfiS
2009-02-19 06:57:58 . 2009-02-19 06:57:58 24576 ----a-w C:\Windows\system32\Ctxfih
2009-02-19 06:54:06 . 2009-02-19 06:54:06 47104 ----a-w C:\Windows\system32\CTxfiR
2009-02-19 06:54:02 . 2009-02-19 06:54:02 15360 ----a-w C:\Windows\system32\Ct20xs
2009-02-19 06:53:56 . 2009-02-19 06:53:56 1212928 ----a-w C:\Windows\system32\CTxfis
2009-02-19 06:47:06 . 2008-02-21 03:04:18 51787 ----a-w C:\Windows\system32\ctdlan
2009-02-19 06:47:06 . 2008-02-21 03:04:18 384428 ----a-w C:\Windows\system32\ctdnls
2009-02-19 06:46:32 . 2009-02-19 06:46:32 201216 ----a-w C:\Windows\system32\ctemup
2009-02-19 06:43:48 . 2009-02-19 06:43:48 193024 ----a-w C:\Windows\system32\ct_oal
2009-02-19 06:43:44 . 2009-02-19 06:43:44 50688 ----a-w C:\Windows\system32\ctasio
2009-02-19 06:43:36 . 2009-02-19 06:43:36 53248 ----a-w C:\Windows\system32\ctdpro
2009-02-19 06:42:54 . 2009-02-19 06:42:54 74240 ----a-w C:\Windows\system32\ctosus
2009-02-19 06:42:52 . 2009-02-19 06:42:52 10240 ----a-w C:\Windows\system32\sfman3
2009-02-19 06:42:50 . 2009-02-19 06:42:50 130560 ----a-w C:\Windows\system32\sfms32
2009-02-19 06:42:44 . 2009-02-19 06:42:44 16384 ----a-w C:\Windows\system32\regpli
2006-11-22 14:58:11 . 2006-11-22 14:58:11 8192 --sha-w C:\Windows\Users\Default\N
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWAR
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33:39 202240]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncM
"ehTray.exe"="C:\Windows\e
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 12:11:12 490952]
[HKEY_LOCAL_MACHINE\SOFTWA
"WPCUMI"="C:\Windows\syste
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 05:28:32 36352]
"SunJavaUpdateSched"="C:\P
"LogitechCommunicationsMan
"LifeChat"="c:\Program Files\Microsoft LifeChat\LifeChat.exe" [2008-08-21 09:16:56 267296]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 19:34:40 49152]
"EverioService"="C:\Progra
"etMonitor"="C:\Windows\et
"AVGIDS"="C:\Program Files\AVG\AVG8\IdentityPro
"AVG8_TRAY"="C:\PROGRA~1\A
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AA
"NeroFilterCheck"="C:\Prog
[HKEY_LOCAL_MACHINE\softwa
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\softwa
"AppInit_DLLs"=C:\Windows\
[HKEY_LOCAL_MACHINE\SYSTEM
@="Service"
[HKLM\~\startupfolder\C:^P
path=C:\ProgramData\Micros
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonSta
[HKLM\~\startupfolder\C:^P
path=C:\ProgramData\Micros
backup=C:\Windows\pss\Logi
backupExtension=.CommonSta
[HKLM\~\startupfolder\C:^P
path=C:\ProgramData\Micros
backup=C:\Windows\pss\Quic
backupExtension=.CommonSta
[HKEY_LOCAL_MACHINE\softwa
"UACDisableNotify"=dword:0
[HKLM\~\services\sharedacc
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedacc
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enab
[HKLM\~\services\sharedacc
"{30471418-D31B-4DEE-9ECA-
"{539AD9C6-9097-44F1-B9DA-
"{9DD004BD-76BC-4F65-ADFE-
"{A7FA87C4-ECD0-4FA4-B03E-
"{2A8841B5-7D8C-458B-BBF8-
"{FA38AD53-AF86-4259-B453-
"{F3C41857-8C63-42E3-926C-
"TCP Query User{B822B438-2D5C-442E-B8
"UDP Query User{3A3BA820-6444-40D9-A1
"{EC7CD5A0-4118-444B-9806-
"{5C22172A-D26B-4AE5-93C1-
"TCP Query User{31383E43-1747-4EF9-BD
"UDP Query User{D6F0886C-DB32-4589-AA
"TCP Query User{571F19BB-CCE1-46F4-9B
"UDP Query User{AF8F77E4-B47A-4ADE-92
"{87244075-6D60-4E8F-B51F-
"{74864C2D-1A73-4326-975D-
"{504DD735-0A66-4BC3-B021-
"{E2CF730D-0AA2-4D35-A671-
"{46D1E131-150D-4B11-A2DE-
"{1A0CCE22-3738-41B2-B121-
"TCP Query User{FBE5EC3C-24D0-42CD-B0
"UDP Query User{2BD03585-0CCF-441A-B5
"TCP Query User{1F9A3EAF-C4E2-4C05-A0
"UDP Query User{1DEAE99E-59C2-439D-A2
"{B9051207-5699-4E3D-A1F6-
"{5BA757F4-01E3-44DA-AA79-
"TCP Query User{DAD976BA-862A-48B3-9D
"UDP Query User{2884C220-188B-49A9-85
"{B198D27E-73C3-47F7-AD53-
"{B67E0675-427F-41B7-B2BC-
"{A8974B9D-1240-40FE-B31D-
"{2FD7DAE2-7AC3-4BA9-A1FE-
"{79989C2A-7482-4EA1-89C8-
"{4C225B18-DEDB-4B83-83F2-
"{5E224F79-B425-4FEF-8200-
"{F76B08C3-17A6-4503-B07E-
"{3919F47A-315E-4A1A-AE2D-
"{9CB2A16A-B461-4463-B700-
"{08663E7B-9A74-4178-B51F-
"{E446B26B-75B5-454E-90D8-
"{BF199DD6-2D8C-44E5-A285-
"TCP Query User{46FC2F39-4F27-4B3C-8A
"UDP Query User{5B44DA43-2916-4B9E-95
"{53EAAC54-3AF8-45A2-BE1A-
"{08B691AD-A3ED-484A-B1F1-
"{2B34CCA0-99CA-445C-8A0E-
"{E0639972-B2C8-422B-9CC3-
"{AC1EAA2F-0AAD-4A8D-9071-
"{2E32CCCC-AE8F-49DB-829F-
"TCP Query User{29A944B8-D27D-4B81-A9
"UDP Query User{43430C6B-25C6-4316-9A
"TCP Query User{53939F42-4C07-4493-A9
"UDP Query User{BA4C9F24-DED7-4B80-B7
"TCP Query User{E9E39D17-6D30-4020-84
"UDP Query User{FCD80E81-DC3C-4641-94
"TCP Query User{3B1EC8F4-25DE-420C-A4
"UDP Query User{E9A85774-5328-4AC5-AC
"{7510586A-F97F-4E24-9C91-
"{E38E9C52-EE42-42C8-8505-
"{5F2E4C05-3198-493D-BBFB-
"{C355A61B-7416-4AB6-9865-
"TCP Query User{CDFA3DEA-02B7-458E-B0
"UDP Query User{4CB0BAC7-816F-492C-8B
"TCP Query User{7140D20F-0CEA-4CD6-B6
"UDP Query User{53654654-A298-4A06-95
"{BA701B04-5F72-423C-9A13-
"{9F8E78EA-EBD2-49F8-8B16-
"{E832E931-2A48-4685-8BCB-
"{26FA698A-C492-4EC4-B4E2-
[HKLM\~\services\sharedacc
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedacc
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedacc
"C:\\Program Files\\PPMate\\ppmate.exe"
"C:\\Program Files\\PPMate\\ppamnet.exe
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enab
R3 athena;athena;C:\Windows\s
R3 AVGIDSDriver;AVGIDSDriver;
R3 AVGIDSFilter;AVGIDSFilter;
R3 AVGIDSShim;AVGIDSShim;C:\P
R3 CT20XUT;CT20XUT;C:\Windows
R3 CTEXFIFX;CTEXFIFX;C:\Windo
R3 CTHWIUT;CTHWIUT;C:\Windows
R3 DCamUSBET;ET USB 2750 Camera;C:\Windows\system32
R3 FiltUSBET;ET USB Device Lower Filter;C:\Windows\system32
R3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\system32
R3 ScanUSBET;ET USB Still Image Capture Device;C:\Windows\system32
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;C:\Windows\system32
R3 SndTAudio;SndTAudio;C:\Win
R3 SndTVideo;SndTVideo;C:\Win
R4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AV
R4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\A
R4 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\A
R4 AVGIDSAgent;AVGIDSAgent;C:
R4 AVGIDSWatcher;AVGIDSWatche
S0 AVGIDSErHr;AVGIDSErHr;C:\W
S0 AvgRkx86;avgrkx86.sys;C:\W
S0 Lbd;Lbd;C:\Windows\system3
S1 Avgfwfd;AVG network filter service;C:\Windows\system3
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\System32\Dr
S1 AvgTdiX;AVG8 Network Redirector;C:\Windows\Syst
S2 {95808DC4-FA4A-4C74-92FE-5
S2 fssfltr;fssfltr;C:\Windows
S2 fsssvc;Windows Live Family Safety;C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 17:08:58 533360]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AA
S3 b57nd60x;%SvcDispName%;C:\
S3 CT20XUT.SYS;CT20XUT.SYS;C:
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;
S3 CTHWIUT.SYS;CTHWIUT.SYS;C:
S3 physX32;physX32;C:\Windows
S3 tenCapture;tenCapture;C:\W
--- Other Services/Drivers In Memory ---
*Deregistered* - {95808DC4-FA4A-4C74-92FE-5
*Deregistered* - AFD
*Deregistered* - Avgfwfd
*Deregistered* - AVGIDSErHr
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgRkx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - bowser
*Deregistered* - cdfs
*Deregistered* - CLFS
*Deregistered* - crcdisk
*Deregistered* - CT20XUT.SYS
*Deregistered* - CTEXFIFX.SYS
*Deregistered* - CTHWIUT.SYS
*Deregistered* - ctprxy2k
*Deregistered* - ctsfm2k
*Deregistered* - CVPNDRVA
*Deregistered* - DfsC
*Deregistered* - DNE
*Deregistered* - DXGKrnl
*Deregistered* - Ecache
*Deregistered* - emupia
*Deregistered* - FileInfo
*Deregistered* - FltMgr
*Deregistered* - fssfltr
*Deregistered* - fvevol
*Deregistered* - ha20x2k
*Deregistered* - HTTP
*Deregistered* - iScsiPrt
*Deregistered* - kbdclass
*Deregistered* - KSecDD
*Deregistered* - Lbd
*Deregistered* - lltdio
*Deregistered* - LVPr2Mon
*Deregistered* - LVUSBSta
*Deregistered* - mouclass
*Deregistered* - MountMgr
*Deregistered* - mpsdrv
*Deregistered* - MRxDAV
*Deregistered* - mrxsmb
*Deregistered* - mrxsmb10
*Deregistered* - mrxsmb20
*Deregistered* - Msfs
*Deregistered* - msisadrv
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NativeWifiP
*Deregistered* - NDIS
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - netbt
*Deregistered* - Npfs
*Deregistered* - nsiproxy
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVR0Dev
*Deregistered* - nvraid
*Deregistered* - nvstor
*Deregistered* - ossrv
*Deregistered* - Pcouffin
*Deregistered* - PEAUTH
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - RasSstp
*Deregistered* - rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RDPENCDD
*Deregistered* - RDPWD
*Deregistered* - rspndr
*Deregistered* - secdrv
*Deregistered* - Smb
*Deregistered* - spldr
*Deregistered* - sptd
*Deregistered* - srv
*Deregistered* - srv2
*Deregistered* - srvnet
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - tcpipreg
*Deregistered* - TDTCP
*Deregistered* - tdx
*Deregistered* - tssecsrv
*Deregistered* - tunmp
*Deregistered* - tunnel
*Deregistered* - udfs
*Deregistered* - umbus
*Deregistered* - VgaSave
*Deregistered* - volmgr
*Deregistered* - volmgrx
*Deregistered* - volsnap
*Deregistered* - Wanarpv6
*Deregistered* - Wdf01000
*Deregistered* - ws2ifsl
[HKEY_LOCAL_MACHINE\softwa
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\softwar
\shell\AutoRun\command - H:\setupSNK.exe
[HKEY_CURRENT_USER\softwar
\shell\AutoRun\command - C:\Windows\system32\RunDLL
[HKEY_CURRENT_USER\softwar
\shell\AutoRun\command - H:\setupSNK.exe
[HKEY_LOCAL_MACHINE\softwa
"C:\Windows\System32\rundl
[HKEY_LOCAL_MACHINE\softwa
%SystemRoot%\system32\soun
[HKEY_LOCAL_MACHINE\softwa
%SystemRoot%\system32\soun
.
Contents of the 'Scheduled Tasks' folder
2009-05-12 C:\Windows\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad
2009-04-14 C:\Windows\Tasks\GBMPro6 Task - New Backup Job.job
- C:\Program Files\Genie-Soft\GBMPro 6.0\GBMPro.exe [2008-08-03 20:13:25 . 2005-05-15 12:58:50]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6638A9DE-0745-
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 192.168.0.102:808
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhoto
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Offic
LSP: C:\Windows\system32\wpclsp
DPF: {B015B944-7316-49AE-AC84-A
DPF: {D216644A-C6DB-49D9-BBCF-D
FF - ProfilePath -
.
**************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 08:52:50
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ... this is not a cut and paste error, the log stops here.
**************************
HiJackThis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:43, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LV
C:\Windows\system32\tasken
C:\Windows\system32\Dwm.ex
C:\Windows\Explorer.EXE
C:\Windows\System32\wpcumi
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Com
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityPro
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AA
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.ex
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\wbem\u
C:\Windows\ehome\ehmsas.ex
C:\Program Files\IncrediMail\bin\ImAp
C:\Windows\System32\mobsyn
C:\Program Files\Trend Micro\HijackThis\HijackThi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-9
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-7
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-7
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-7
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusche
O4 - HKLM\..\Run: [LogitechCommunicationsMan
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityPro
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtr
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AA
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncM
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.ex
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: @C:\Windows\WindowsMobile\
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-0
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {1E54D648-B804-468d-BC78-4
O16 - DPF: {474F00F5-3853-492C-AC3A-4
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-9
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-C
O16 - DPF: {B015B944-7316-49AE-AC84-A
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-F
O20 - AppInit_DLLs: C:\Windows\System32\avgrss
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AA
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LV
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPr
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexing
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneSer
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 9279 bytes
**************************
Malwarebytes' Anti-Malware 1.36
Database version: 2131
Windows 6.0.6001 Service Pack 1
15/05/2009 07:04:14
mbam-log-2009-05-15 (07-04-14).txt
Scan type: Quick Scan
Objects scanned: 86205
Time elapsed: 3 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hope this is ok-
Chris
Does this PC get strange security warnings and pop ups?
ppamnet.exe does not look legit - seems like it is something that can (and did) turn off your firewall to communicate with the outside. Seems like this PC is part of some botnet because it is listening for connections on TCP and UDP. It also can run other bad things and hijack processes.
First thing you want to do is run a boot-time AV scan, either Avast or a live CD - you may have to scan a few times.
After that run HJT and re-post the log.
BTW, this computer has a ton of junk installed on it.
Are you using AVG and NOD32?
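The "re-post the log" step above becomes a comparison job once the second HijackThis log arrives: which entries appeared, disappeared, or changed path between the two logs. This is an added example, not code from the thread; the two excerpts are constructed from entries in the logs posted here, and the section and key conventions it relies on are assumptions about the HijackThis v2.0.2 line format.

```python
import re

# Two constructed excerpts in HijackThis v2.0.2 log format, built from entries
# that appear in the logs posted in this thread; sample input, not the full logs.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

# An HJT entry line: section code (R0, O4, O23 ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


def entry_key(section, body):
    """Stable identity of an entry, so a changed path is reported as 'changed'
    rather than as an unrelated removal plus addition (assumed conventions)."""
    if section == "O4":
        m = re.match(r"(.+?: \[[^\]]+\])", body)            # 'HKCU\..\Run: [Windows Update]'
        if m:
            return m.group(1)
        m = re.match(r"(Global Startup: [^=]+?)\s*=", body)  # 'Global Startup: VPN Client.lnk'
        if m:
            return m.group(1)
    if section == "O23":
        m = re.match(r"Service: (.+?) - ", body)             # service display name
        if m:
            return m.group(1)
    m = GUID_RE.search(body)
    if m:                                                    # BHO/toolbar/button/DPF: kind + CLSID
        return body.split(":", 1)[0] + " " + m.group(0).upper()
    return body


def parse_hjt(text):
    """Return {section: {key: body}} for the R/F/N/O lines of a HijackThis log.
    Header lines and the 'Running processes' path list do not match and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entries.setdefault(section, {})[entry_key(section, body)] = body
    return entries


def diff_hjt(before_text, after_text):
    """Compare two logs of the same machine. Entries present only in the later
    log are the first thing to vet against a known-good baseline after cleanup."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    report = {"added": [], "removed": [], "changed": []}
    sections = sorted(set(before) | set(after), key=lambda s: (s[0], int(s[1:])))
    for section in sections:
        b, a = before.get(section, {}), after.get(section, {})
        for key in sorted(a.keys() - b.keys()):
            report["added"].append(f"{section} - {a[key]}")
        for key in sorted(b.keys() - a.keys()):
            report["removed"].append(f"{section} - {b[key]}")
        for key in sorted(a.keys() & b.keys()):
            if a[key] != b[key]:
                report["changed"].append((f"{section} - {b[key]}", f"{section} - {a[key]}"))
    return report


if __name__ == "__main__":
    for kind, items in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        for item in items:
            print(f"{kind:8}{item}")
```

Run against the two full logs in this thread, the same diff separates entries the online scanners themselves installed (BitDefender, HouseCall) from anything else that is new.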
Yes, there are a couple of infections that I can see as well, but I would ask you to scan your PC with either TrendMicro HouseCall based at: http://housecall.trendmicro.com/ or BitDefender Online Scanner based at http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html
The above 2 scans will also remove any infections present on your PC. Sometimes, a virus can have the same name as a legitimate file and at such times, online scanners can be quite helpful in making sure that we don't delete the legitimate file. They will point out the malicious files and we will remove them (unless they can't do it themselves).
ASKER
Hi again,
I found a folder called ESET on the C:\ drive; I could not delete it because it was in use. I got rid of it by booting to a command prompt. There is a lot of junk on the PC, I have found around 11 different "viewing programmes" for watching live football, I have deleted all of them; PPAMNET.exe was one of these.
OK, I ran BitDefender twice; the first time it found:
Infected Files: 1
Virus Detected: Trojan.Generic.391361 (1)
I rebooted and ran it again, it found nothing. Trend Micro's HouseCall was still running after 3 hours so I gave up on that.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:24, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Windows\etMon.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LifeChat] "c:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [etMonitor] C:\Windows\etMon.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B015B944-7316-49AE-AC84-ACCA9379EA32} (IPCamPlugIn Control) - http://86.144.102.131:8085/IPCamPluginMJPEG.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://danid.dk/csp/authenticode/digitalsignatur-csp.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LV ComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPr cSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexing Service.ex e
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneSer vice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc .exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 10622 bytes
Good hunting :-)
Chris
First off -
you have a trojan proxy still running locally on port 808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
Also - keep in mind the boot time scan - this will kill anything before it can load itself into memory
ChrisDriven,
I would have HJT fix this entry:
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
Then I would try downloading a fresh (not re-named) copy of Combofix and run another scan. Please post the log here.
warturtle,
On 13th May (ID: 24378966) I posted the following:
"...Try renaming Mbam BEFORE you download it.
Please post a current HJT scan log.
You could also try running an online scan:
http://www.bitdefender.com/scan8/ie.html
http://housecall.trendmicro.com/uk/
Good luck!!!..."
Please don't duplicate posts.
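The two items the replies above single out, the R1 ProxyServer entry routing browser traffic to port 808 and the O4 Run value named "Windows Update" that launches Winudate32.exe, are exactly the kind of thing a small log-triage script can pull out of a HijackThis log before anyone reads it line by line. The script below is an added example for this thread; it is not HijackThis code and not from any of the posters. It parses R0/R1 and O4 lines in the format shown in the log, using constructed sample lines shaped like the ones quoted here. The port allowlist, the list of mimicked display names and the HKCU/system32 heuristic are my assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-format log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines shaped like the entries quoted in this thread:
# an R1 proxy setting, an R1 override, and several O4 Run values.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.102:808
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [Windows Update] C:\Windows\system32\Winudate32.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Birthday Checker.lnk = C:\Program Files\SS Birthday Reminder\Birthday Checker.exe
"""

# R0/R1 lines: "<registry key>,<value name> = <data>"
R1_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>\S+)\s*=\s*(?P<data>.*)$")
# O4 Run lines: "O4 - HKxx\..\Run: [display name] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Ports a deliberately configured home/corporate proxy usually listens on.
# This allowlist is an assumption of the example, not a HijackThis rule.
CONVENTIONAL_PROXY_PORTS = {80, 443, 3128, 8080, 8888}
# Windows Update does not register itself as a Run value; a Run entry carrying
# one of these display names deserves a look regardless of the binary.
MIMICKED_RUN_NAMES = {"windows update", "microsoft update"}


@dataclass
class Finding:
    rule: str
    severity: str  # "suspicious" or "review"
    line: str
    detail: str


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)", cmd)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def proxy_port(data: str) -> Optional[int]:
    """Port from 'host:port'; None when no numeric port is present."""
    _, sep, port = data.strip().rpartition(":")
    return int(port) if sep and port.isdigit() else None


def triage(log_text: str) -> List[Finding]:
    """Scan R1 proxy settings and O4 Run values, returning findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        r1 = R1_RE.match(line)
        if r1:
            if r1.group("value") == "ProxyServer":
                target = r1.group("data").strip()
                port = proxy_port(target)
                if port is not None and port not in CONVENTIONAL_PROXY_PORTS:
                    findings.append(Finding("proxy-odd-port", "suspicious", line,
                        f"browser traffic is routed through {target}; "
                        f"port {port} is not a conventional proxy port"))
                else:
                    findings.append(Finding("proxy-set", "review", line,
                        f"browser proxy configured: {target}"))
            continue
        o4 = O4_RE.match(line)
        if not o4:
            continue  # Global Startup entries and other O4 forms are not handled here
        name, exe = o4.group("name"), executable_of(o4.group("cmd"))
        if name.lower() in MIMICKED_RUN_NAMES:
            findings.append(Finding("run-mimics-windows-update", "suspicious", line,
                f"Run value named '{name}' launches {exe}"))
        elif o4.group("hive") == "HKCU" and "\\system32\\" in exe.lower():
            # A per-user autostart of a binary living in the system directory is
            # unusual and worth a second look (heuristic of this example).
            findings.append(Finding("run-hkcu-system32", "review", line,
                f"per-user Run value launches {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the sample lines it reports the proxy on port 808 and the "Windows Update" Run value, and stays quiet about the Winamp and DAEMON Tools entries. The findings are a reading list, not a verdict: each flagged file still has to be checked (vendor, signature, a multi-engine scan) before anything is removed.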
@phototropic
Sorry, Bud. Didn't see the original post because it was way up there...my bad!
@chrisdriven
Could you please upload the files below to www.virustotal.com and let us know if they are flagged as infections?
C:\Windows\system32\drivers\czvqaigs.sys
C:\Users\EmmaOgAndreas\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\system32\PDMSetup.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\regplib.exe
C:\Program Files\CyberLink\PowerDVD\000.fcl
O:\Info.exe
And you said that AVG flagged 11 rootkits in the scan but was unable to delete them. Are you able to upload the avg.txt file you mentioned initially, so that we can see which files are being flagged as rootkits?