Possible Trojan/Keylogger - HijackThis/ComboFix logs inside...


Bonkman9

Ran through everything in your Spyware Removal Guide, Osiris...very concise and helpful.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:34:18, on 04/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\G15NetSpeed.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1200618327171
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1201290579671
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JS...4/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7456 bytes
 
And the ComboFix log:

ComboFix 09-04-22.02 - Scott 04/21/2009 13:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2893 [GMT -7:00]
Running from: e:\downloads\ComboFix.exe
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-21 19:10 . 2009-04-21 19:10 -------- d-----w c:\documents and settings\Scott\Application Data\Malwarebytes
2009-04-21 19:10 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 19:10 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 19:10 . 2009-04-21 19:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 19:10 . 2009-04-21 19:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 19:00 . 2009-04-21 19:00 -------- d-----w C:\VundoFix Backups
2009-04-21 18:51 . 2009-04-21 18:51 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-21 18:36 . 2009-04-21 18:36 -------- d-----w c:\program files\CCleaner
2009-04-21 18:08 . 2009-04-21 18:08 -------- d-----w c:\program files\CleanUp!
2009-04-21 17:40 . 2009-04-21 17:40 -------- d-----w c:\program files\MSConfig CleanUp
2009-04-21 06:57 . 2009-04-21 06:57 -------- d-----w c:\program files\Trend Micro
2009-04-21 06:42 . 2009-04-21 06:42 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-21 05:46 . 2009-04-21 05:46 -------- d-----w c:\windows\system32\Adobe
2009-04-21 04:46 . 2009-04-21 04:46 -------- d-sh--w c:\documents and settings\Scott\IECompatCache
2009-04-21 04:44 . 2009-04-21 04:44 -------- d-sh--w c:\documents and settings\Scott\PrivacIE
2009-04-21 04:41 . 2009-04-21 04:41 -------- d-sh--w c:\documents and settings\Scott\IETldCache
2009-04-21 04:38 . 2009-04-21 04:39 -------- dc-h--w c:\windows\ie8
2009-04-20 19:08 . 2009-04-20 19:08 -------- d-----w C:\fsaua.data
2009-04-20 17:43 . 2009-04-20 17:43 -------- d-----w c:\program files\Uniblue
2009-04-20 06:00 . 2009-04-20 06:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-20 05:46 . 2009-02-16 07:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-20 05:46 . 2009-04-20 05:46 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-20 05:46 . 2009-04-20 05:46 -------- d-----w c:\program files\Zone Labs
2009-04-20 05:46 . 2009-04-21 20:44 350192 ----a-w c:\windows\system32\vsconfig.xml
2009-04-20 00:17 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-19 21:23 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-19 21:19 . 2009-04-19 21:19 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 21:19 . 2009-04-19 21:23 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-19 21:19 . 2009-04-19 21:19 -------- d-----w c:\program files\Lavasoft
2009-04-19 03:26 . 2009-04-19 03:26 -------- d-----w c:\program files\Alwil Software
2009-04-18 22:40 . 2009-04-20 18:37 -------- d-----w c:\documents and settings\Scott\Application Data\Wireshark
2009-04-18 22:26 . 2009-04-18 22:26 -------- d-----w c:\documents and settings\Scott\Local Settings\Application Data\Blizzard Entertainment
2009-04-18 21:46 . 2009-04-18 21:46 -------- d-----w c:\program files\WinPcap
2009-04-18 21:46 . 2009-04-18 21:46 -------- d-----w c:\program files\Wireshark
2009-04-15 16:10 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:10 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:10 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:10 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:10 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:10 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:10 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:10 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 16:10 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:08 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 16:08 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:08 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 05:08 . 2009-03-27 17:03 215465 ----a-w c:\windows\system32\nvapps.nvb
2009-04-15 05:08 . 2009-04-21 20:44 209540 ----a-w c:\windows\system32\nvapps.xml
2009-04-15 05:08 . 2009-03-27 17:03 453152 ----a-w c:\windows\system32\nvudisp.exe
2009-04-15 05:08 . 2009-03-27 17:03 19054 ----a-w c:\windows\system32\nvdisp.nvu
2009-04-15 05:08 . 2009-03-27 15:14 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-10 23:23 . 2009-04-10 23:23 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-04-08 22:22 . 2006-10-19 10:11 12096 ----a-w c:\windows\system32\drivers\AsInsHelp64.sys
2009-04-08 22:22 . 2006-10-19 10:11 10304 ----a-w c:\windows\system32\drivers\AsInsHelp32.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 20:43 . 2009-04-20 05:48 2908 ----a-w C:\aaw7boot.log
2009-04-21 19:09 . 2009-04-21 19:00 135 ----a-w C:\VundoFix.txt
2009-04-21 18:52 . 2009-04-21 18:51 2521 ----a-w C:\rapport.txt
2009-04-21 18:40 . 2008-01-19 08:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 17:36 . 2008-12-19 19:39 -------- d-----w c:\program files\Unity
2009-04-21 17:35 . 2008-08-30 21:06 -------- d-----w c:\program files\Winamp
2009-04-21 17:32 . 2008-01-18 00:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-21 17:32 . 2008-03-20 20:01 -------- d-----w c:\program files\HOTALBUMMyBOX
2009-04-21 05:26 . 2008-01-19 08:38 -------- d-----w c:\documents and settings\Scott\Application Data\Xfire
2009-04-20 06:00 . 2008-01-22 00:41 -------- d-----w c:\program files\Java
2009-04-20 05:46 . 2008-01-18 23:44 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-19 21:00 . 2008-01-19 00:17 -------- d-----w c:\program files\Symantec
2009-04-19 21:00 . 2008-01-19 00:17 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-19 21:00 . 2008-01-19 00:17 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-19 21:00 . 2008-01-19 00:17 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-19 02:43 . 2008-01-19 08:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-17 07:52 . 2008-01-19 08:38 -------- d-s---w c:\program files\Xfire
2009-04-15 05:08 . 2008-08-20 01:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-08 22:22 . 2008-01-18 02:32 -------- d-----w c:\program files\ASUS
2009-04-02 02:10 . 2008-11-01 10:21 -------- d-----w c:\documents and settings\Scott\Application Data\gtk-2.0
2009-03-08 11:34 . 2006-06-23 19:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2003-03-31 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2003-03-31 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2003-03-31 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2003-03-31 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2003-03-31 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2003-03-31 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2003-03-31 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2003-03-31 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2003-03-31 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 23:29 . 2008-11-25 04:39 -------- d-----w c:\documents and settings\Scott\Application Data\Move Networks
2009-02-26 11:13 . 2008-01-25 20:47 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 12:10 . 2003-03-31 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2003-03-31 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-03-31 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2003-03-31 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2003-03-31 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2003-03-31 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-03-31 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 01:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2003-03-31 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-21 21:47 . 2008-01-18 02:39 444952 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-21 21:47 . 2008-01-18 02:39 109080 ----a-w c:\windows\system32\OpenAL32.dll
2009-01-21 21:35 . 2008-11-29 10:27 307181 ----a-w C:\CTSUFile.txt
2008-11-04 06:32 . 2008-09-03 02:55 27136 ----a-w c:\documents and settings\Scott\Application Data\GDIPFONTCACHEV1.DAT
2008-09-06 19:34 . 2008-01-18 02:30 27136 ----a-w c:\documents and settings\Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-03-31 23:49 . 2008-01-31 20:46 22328 ----a-w c:\documents and settings\Scott\Application Data\PnkBstrK.sys
2008-06-08 01:54 . 2008-06-08 01:54 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060720080608\index.dat
.

------- Sigcheck -------

[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2009-01-21 00:45 361344 8E036EEC565910417EA020CE0962AA24 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-01-21 00:45 361344 8E036EEC565910417EA020CE0962AA24 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"d:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Games\\Civilization 4\\Civilization4.exe"=
"d:\\Games\\Civilization 4\\Warlords\\Civ4Warlords.exe"=
"d:\\Games\\Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"d:\\Games\\Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\Games\\Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"d:\\Games\\Mythos\\bin\\Mythos.exe"=
"d:\\Games\\CoD4\\iw3mp.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"d:\\Games\\Steam\\steamapps\\bluesilverprod@yahoo.com\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"d:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"d:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Games\\World of Warcraft\\Repair.exe"=
"d:\\Games\\World of Warcraft\\Launcher.exe"=
"d:\\Games\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:peer Name Resolution Protocol (PNRP)
"9022:TCP"= 9022:TCP:*:Disabled:Virtual DJ
"9022:UDP"= 9022:UDP:*:Disabled:VirtualDJ 2
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-28 99352]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-28 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2008-06-28 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-28 100888]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-28 566296]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 uisp;Motorola USB ICP driver; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2008-06-28 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2008-06-28 555032]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2008-06-28 566296]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-515967899-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:da,11,59,44,56,d2,e7,c7,b3,d6,ca,e9,fc,ab,dc,05,a3,c6,07,c7,96,73,ac,
6b,6d,0b,74,f9,6f,02,61,f2,91,ef,25,67,d4,6a,b9,99,fe,83,b1,d4,a9,ac,a5,bd,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1417001333-515967899-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:23,dc,15,b6,b5,b0,62,19,4a,da,3a,e5,26,52,6c,41,ad,55,be,aa,77,
d9,19,2d,60,66,22,65,f9,20,dc,62,4a,10,42,15,48,4f,83,c0,b8,f4,99,11,11,07,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-04-21 13:52
ComboFix-quarantined-files.txt 2009-04-21 20:51

Pre-Run: 180,187,025,408 bytes free
Post-Run: 180,179,435,520 bytes free

253 --- E O F --- 2009-04-16 07:47