# Hijack this help please.



## mapollo

I installed some software (a game for my son) that was riddled with spyware/malware; Webhancer and dcads pop-ups, for two.

I ran Ad-Aware and shifted a fair bit of it, but I'm doubting that I got it all. _Edit: I'm still getting dcads pop-ups._

My HijackThis log is below. How's it looking???


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:11, on 12/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: dcads - {F173E53F-E042-49b6-BD46-983E93DA1B17} - C:\WINDOWS\system32\nse48.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe


----------



## ceewi1

1. Please download this file, *ComboFix*, to your desktop.
2. Double-click ComboFix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries (where still present):
*O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)*
*O2 - BHO: dcads - {F173E53F-E042-49b6-BD46-983E93DA1B17} - C:\WINDOWS\system32\nse48.dll*
Please close all open windows except for HijackThis and choose *Fix checked*.

Please reboot and post the ComboFix log and a new HijackThis log.


----------



## mapollo

*Thanks for your help*

The Combofix log is below.

ComboFix 07-12-12.3 - David 2007-12-13  7:45:34.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.643 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dudu
C:\Documents and Settings\All Users\Application Data\dudu\DDD\ddd.conf
C:\Documents and Settings\David\Local Settings\Application Data\baidu
C:\WINDOWS\system32\nse48.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\mmccrd


(((((((((((((((((((((((((   Files Created from 2007-11-13 to 2007-12-13  )))))))))))))))))))))))))))))))
.

2007-12-12 22:32 . 2007-12-12 22:32	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:24	<DIR>	d--------	C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54	244	--ah-----	C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54	232	--ah-----	C:\sqmdata04.sqm
2007-12-12 08:09 . 2007-12-12 08:25	80,118	--a------	C:\WINDOWS\system32\dcads-remove.exe
2007-12-12 08:09 . 2007-12-12 08:09	40,731	--a------	C:\WINDOWS\system32\superiorads-uninst.exe
2007-12-07 23:02 . 2007-12-07 23:02	396	--a------	C:\winrqyc.exe
2007-12-06 09:46 . 2007-12-06 09:46	<DIR>	d---s----	C:\Documents and Settings\LocalService\UserData
2007-12-05 18:48 . 2007-12-05 18:48	396	--a------	C:\sysoqng.exe
2007-12-01 14:43 . 2007-12-13 07:49	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32	<DIR>	d--------	C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14	81,920	--a------	C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30	<DIR>	d--------	C:\MAVS
2007-11-16 21:26 . 2005-10-21 01:47	30,592	---------	C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-16 21:26 . 2004-11-18 10:42	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2007-11-16 21:26 . 2005-10-21 01:47	12,800	---------	C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-14 23:43 . 2007-11-14 23:43	65,536	--a------	C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43	49,152	--a------	C:\WINDOWS\system32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 08:05	---------	d-----w	C:\Program Files\LimeWire
2007-12-10 19:11	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-08 21:12	---------	d-----w	C:\Program Files\BlackHole
2007-12-08 21:05	---------	d-----w	C:\Program Files\Safari
2007-12-08 21:01	---------	d-----w	C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49	---------	d-----w	C:\Program Files\Azureus
2007-12-03 12:49	---------	d-----w	C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 21:16	---------	d-----w	C:\Documents and Settings\David\Application Data\Canon
2007-12-01 14:42	---------	d-----w	C:\Program Files\iTunes
2007-12-01 14:35	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-20 20:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37	---------	d-----w	C:\Program Files\Java
2007-11-17 18:59	---------	d-----w	C:\Program Files\MP3 Audio Converter
2007-11-16 21:26	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07	---------	d-----w	C:\Program Files\mp3DirectCut
2007-11-04 19:57	---------	d-----w	C:\Program Files\Fast Color Codes
2007-11-03 13:49	---------	d-----w	C:\Program Files\Winamp
2007-11-02 23:27	---------	d-----w	C:\Program Files\NewsReactor
2007-10-18 15:34	---------	d-----w	C:\Documents and Settings\David\Application Data\ZoomBrowser EX
2007-09-28 07:03	2,750	----a-w	C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36	2,252	----a-w	C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32	9,876	-c--a-w	C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05	44,544	-c--a-w	C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41	40,484	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52	114	-c--a-w	C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53	28,936	-c--a-w	C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05	456,768	----a-w	C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29	33,743	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42	33,084	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58	35,232	----a-w	C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58	26,112	----a-w	C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-05-19 00:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\David\Start Menu\Programs\Startup\
DigiGuide Lite TV Guide.lnk - C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe [2006-11-15 12:50:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^超级播霸.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\超级播霸.lnk
backup=C:\WINDOWS\pss\超级播霸.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
			C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
			C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11	267048	--a------	C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	--a------	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
			C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16	196608	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	--a--c---	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
			SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
			C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
			C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S0 ecbgfeae;ecbgfeae;C:\WINDOWS\system32\drivers\ecbgfeae.sys
S0 gheihbii;gheihbii;C:\WINDOWS\system32\drivers\gheihbii.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-01 00:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 11:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 12:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 13:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 14:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 15:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 16:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 18:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-10-13 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At20.job"
"2007-12-11 20:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 21:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-12-01 00:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-10-13 00:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 01:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 02:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-07-26 03:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-07-26 04:00:00 C:\WINDOWS\Tasks\At30.job"
"2007-07-26 05:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-10-12 06:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 08:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 09:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 11:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 12:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 13:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 14:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 02:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 15:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 16:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 18:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 20:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 21:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-01 00:00:45 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-07-26 03:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 08:01:45 C:\WINDOWS\Tasks\At57.job"
"2007-12-12 09:00:45 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-07-26 04:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 11:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 12:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 13:01:53 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 14:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 15:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 16:00:00 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 17:00:45 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 18:00:45 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 19:00:45 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 20:00:45 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-07-26 05:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 21:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At71.job"
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-12 06:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 08:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\ps4EA08o.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 07:49:54
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-13  7:50:39 - machine was rebooted
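
Added example (mine, not code from the thread, from HijackThis or from ComboFix): a small Python triage script run over excerpts of the logs above. It flags the kinds of entries the helpers act on: O2 BHOs with no file or with a DLL sitting directly in system32, the At*.job tasks that all point at the same oddly named executable in system32, and boot-start drivers with bare eight-letter names. The system32 and eight-letter rules are heuristics I chose for these logs, and the reading of ComboFix's R/S-plus-digit driver prefix is an assumption.

```python
"""Triage helpers for the HijackThis and ComboFix log formats seen in this thread."""
import re
from collections import defaultdict

# Constructed sample: entry lines excerpted from the HijackThis log posted above.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: dcads - {F173E53F-E042-49b6-BD46-983E93DA1B17} - C:\WINDOWS\system32\nse48.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""
# Constructed samples: excerpts of the ComboFix 'Scheduled Tasks' and driver sections above.
CF_TASKS_SAMPLE = r"""
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-01 00:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At20.job"
"2007-12-01 00:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\y206v7ox.exe
"""
CF_DRIVERS_SAMPLE = r"""
R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S0 ecbgfeae;ecbgfeae;C:\WINDOWS\system32\drivers\ecbgfeae.sys
S0 gheihbii;gheihbii;C:\WINDOWS\system32\drivers\gheihbii.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SYSTEM32 = re.compile(r"(?i)^c:\\windows\\system32\\")
JOB_RE = re.compile(r'^"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<job>.+\.job)"$')
TARGET_RE = re.compile(r"^- (?P<target>.+)$")
# Assumed ComboFix convention: R/S = running/stopped, digit = Windows start type (0 = boot).
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+)$")


def parse_hjt(text):
    """Return (section, body) for every HijackThis entry line (R0, O2, O4, ...)."""
    matches = (HJT_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group("sec"), m.group("body")) for m in matches if m]


def flag_bhos(entries):
    """Flag O2 BHOs with no DLL on disk, or a DLL sitting directly in system32 (legitimate
    BHOs normally live under Program Files; that rule is my heuristic, not HijackThis's)."""
    findings = []
    for sec, body in entries:
        m = BHO_RE.match(body) if sec == "O2" else None
        if m and m.group("path") == "(no file)":
            findings.append((m.group("clsid"), "orphaned registration, DLL missing"))
        elif m and SYSTEM32.match(m.group("path")) and m.group("path").lower().endswith(".dll"):
            findings.append((m.group("clsid"), "BHO loads from " + m.group("path")))
    return findings


def parse_combofix_tasks(text):
    """Map each .job file name to its target; jobs ComboFix listed without one map to None."""
    jobs, current = {}, None
    for line in text.splitlines():
        jm, tm = JOB_RE.match(line.strip()), TARGET_RE.match(line.strip())
        if jm:
            current = jm.group("job").rsplit("\\", 1)[-1]   # keep just AtN.job
            jobs[current] = None
        elif tm and current is not None:
            jobs[current] = tm.group("target")
            current = None
    return jobs


def flag_tasks(jobs):
    """Group At*.job tasks by target; flag any system32 executable hit by two or more."""
    by_target = defaultdict(list)
    for job, target in jobs.items():
        if target and re.match(r"(?i)^at\d+\.job$", job):
            by_target[target].append(job)
    return [(t, sorted(n)) for t, n in sorted(by_target.items())
            if len(n) >= 2 and SYSTEM32.match(t)]


def flag_boot_drivers(text):
    """Flag boot-start (start type 0) drivers named with a bare run of eight lowercase
    letters; the eight-letter rule is a heuristic fitted to the names in this log."""
    matches = (DRIVER_RE.match(line.strip()) for line in text.splitlines())
    return [m.group("path") for m in matches
            if m and m.group("state")[1] == "0" and re.fullmatch(r"[a-z]{8}", m.group("svc"))]


if __name__ == "__main__":
    print(flag_bhos(parse_hjt(HJT_SAMPLE)))
    print(flag_tasks(parse_combofix_tasks(CF_TASKS_SAMPLE)))
    print(flag_boot_drivers(CF_DRIVERS_SAMPLE))
```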


----------



## mapollo

*hijack this bit*

The two O2 entries you asked me to delete were removed by ComboFix, I think.

Here is the latest HijackThis logfile. Thanks for your help, btw.

Scan saved at 07:54:25, on 13/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7509 bytes


----------



## Buzz1927

Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

File::
C:\WINDOWS\system32\drivers\ecbgfeae.sys
C:\WINDOWS\system32\drivers\ecbg feae.sys
C:\WINDOWS\system32\drivers\gheihbii.sys
C:\WINDOWS\system32\drivers\ghei hbii.sys
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\winrqyc.exe
C:\sysoqng.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Driver::
ecbgfeae
gheihbii


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.


----------



## mapollo

*Thanks Buzz*

Buzz. Since I posted this I've picked up the lop virus. Does that change things? I've googled a bit and haven't got the first clue of how to remove it.

Anyway the logs are as shown below. Thanks for your help btw.

Combofix log first....

ComboFix 07-12-12.3 - David 2007-12-15  8:59:28.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.582 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\sysoqng.exe
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\drivers\ecbg feae.sys
C:\WINDOWS\system32\drivers\ecbgfeae.sys
C:\WINDOWS\system32\drivers\ghei hbii.sys
C:\WINDOWS\system32\drivers\gheihbii.sys
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\winrqyc.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtutsp.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\byxyyvw.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\hgggebx.dll
C:\WINDOWS\system32\khfdcaa.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\ssqrppo.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tuvspno.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ecbgfeae
-------\gheihbii


(((((((((((((((((((((((((   Files Created from 2007-11-15 to 2007-12-15  )))))))))))))))))))))))))))))))
.

2007-12-14 23:15 . 2007-12-14 23:40	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--hs----	C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--------	C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	dr-------	C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-13 19:23 . 2007-12-14 14:37	39,936	--a------	C:\WINDOWS\mrofinu572.exe.tmp
2007-12-13 19:22 . 2007-12-13 19:22	<DIR>	d--------	C:\WINDOWS\system32\zfd1
2007-12-13 19:22 . 2007-12-13 19:22	<DIR>	d--------	C:\WINDOWS\system32\yb2
2007-12-13 19:22 . 2007-12-13 19:22	<DIR>	d--------	C:\WINDOWS\system32\qui4
2007-12-13 19:22 . 2007-12-13 19:22	<DIR>	d--------	C:\WINDOWS\system32\ineWc01
2007-12-12 22:32 . 2007-12-12 22:32	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-14 23:44	<DIR>	d--------	C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54	244	--ah-----	C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54	232	--ah-----	C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46	<DIR>	d---s----	C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-15 09:04	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32	<DIR>	d--------	C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14	81,920	--a------	C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30	<DIR>	d--------	C:\MAVS
2007-11-16 21:26 . 2005-10-21 01:47	30,592	---------	C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-16 21:26 . 2004-11-18 10:42	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2007-11-16 21:26 . 2005-10-21 01:47	12,800	---------	C:\WINDOWS\system32\drivers\usb8023x.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 08:05	---------	d-----w	C:\Program Files\LimeWire
2007-12-10 19:11	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-08 21:12	---------	d-----w	C:\Program Files\BlackHole
2007-12-08 21:05	---------	d-----w	C:\Program Files\Safari
2007-12-08 21:01	---------	d-----w	C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49	---------	d-----w	C:\Program Files\Azureus
2007-12-03 12:49	---------	d-----w	C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 21:16	---------	d-----w	C:\Documents and Settings\David\Application Data\Canon
2007-12-01 14:42	---------	d-----w	C:\Program Files\iTunes
2007-12-01 14:35	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-20 20:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37	---------	d-----w	C:\Program Files\Java
2007-11-17 18:59	---------	d-----w	C:\Program Files\MP3 Audio Converter
2007-11-16 21:26	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07	---------	d-----w	C:\Program Files\mp3DirectCut
2007-11-04 19:57	---------	d-----w	C:\Program Files\Fast Color Codes
2007-11-03 13:49	---------	d-----w	C:\Program Files\Winamp
2007-11-02 23:27	---------	d-----w	C:\Program Files\NewsReactor
2007-10-18 15:34	---------	d-----w	C:\Documents and Settings\David\Application Data\ZoomBrowser EX
2007-09-28 07:03	2,750	----a-w	C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36	2,252	----a-w	C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32	9,876	-c--a-w	C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05	44,544	-c--a-w	C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41	40,484	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52	114	-c--a-w	C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53	28,936	-c--a-w	C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05	456,768	----a-w	C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29	33,743	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42	33,084	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58	35,232	----a-w	C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58	26,112	----a-w	C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-13_ 7.50.20.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-11-02 13:41:52	516,832	----a-w	C:\WINDOWS\system32\capicom.dll
+ 2007-12-12 11:50:02	32,768	----a-w	C:\WINDOWS\system32\ineWc01\ineWc011065.exe
+ 2007-08-03 01:44:02	169,147	----a-w	C:\WINDOWS\system32\qui4\qopre83122.exe
+ 2004-05-18 17:19:08	17,129	----a-w	C:\WINDOWS\system32\tcpdiss.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24171E23-9AE7-4D11-B486-888B2D8448F7}]
			C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-05-19 00:29]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\David\Start Menu\Programs\Startup\
DigiGuide Lite TV Guide.lnk - C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe [2006-11-15 12:50:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
			C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
			C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11	267048	--a------	C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	--a------	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
			C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16	196608	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	--a--c---	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
			SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
			C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
			C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 09:04:38
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-15  9:05:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-13 07:50


----------



## mapollo

Now Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:07:46, on 15/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24171E23-9AE7-4D11-B486-888B2D8448F7} - C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 8110 bytes


----------



## ceewi1

I don't see any signs of LOP in your log; I suspect it's been removed by one of your security programs.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entry:
*O2 - BHO: (no name) - {24171E23-9AE7-4D11-B486-888B2D8448F7} - C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)*
Please close all open windows except for HijackThis and choose *Fix checked*

Please delete the following file:
*C:\WINDOWS\mrofinu572.exe.tmp*

Please delete the following folders:
*C:\WINDOWS\system32\zfd1
C:\WINDOWS\system32\yb2
C:\WINDOWS\system32\qui4
C:\WINDOWS\system32\ineWc01*

Please reboot and post a new HijackThis log.

I'd also like to see the results of an online scan.  Please run a complete scan at http://support.f-secure.com/enu/home/ols.shtml and post the results.

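As an added example (not part of the thread and not HijackThis's own code), here is a small Python triage script that parses the O2/O16/O23 line formats seen in the logs above and flags the same kinds of entries the helpers singled out: a BHO whose DLL is missing, the concatenated `...hokesotC:\WINDOWS\...` path in the {24171E23-...} entry, an ActiveX download (DPF) entry with no class name, and services with an unknown owner. The sample lines are constructed from the shapes in this thread; the flagging rules are this example's own heuristics, not HijackThis rules.

```python
"""Triage HijackThis (HJT) log lines for entries a helper would look at first.

Added example, not code from the thread or from HijackThis. The rules below are
heuristics chosen for illustration, not an official HJT rule set.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines shaped like the ones posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24171E23-9AE7-4D11-B486-888B2D8448F7} - C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section tag such as O2, O4, O16, O23, R0, R1.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <path>[ (file missing)]"
BHO_RE = re.compile(r"^BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# A path containing a second drive-letter root, e.g. "...\hokesotC:\WINDOWS\..."
DOUBLE_ROOT_RE = re.compile(r"[A-Za-z]:\\.*?[A-Za-z]:\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HJT log line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings: list[Finding] = []

    def flag(reason: str) -> None:
        findings.append(Finding(section, reason, line))

    if section == "O2":
        bho = BHO_RE.match(body)
        if bho:
            if bho.group("name") == "(no name)":
                flag("BHO with no registered name")
            if bho.group("path").endswith("(file missing)"):
                flag("BHO registered but its DLL is missing")
            if DOUBLE_ROOT_RE.search(bho.group("path")):
                flag("BHO path contains two drive roots (corrupted/concatenated path)")
    elif section == "O16":
        # O16 body: "DPF: {CLSID} [(class name)] - <url>"
        head, _, _url = body[len("DPF: "):].partition(" - ")
        if not head.endswith(")"):
            flag("ActiveX download entry with no class name (control not installed?)")
    elif section == "O23":
        # O23 body: "Service: <display name> - <owner> - <path>"; split from the
        # right so a display name containing " - " is not mis-parsed.
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            flag("service binary without publisher information; verify the file")
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of an HJT log and collect findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```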

----------



## mapollo

*New hijack this log*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56:44, on 16/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7947 bytes


----------



## mapollo

Scanning Report
Sunday, December 16, 2007 10:04:14 - 10:45:30
Computer name: HOMEPC 
Scanning type: Scan system for viruses, rootkits, spyware 
Target: C:\ D:\ E:\ 


--------------------------------------------------------------------------------

Result: 21 malware found
DLoader.EGIN (virus) 
C:\RECYCLER\S-1-5-21-1644491937-220523388-725345543-1003\DC4\QOPRE83122.EXE (Submitted) 
HTML/Exploit!IFrame.G (virus) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DW9AGI0E\B9[2].HTM (Submitted) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XY7CLY7\A[1].HTM (Submitted) 
HTML/IFrame (virus) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XY7CLY7\A1[1].HTM (Submitted) 
Tracking Cookie (spyware) 
System (Disinfected) 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
W32/Malware (virus) 
C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE (Submitted) 

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 39818 
System: 4793 
Not scanned: 3 
Actions:
Disinfected: 1 
Renamed: 0 
Deleted: 0 
None: 20 
Submitted: 5 
Files not scanned:
C:\PAGEFILE.SYS 
C:\WINDOWS\SYSTEM32\TCPDISS.EXE 
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT


----------



## mapollo

I did a reboot and then did another virus scan. It didn't get everything. The new report from the second virus scan is below.

Scanning Report
Sunday, December 16, 2007 11:13:25 - 11:54:41
Computer name: HOMEPC 
Scanning type: Scan system for viruses, rootkits, spyware 
Target: C:\ D:\ E:\ 


--------------------------------------------------------------------------------

Result: 9 malware found
DLoader.EGIN (virus) 
C:\RECYCLER\S-1-5-21-1644491937-220523388-725345543-1003\DC4\QOPRE83122.EXE (Submitted) 
HTML/Exploit!IFrame.G (virus) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DW9AGI0E\B9[2].HTM (Submitted) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CMWO7QLP\A[2].HTM (Submitted) 
HTML/IFrame (virus) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XY7CLY7\A1[1].HTM (Submitted) 
JS/IFrame (virus) 
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\83C7MB63\ADCPM1[1].HTM (Submitted) 
Tracking Cookie (spyware) 
System (Disinfected) 
System 
System 
W32/Malware (virus) 
C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE (Submitted) 

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 40007 
System: 4794 
Not scanned: 3 
Actions:
Disinfected: 1 
Renamed: 0 
Deleted: 0 
None: 8 
Submitted: 6 
Files not scanned:
C:\PAGEFILE.SYS 
C:\WINDOWS\SYSTEM32\TCPDISS.EXE 
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT 

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-14 
F-Secure AVP: 7.0.171, 2007-12-14 
F-Secure Orion: 1.2.37, 2007-12-14 
F-Secure Blacklight: 1.0.64 
F-Secure Draco: 1.0.35, 2007-11-28 
F-Secure Pegasus: 1.19.0, 2007-11-10 
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX 
Use Advanced heuristics


----------



## ceewi1

That's not actually too bad, most of those files are temporary files, and I'd like more information about that last one before doing anything with it.  Let's remove the temporary files, and check that last one more thoroughly.

Please download *ATF Cleaner* by Atribune.

You may wish to print these instructions, or copy them to a Notepad document, as you will be unable to access the Internet while in Safe Mode to read from this site.

Please reboot into Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).

Please run ATF Cleaner:

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please reboot into normal Windows.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

*C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE*

Then click Submit.  Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://www.virustotal.com/


----------



## mapollo

I can't get into Safe Mode by tapping F8. It looks like my USB keyboard doesn't get power until Windows is loaded.

Would this work? If I go into msconfig and, on the BOOT/INI tab, check SAFEBOOT / minimal, then reboot.

I'm guessing I would have access to msconfig in Safe Mode to change it back.

Please advise....


----------



## ceewi1

Yes, that will work to get into Safe Mode, and yes, you are correct that you will need to change it back to get back to Normal Mode.


----------



## mapollo

Thanks for your help.

Temporary Internet files deleted by using ATF cleaner.

DIGIGUIDELITEUPGRADER.EXE file uploaded to  http://virusscan.jotti.org 

Results as follows...

Scan taken on 17 Dec 2007 12:04:01 (GMT)  
A-Squared  Found nothing 
AntiVir  Found nothing 
ArcaVir  Found nothing 
Avast  Found nothing 
AVG Antivirus  Found nothing 
BitDefender  Found nothing 
ClamAV  Found nothing 
CPsecure  Found nothing 
Dr.Web  Found nothing 
F-Prot Antivirus  Found nothing 
F-Secure Anti-Virus  Found nothing 
Fortinet  Found nothing 
Ikarus  Found nothing 
Kaspersky Anti-Virus  Found nothing 
NOD32  Found nothing 
Norman Virus Control  Found Sandbox: W32/Malware; [ General information ]

* Display message box (DigiGuide Lite) : Unable to restart program because: (0) ??, ??, .
* File length: 241664 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\DigiGuideLiteUpgrade.log.
* Deletes file lowcase.eml.
* Deletes file TEST.EML.
* Deletes file TEST.HTM.
* Deletes file lowcase.htm.
* Deletes file VBRULES.TXT.
* Deletes file GUNNAR.EXE.
* Deletes existing software modules.
* Deletes file WRITE.EXE.
* Deletes file RUNDLL32.EXE.
* Deletes file TEST.RAR.
* Deletes file WIN.INI.
* Deletes file WIN.COM.
* Deletes file SYSTEM.DAT.
* Deletes file USER.DAT.
* Deletes file CLASSES.DAT.
* Deletes file HOSTS.
* Deletes file EXPLORER.EXE.
* Deletes file NTOSKRNL.EXE.
* Deletes file ICMP.DLL.
* Deletes file DIGIGU~1.LOG.  
Panda Antivirus  Found nothing 
Rising Antivirus  Found nothing 
Sophos Antivirus  Found nothing 
VirusBuster  Found nothing 
VBA32  Found nothing


----------



## jimkonow

uhm...don't delete those files. For the love of god, please tell me you did not delete those files!!!!!


----------



## mapollo

I didn't delete those files. 

It's just a copy and paste of the results from http://virusscan.jotti.org.

Chill


----------



## jimkonow

/stop perspiration.

good...so, what is it you need direction with?


----------



## mapollo

The following file showed up as a virus in an earlier scan.

W32/Malware (virus) 
C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE (Submitted)

ceewi1 wanted to know more about that file before doing anything with it. Hence the http://virusscan.jotti.org scan. I just uploaded the DIGIGUIDELITEUPGRADER.EXE file to the jotti site and scanned it. The results are as above. It looks like just one Anti-Virus prog had a problem with it.


----------



## jimkonow

hmm...do you use a program relevant to that, or have a TV tuner hooked up to the PC? If not, I know a certain file that's gonna be deleted


----------



## ceewi1

I'd say that's a false positive, everything I can find on that program indicates it is legitimate.  If you use Digiguide Lite TV Guide, I'd say it's safe to keep it.


----------



## mapollo

*I'm still having problems*

Thanks in advance for your patience.

Today I'm still having problems. I thought we had sorted it.
It's a good job it's only spyware/virus and not a matter of life or death.

OK. AVG is reporting lots of threats today, about a dozen. One example is wavvsnet.exe Trojan Horse SHeur.AHDR. I'm healing these as they show but they come back later.

I also noticed in Add/Remove Programs something called "outerinfo". I try to delete it and it tells me I don't have the right permissions to delete it, and then it hides and comes back later.

Latest HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:52, on 18/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7880 bytes


----------



## GameMaster

Ceewi mentioned something as he won't come here today anymore, so I'll just try to help.
If that programme you saw in Add or Remove Programs is a Trojan, of course you will not be able to remove it.
But you can do it using CCleaner or other uninstalling software. It's possible that all of the Trojans are placed there, so my advice is that you get CCleaner
http://www.filehippo.com/download/91d3b585c87e9a61236a9f922b94aadb/download/
and use Tools, choose a file and uninstall.
Otherwise, I don't know whether you tried SDFix http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
If not, download and save to desktop, run in Safe Mode.


----------



## ceewi1

Given that Outerinfo hasn't shown up in any of your logfiles so far, it's likely that the program has been removed, and we can just take out the entry in Add or Remove programs.  Let's make sure of that first, though.  I can also see that one of the folders we removed has reappeared, so we'll need to take care of that one as well.

Please delete your current version of ComboFix and download the new one: *Combofix* to your desktop.  Double click ComboFix.exe & follow the prompts.  When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

I'd also like to see the results of another online scan.

Please use the *Internet Explorer* browser (or FireFox with IETab), and do an online scan with *Kaspersky Online Scanner*

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add Or Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(*Note* for Internet Explorer 7 users: If at any time you have trouble with the *Accept* button of the license, click on the *Zoom* tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on *Next*
Click on *Scan Settings* and configure as follows:
Scan using the following Anti-Virus database: *Extended*
Scan Options: *Scan Archives*, *Scan Mail Bases*
Click *OK* and, under select a target to scan, select *My Computer*
When the scan is done, in the _Scan is completed_ window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: *Save Report As*
Next, in the _Save as_ prompt, _Save in_ area, select: *Desktop*
In the _File name_ area, use KScan, or something similar
In _Save as type_, click the drop arrow and select: *Text file [*.txt]*
Then, click: *Save*
Please post the *Kaspersky Online Scanner Report* in your reply along with the ComboFix log.


----------



## mapollo

So first I took out the "outerinfo" entry in Add/Remove Programs using CCleaner. I use that program often but didn't realise it can be used to remove programs. I do now.

Then I ran the new copy of ComboFix. Log is below. I lost my internet after the restart, but typing netsh winsock reset into the cmd prompt worked. I encountered that LSP problem last week so I knew how to fix it.

Combofix log

ComboFix 07-12-19.3 - David 2007-12-19  8:02:58.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.587 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\pac.txt

.
(((((((((((((((((((((((((   Files Created from 2007-11-19 to 2007-12-19  )))))))))))))))))))))))))))))))
.

2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-18 18:30 . 2007-12-18 18:30	<DIR>	d--------	C:\Temp\tpBe12
2007-12-18 18:30 . 2007-12-19 08:05	<DIR>	d--------	C:\Temp
2007-12-17 19:22 . 2007-12-18 18:32	<DIR>	d--------	C:\WINDOWS\system32\zfd1
2007-12-17 19:22 . 2007-12-18 18:32	<DIR>	d--------	C:\WINDOWS\system32\yb2
2007-12-17 19:22 . 2007-12-17 19:22	<DIR>	d--------	C:\WINDOWS\system32\qui4
2007-12-17 19:22 . 2007-12-17 19:22	<DIR>	d--------	C:\WINDOWS\system32\ineWc01
2007-12-15 19:19 . 2007-12-17 16:29	<DIR>	d--------	C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--hs----	C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--------	C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	dr-------	C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-12 22:32 . 2007-12-12 22:32	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01	<DIR>	d--------	C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54	244	--ah-----	C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54	232	--ah-----	C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46	<DIR>	d---s----	C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-19 07:44	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32	<DIR>	d--------	C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14	81,920	--a------	C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30	<DIR>	d--------	C:\MAVS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42	---------	d-----w	C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59	---------	d-----w	C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05	---------	d-----w	C:\Program Files\LimeWire
2007-12-10 19:11	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-08 21:12	---------	d-----w	C:\Program Files\BlackHole
2007-12-08 21:05	---------	d-----w	C:\Program Files\Safari
2007-12-08 21:01	---------	d-----w	C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49	---------	d-----w	C:\Program Files\Azureus
2007-12-03 12:49	---------	d-----w	C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42	---------	d-----w	C:\Program Files\iTunes
2007-12-01 14:35	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-20 20:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37	---------	d-----w	C:\Program Files\Java
2007-11-17 18:59	---------	d-----w	C:\Program Files\MP3 Audio Converter
2007-11-16 21:26	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07	---------	d-----w	C:\Program Files\mp3DirectCut
2007-11-04 19:57	---------	d-----w	C:\Program Files\Fast Color Codes
2007-11-03 13:49	---------	d-----w	C:\Program Files\Winamp
2007-11-02 23:27	---------	d-----w	C:\Program Files\NewsReactor
2007-10-17 17:23	10,752	----a-w	C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03	2,750	----a-w	C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36	2,252	----a-w	C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32	9,876	-c--a-w	C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05	44,544	-c--a-w	C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41	40,484	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52	114	-c--a-w	C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53	28,936	-c--a-w	C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05	456,768	----a-w	C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29	33,743	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42	33,084	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58	35,232	----a-w	C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58	26,112	----a-w	C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-13_ 7.50.20.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46	500,120	----a-w	C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00	192,920	----a-w	C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24	254,360	----a-w	C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52	516,832	----a-w	C:\WINDOWS\system32\capicom.dll
+ 2007-12-12 11:50:02	32,768	----a-w	C:\WINDOWS\system32\ineWc01\ineWc011065.exe
+ 2007-08-03 01:44:02	169,147	----a-w	C:\WINDOWS\system32\qui4\qopre83122.exe
- 2007-07-22 18:39:27	279,552	----a-w	C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50	156,160	----a-w	C:\WINDOWS\system32\swreg.exe
+ 2004-05-18 17:19:08	17,129	----a-w	C:\WINDOWS\system32\tcpdiss.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
			C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
			C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11	267048	--a------	C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	--a------	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
			C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16	196608	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	--a--c---	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
			SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
			C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
			C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 08:05:11
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-19  8:05:35


----------



## mapollo

*and the Kaspersky online scanner log*

I'm in London until Thursday afternoon UK time. I'll pick up your reply/advice then.

Here's the Kaspersky log

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Wednesday, December 19, 2007 10:05:26 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2135 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 19/12/2007
 Kaspersky Anti-Virus database records: 487478
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	E:\
	F:\
	G:\

Scan Statistics:
	Total number of scanned objects: 94306
	Number of viruses found: 8
	Number of infected objects: 31
	Number of suspicious objects: 0
	Duration of the scan process: 00:51:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\David\Application Data\$_hpcst$.hpc	Object is locked	skipped
C:\Documents and Settings\David\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\barra58@hotmail.com\SharingMetadata\Logs\Dfsr00005.log	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\barra58@hotmail.com\SharingMetadata\pending.dat	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\barra58@hotmail.com\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\dfsr.db	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\barra58@hotmail.com\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\fsr.log	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\barra58@hotmail.com\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\fsrtmp.log	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\barra58@hotmail.com\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\tmp.edb	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Live Contacts\barra58@hotmail.com\real\members.stg	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012007121920071220\index.dat	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Temp\WCESLog.log	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Temp\~DF1856.tmp	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Temp\~DF9580.tmp	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Temp\~DF958B.tmp	Object is locked	skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\David\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\David\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe/data0009/stream/data0004	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe/data0009/stream	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe/data0009	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe	NSIS: infected - 3	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe/data0009/stream/data0004	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe/data0009/stream	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe/data0009	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe	Infected: not-a-virus:AdWare.Win32.TrafficSol.o	skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip	ZIP: infected - 4	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP3\A0001126.exe	Infected: Trojan-Downloader.Win32.Agent.gat	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP3\A0001127.exe	Infected: Trojan-Downloader.Win32.Agent.gat	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001204.exe	Infected: Trojan-Downloader.Win32.Agent.gat	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001206.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.byj	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001208.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.byj	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001212.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.byj	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001216.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.byj	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001218.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.byj	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001219.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.bxe	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001224.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.byj	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001318.exe/data0002	Infected: not-a-virus:AdWare.Win32.TTC.a	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001318.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP5\A0001473.dll	Infected: not-a-virus:AdWare.Win32.TTC.a	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP5\A0001474.exe	Infected: Trojan-Downloader.Win32.Small.gzs	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP5\A0001475.exe	Infected: Trojan-Downloader.Win32.Small.buy	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP6\A0001485.exe/data0002	Infected: not-a-virus:AdWare.Win32.TTC.a	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP6\A0001485.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP7\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\qui4\qopre83122.exe/data0002	Infected: not-a-virus:AdWare.Win32.TTC.a	skipped
C:\WINDOWS\system32\qui4\qopre83122.exe	NSIS: infected - 1	skipped
C:\WINDOWS\system32\tcpdiss.exe	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\today.exe/csrss.exe	Infected: not-a-virus:AdWare.Win32.Dm.ab	skipped
C:\WINDOWS\today.exe/RRToday.dll	Infected: not-a-virus:AdWare.Win32.Dm.ab	skipped
C:\WINDOWS\today.exe	ZIP: infected - 2	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.

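The report above mixes three kinds of line that are easy to conflate when reading it by eye: "Object is locked" entries are files the scanner could not open (they carry no verdict either way), entries under System Volume Information are restore-point copies rather than live files, and names containing "/" are members inside an archive or installer, so one bad download shows up several times. The Python below is an added example, not part of mapollo's post and not Kaspersky's tooling; it parses a constructed excerpt in the report's tab-separated format and groups each detection by the on-disk file that actually carries it, separating live files from restore-point copies and from locked-file noise.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the same tab-separated layout as the report above
# (object name, verdict, last action). Paths are the ones the thread shows.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\David\\NTUSER.DAT\tObject is locked\tskipped
C:\\Documents and Settings\\David\\Shared\\[Full] paint picture windows with Bonus\\setup.exe/data0009/stream/data0004\tInfected: not-a-virus:AdWare.Win32.TrafficSol.o\tskipped
C:\\Documents and Settings\\David\\Shared\\[Full] paint picture windows with Bonus\\setup.exe\tNSIS: infected - 3\tskipped
C:\\System Volume Information\\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\\RP4\\A0001204.exe\tInfected: Trojan-Downloader.Win32.Agent.gat\tskipped
C:\\System Volume Information\\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\\RP4\\A0001206.dll\tInfected: not-a-virus:AdWare.Win32.Virtumonde.byj\tskipped
C:\\WINDOWS\\system32\\qui4\\qopre83122.exe/data0002\tInfected: not-a-virus:AdWare.Win32.TTC.a\tskipped
C:\\WINDOWS\\system32\\qui4\\qopre83122.exe\tNSIS: infected - 1\tskipped
C:\\WINDOWS\\system32\\tcpdiss.exe\tObject is locked\tskipped
C:\\WINDOWS\\today.exe/csrss.exe\tInfected: not-a-virus:AdWare.Win32.Dm.ab\tskipped
C:\\WINDOWS\\today.exe\tZIP: infected - 2\tskipped
Scan process completed.
"""

DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
RESTORE_POINT = re.compile(r"^[a-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)
# "NSIS: infected - 3", "ZIP: infected - 2": a container's member count, not a malware name.
CONTAINER_SUMMARY = re.compile(r"^[A-Za-z0-9]+: infected - \d+$")


def parse_report(text):
    """Return (path, verdict, action) tuples for object lines; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not DRIVE_PATH.match(fields[0]):
            continue
        rows.append(tuple(f.strip() for f in fields))
    return rows


def container_of(path):
    """Collapse a nested member (shown after '/') to the file that exists on disk."""
    return path.split("/", 1)[0]


def triage(rows):
    """Split rows into locked paths, restore-point detections and live detections.

    The two detection maps are keyed by on-disk file and hold the set of
    detection names reported for that file or any member inside it.
    """
    locked, restore, live = [], OrderedDict(), OrderedDict()
    for path, verdict, _action in rows:
        if verdict == "Object is locked":
            locked.append(path)
            continue
        bucket = restore if RESTORE_POINT.match(path) else live
        names = bucket.setdefault(container_of(path), set())
        if not CONTAINER_SUMMARY.match(verdict):
            prefix = "Infected: "
            names.add(verdict[len(prefix):] if verdict.startswith(prefix) else verdict)
    return locked, restore, live


def removal_list(live):
    """Distinct on-disk files with a live detection, in report order."""
    return list(live.keys())


if __name__ == "__main__":
    locked, restore, live = triage(parse_report(SAMPLE_REPORT))
    print("Live files to deal with:")
    for path in removal_list(live):
        print(f"  {path}  <- {', '.join(sorted(live[path]))}")
    print(f"Restore-point copies: {len(restore)} (cleared by flushing System Restore, not by deleting in place)")
    print(f"Locked, unscanned: {len(locked)}")
```

Two cautions when using output like this on the thread's machine. A locked file is unscanned, not clean: C:\WINDOWS\system32\tcpdiss.exe is locked here and is also the target of the Active Setup entry in the ComboFix log, so it needs a separate look rather than being dismissed. And the restore-point copies cannot be cleaned where they sit; they go away when System Restore is purged, which is why the live list and the restore list are kept apart.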

----------



## ceewi1

OK, no rush on my part 

Please *download* the *OTMoveIt by OldTimer*.

 *Save* it to your *desktop*.
 Please double-click *OTMoveIt.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\qui4
C:\WINDOWS\today.exe
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip
C:\Temp
C:\WINDOWS\system32\zfd1
C:\WINDOWS\system32\yb2
C:\WINDOWS\system32\ineWc01


 Return to OTMoveIt, right click on the *Paste List of Files/Folders to be moved* window and choose *Paste*.
Click the red *Moveit!* button.
*Copy everything on the Results window to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it on your next reply along with a new ComboFix log.
Close *OTMoveIt*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

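OTMoveIt's job in the step above is to relocate a fixed list of paths, report a result per item, and defer anything still in use until reboot instead of failing silently. The script below is an added example in Python, not OTMoveIt and not something ceewi1 posted; it performs the same kind of move into a quarantine folder that preserves the original path layout (so an item can be put back if it turns out to be wanted), hashes every file before moving it so the manifest records exactly what was taken, and reports in-use items for a retry after restart rather than deleting anything. The directory tree built in demo() is constructed for illustration and stands in for the thread's move list.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large installers do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(targets, quarantine_root):
    """Move each target under quarantine_root, mirroring its original path.

    Returns (results, manifest): one OTMoveIt-style result line per target, and
    a manifest listing original location, quarantined location and per-file hashes.
    """
    root = Path(quarantine_root)
    root.mkdir(parents=True, exist_ok=True)
    results, manifest = [], []
    for raw in targets:
        src = Path(raw).resolve()
        if not src.exists():
            results.append(f"{raw} not found.")
            continue
        # Hash before moving so the manifest describes the item even if the move fails.
        files = [src] if src.is_file() else [p for p in src.rglob("*") if p.is_file()]
        hashes = {str(p): sha256_of(p) for p in files}
        dest = root / src.relative_to(src.anchor)
        if dest.exists():
            dest = dest.with_name(f"{dest.name}.{int(time.time())}")
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(src), str(dest))
        except OSError as exc:
            # Typical for a file held open by a running process. OTMoveIt completes such
            # moves on reboot; here the item is reported so it can be retried after a restart.
            results.append(f"{raw} could not be moved ({exc.strerror or exc}); reboot and retry.")
            continue
        manifest.append({"original": str(src), "quarantined": str(dest), "sha256": hashes})
        results.append(f"{raw} moved successfully.")
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return results, manifest


def verify_manifest(manifest):
    """True if every quarantined file still matches the hash taken before it was moved."""
    for entry in manifest:
        for original, digest in entry["sha256"].items():
            moved = Path(entry["quarantined"]) / Path(original).relative_to(entry["original"])
            if not moved.is_file() or sha256_of(moved) != digest:
                return False
    return True


def demo():
    """Constructed stand-in for the thread's move list: a throwaway tree in a temp directory."""
    base = Path(tempfile.mkdtemp(prefix="otmove-demo-"))
    folder = base / "WINDOWS" / "system32" / "qui4"
    folder.mkdir(parents=True)
    (folder / "qopre83122.exe").write_bytes(b"NSIS\x00constructed sample, not a real binary")
    (base / "WINDOWS" / "today.exe").write_bytes(b"PK\x03\x04constructed sample, not a real archive")
    targets = [
        str(folder),
        str(base / "WINDOWS" / "today.exe"),
        str(base / "WINDOWS" / "system32" / "ineWc01"),  # deliberately absent, like an already-removed item
    ]
    return quarantine(targets, base / "_Quarantine" / time.strftime("%Y%m%d-%H%M%S"))


if __name__ == "__main__":
    results, manifest = demo()
    print("\n".join(results))
    print("manifest verified:", verify_manifest(manifest))
```

Moving rather than deleting is the point: the hashes in the manifest let the quarantined items be identified later or submitted for analysis, and the mirrored layout makes a mistaken move reversible. On a live infection the quarantine folder should sit on a drive the malware's own persistence entries do not reference, and the listed registry loading points still need their own cleanup, since moving a file does not remove the Run or Active Setup entry that points at it.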

----------



## mapollo

OTMoveIt results...


C:\WINDOWS\system32\qui4 moved successfully.
C:\WINDOWS\today.exe moved successfully.
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus moved successfully.
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip moved successfully.
C:\Temp\tpBe12 moved successfully.
C:\Temp moved successfully.
C:\WINDOWS\system32\zfd1 moved successfully.
C:\WINDOWS\system32\yb2 moved successfully.
C:\WINDOWS\system32\ineWc01 moved successfully.

Created on 12/20/2007 16:13:41


----------



## mapollo

And now the ComboFix log as requested.

ComboFix 07-12-19.3 - David 2007-12-20 16:51:07.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.622 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-11-20 to 2007-12-20  )))))))))))))))))))))))))))))))
.

2007-12-19 08:18 . 2007-12-19 08:18	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 08:18 . 2007-12-19 08:18	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-15 19:19 . 2007-12-17 16:29	<DIR>	d--------	C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--hs----	C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--------	C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	dr-------	C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-12 22:32 . 2007-12-12 22:32	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01	<DIR>	d--------	C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54	244	--ah-----	C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54	232	--ah-----	C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46	<DIR>	d---s----	C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-20 16:32	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32	<DIR>	d--------	C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14	81,920	--a------	C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30	<DIR>	d--------	C:\MAVS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42	---------	d-----w	C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59	---------	d-----w	C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05	---------	d-----w	C:\Program Files\LimeWire
2007-12-10 19:11	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-08 21:12	---------	d-----w	C:\Program Files\BlackHole
2007-12-08 21:05	---------	d-----w	C:\Program Files\Safari
2007-12-08 21:01	---------	d-----w	C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49	---------	d-----w	C:\Program Files\Azureus
2007-12-03 12:49	---------	d-----w	C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42	---------	d-----w	C:\Program Files\iTunes
2007-12-01 14:35	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-20 20:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37	---------	d-----w	C:\Program Files\Java
2007-11-17 18:59	---------	d-----w	C:\Program Files\MP3 Audio Converter
2007-11-16 21:26	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07	---------	d-----w	C:\Program Files\mp3DirectCut
2007-11-04 19:57	---------	d-----w	C:\Program Files\Fast Color Codes
2007-11-03 13:49	---------	d-----w	C:\Program Files\Winamp
2007-11-02 23:27	---------	d-----w	C:\Program Files\NewsReactor
2007-10-17 17:23	10,752	----a-w	C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03	2,750	----a-w	C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36	2,252	----a-w	C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32	9,876	-c--a-w	C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05	44,544	-c--a-w	C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41	40,484	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52	114	-c--a-w	C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53	28,936	-c--a-w	C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05	456,768	----a-w	C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29	33,743	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42	33,084	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58	35,232	----a-w	C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58	26,112	----a-w	C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-13_ 7.50.20.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46	500,120	----a-w	C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00	192,920	----a-w	C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24	254,360	----a-w	C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52	516,832	----a-w	C:\WINDOWS\system32\capicom.dll
+ 2005-05-24 12:27:16	213,048	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20	94,208	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54	950,272	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-22 18:39:27	279,552	----a-w	C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50	156,160	----a-w	C:\WINDOWS\system32\swreg.exe
+ 2004-05-18 17:19:08	17,129	----a-w	C:\WINDOWS\system32\tcpdiss.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
			C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
			C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11	267048	--a------	C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	--a------	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
			C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16	196608	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	--a--c---	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
			SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
			C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
			C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 16:53:01
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-20 16:53:28
C:\ComboFix2.txt ... 2007-12-19 08:05


----------



## ceewi1

Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

File::
C:\WINDOWS\system32\tcpdiss.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]

Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

How is your system running now?


----------
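How the `tcpdiss.exe` entry gets picked out of a log like the one above, as an added example that is not part of this thread and not ComboFix's own code: the script below parses the 'Reg Loading Points' section of a ComboFix log into one record per autostart entry, labels each with the persistence mechanism it lives under, and looks up which registry key launches a given executable so that key can be written as the `[-KEY]` line a CFScript expects. The sample text is constructed from lines quoted in the logs above (tabs replaced by spaces); the function and constant names are the example's own. Two points it makes explicit: entries under `shared tools\msconfig\startupreg` and `startupfolder` are msconfig's backups of items disabled on its Startup tab, so the `webHancer Agent` line there is not launching anything (the file it points to still wants removing), whereas an `Active Setup\Installed Components` command runs once per user profile at logon, an unusual place for a third-party executable such as `tcpdiss.exe /r` to sit.

```python
"""Added example (not from the thread or from ComboFix): triage the 'Reg Loading
Points' section of a ComboFix log.  The sample is constructed from lines quoted
above (tabs replaced by spaces); every name here is this example's own."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")                                  # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*\[([^\]]*)\])?')    # "Name"="cmd" [date resolved-path]
FILEINFO_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(\S.*)$")  # date size attrs path
EXE_RE = re.compile(r'^"?(.*?\.exe)\b"?', re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"([A-Za-z]:\\\S.*)$")

SAMPLE_LOADING_POINTS = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11    267048    --a------    C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
            C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
"""

def mechanism(key: str) -> str:
    """Persistence mechanism a key belongs to.  The msconfig startupreg/startupfolder
    keys are msconfig's backups of items disabled on its Startup tab (nothing there
    launches); an Active Setup Installed Components command runs once per user at logon."""
    k = key.lower()
    if "\\shared tools\\msconfig\\" in k:
        return "msconfig-disabled"
    if "\\active setup\\installed components\\" in k:
        return "active-setup"
    if "\\currentversion\\run" in k:
        return "run-key"
    return "other"

def exe_from_command(command: str, info):
    """Executable a command line launches; bare names such as RUNDLL32.exe are
    resolved from the path ComboFix prints inside the trailing [...] block."""
    m = EXE_RE.match(command.strip())
    if m and "\\" in m.group(1):
        return m.group(1)
    if info and (r := DRIVE_PATH_RE.search(info)):
        return r.group(1).strip()
    return m.group(1) if m else None

def parse_loading_points(log_text: str) -> list:
    """One record per autostart entry: key, value name, command, exe, mechanism."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("((("):
            key = None                      # entries are blank-line separated
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            continue
        if key is None or line.startswith("backup="):
            continue
        info = None
        if line.startswith("path="):        # startupfolder backup: the .lnk itself
            name, command = key.rsplit("^", 1)[-1], line[len("path="):]
        elif (m := VALUE_RE.match(line)):
            name, command, info = m.group(1), m.group(2), m.group(3)
        elif line.startswith('"'):
            continue                        # plain data value, e.g. "UseDesktopIniCache"= 1
        elif (m := FILEINFO_RE.match(line)):
            name, command = key.rsplit("\\", 1)[-1], m.group(1)
        else:                               # indented msconfig command or Active Setup command
            name, command = key.rsplit("\\", 1)[-1], line
        entries.append({"key": key, "name": name, "command": command,
                        "exe": exe_from_command(command, info), "mechanism": mechanism(key)})
    return entries

def live_autostarts(entries: list) -> list:
    """Entries that actually execute, i.e. everything msconfig has not parked."""
    return [e for e in entries if e["mechanism"] != "msconfig-disabled"]

def keys_launching(entries: list, exe_basename: str) -> list:
    """Registry keys whose entry launches the named executable (case-insensitive)."""
    want = exe_basename.lower()
    return [e["key"] for e in entries
            if e["exe"] and e["exe"].lower().rsplit("\\", 1)[-1] == want]

def registry_delete_directive(key: str) -> str:
    """The Registry:: line a CFScript uses to delete a whole key."""
    return f"[-{key}]"

if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOADING_POINTS)
    print(*live_autostarts(found), *map(registry_delete_directive, keys_launching(found, "tcpdiss.exe")), sep="\n")
```

Run it against a full log by reading the file into `parse_loading_points`; the `live_autostarts` list is the set worth reviewing first, and `keys_launching` turns a suspect file name into the exact key to put under `Registry::`.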



## mapollo

Latest ComboFix log after running CFScript.txt. I'll post how my machine is running later.

ComboFix 07-12-19.3 - David 2007-12-21  7:57:05.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.604 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\tcpdiss.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tcpdiss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-11-21 to 2007-12-21  )))))))))))))))))))))))))))))))
.

2007-12-20 17:26 . 2007-12-20 17:26	<DIR>	d--------	C:\WINDOWS\system32\ineWc01
2007-12-20 17:26 . 2007-12-20 17:26	<DIR>	d--------	C:\Temp\tpBe12
2007-12-20 17:26 . 2007-12-20 17:26	<DIR>	d--------	C:\Temp
2007-12-19 08:18 . 2007-12-19 08:18	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 08:18 . 2007-12-19 08:18	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-15 19:19 . 2007-12-17 16:29	<DIR>	d--------	C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--hs----	C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	d--------	C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32	<DIR>	dr-------	C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-12 22:32 . 2007-12-12 22:32	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01	<DIR>	d--------	C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54	244	--ah-----	C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54	232	--ah-----	C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46	<DIR>	d---s----	C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-21 07:41	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32	<DIR>	d--------	C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14	81,920	--a------	C:\WINDOWS\system32\Startup.cpl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42	---------	d-----w	C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59	---------	d-----w	C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05	---------	d-----w	C:\Program Files\LimeWire
2007-12-10 19:11	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-08 21:12	---------	d-----w	C:\Program Files\BlackHole
2007-12-08 21:05	---------	d-----w	C:\Program Files\Safari
2007-12-08 21:01	---------	d-----w	C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49	---------	d-----w	C:\Program Files\Azureus
2007-12-03 12:49	---------	d-----w	C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42	---------	d-----w	C:\Program Files\iTunes
2007-12-01 14:35	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-20 20:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37	---------	d-----w	C:\Program Files\Java
2007-11-17 18:59	---------	d-----w	C:\Program Files\MP3 Audio Converter
2007-11-16 21:26	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07	---------	d-----w	C:\Program Files\mp3DirectCut
2007-11-04 19:57	---------	d-----w	C:\Program Files\Fast Color Codes
2007-11-03 13:49	---------	d-----w	C:\Program Files\Winamp
2007-11-02 23:27	---------	d-----w	C:\Program Files\NewsReactor
2007-10-17 17:23	10,752	----a-w	C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03	2,750	----a-w	C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36	2,252	----a-w	C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32	9,876	-c--a-w	C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05	44,544	-c--a-w	C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41	40,484	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52	114	-c--a-w	C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53	28,936	-c--a-w	C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05	456,768	----a-w	C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29	33,743	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42	33,084	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58	35,232	----a-w	C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58	26,112	----a-w	C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-13_ 7.50.20.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46	500,120	----a-w	C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00	192,920	----a-w	C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24	254,360	----a-w	C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52	516,832	----a-w	C:\WINDOWS\system32\capicom.dll
+ 2007-12-12 11:50:02	32,768	----a-w	C:\WINDOWS\system32\ineWc01\ineWc011065.exe
+ 2005-05-24 12:27:16	213,048	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20	94,208	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54	950,272	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-22 18:39:27	279,552	----a-w	C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50	156,160	----a-w	C:\WINDOWS\system32\swreg.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
			C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
			C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11	267048	--a------	C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	--a------	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
			C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16	196608	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	--a--c---	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
			SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
			C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
			C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 07:59:16
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-21  7:59:40
C:\ComboFix2.txt ... 2007-12-20 16:53
C:\ComboFix3.txt ... 2007-12-19 08:05


----------



## ceewi1

Still a few more to get:

Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

File::
C:\Documents and Settings\David\Application Data\wklnhst.dat

Folder::
C:\Temp
C:\SpyGuardPro
C:\Documents and Settings\David\Application Data\SpyGuardPro
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\WINDOWS\system32\ineWc01

Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.


----------
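Checking that a CFScript did what it was meant to, as an added example that is not part of this thread and not ComboFix's own code: the script below parses a CFScript into its `File::`/`Folder::`/`Registry::` targets, pulls the paths listed under `FILE` and `Other Deletions` out of the ComboFix log that follows a run, and reports which targets the log confirms gone. The samples are constructed from the two scripts in this thread (combined into one) and from the deletion and Find3M sections of the logs above, with tabs replaced by spaces; the function names are the example's own. `Registry::` lines cannot be confirmed from those sections, so the report marks them for a manual check (the fresh HijackThis log requested above covers that). The last function flags files still listed in Find3M that share a name with a deleted file, which is how the same-named `wklnhst.dat` under the Kids profile surfaces.

```python
"""Added example (not from the thread or from ComboFix): check a CFScript's
targets against the ComboFix log that ran it.  Samples below are constructed
from the scripts and logs posted above (tabs replaced by spaces); every name
here is this example's own."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # ((((   Other Deletions   ))))
DRIVE_PATH_RE = re.compile(r"([A-Za-z]:\\.+?)\s*$")
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")           # [-KEY] removes the whole key

CFSCRIPT = r"""File::
C:\Documents and Settings\David\Application Data\wklnhst.dat
Folder::
C:\Temp
C:\SpyGuardPro
C:\Documents and Settings\David\Application Data\SpyGuardPro
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\WINDOWS\system32\ineWc01
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
"""

COMBOFIX_LOG = r"""FILE
C:\Documents and Settings\David\Application Data\wklnhst.dat
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Documents and Settings\David\Application Data\SpyGuardPro
C:\Documents and Settings\David\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\David\Application Data\wklnhst.dat
C:\SpyGuardPro
C:\Temp
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2005-12-10 12:52    114    -c--a-w    C:\Documents and Settings\Kids\Application Data\wklnhst.dat
"""

def parse_cfscript(text: str) -> dict:
    """Directive blocks (File::, Folder::, Registry::) mapped to their targets."""
    plan, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
        elif section == "Registry":
            m = REG_DELETE_RE.match(line)
            plan[section].append(("delete-key", m.group(1)) if m else ("raw", line))
        elif section:
            plan[section].append(line)
    return dict(plan)

def log_sections(log_text: str) -> dict:
    """Lines of a ComboFix log grouped under their banner ('FILE', 'Other Deletions', ...)."""
    sections, current = defaultdict(list), None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m or line == "FILE":
            current = m.group(1) if m else "FILE"
        elif current:
            sections[current].append(line)
    return sections

def paths_in(lines) -> set:
    return {m.group(1) for line in lines if (m := DRIVE_PATH_RE.search(line))}

def confirmed_deletions(log_text: str) -> set:
    s = log_sections(log_text)
    return paths_in(s.get("FILE", [])) | paths_in(s.get("Other Deletions", []))

def verify(plan: dict, deleted: set) -> list:
    """(kind, target, status) per CFScript target; Registry:: work is not in these sections."""
    low, report = {p.lower() for p in deleted}, []
    for target in plan.get("File", []):
        report.append(("File", target, "deleted" if target.lower() in low else "NOT confirmed"))
    for target in plan.get("Folder", []):
        t = target.lower()
        gone = t in low or any(p.startswith(t + "\\") for p in low)
        report.append(("Folder", target, "deleted" if gone else "NOT confirmed"))
    for _kind, key in plan.get("Registry", []):
        report.append(("Registry", key, "unverified from log"))
    return report

def same_name_elsewhere(log_text: str, plan: dict) -> list:
    """Files still listed in Find3M that share a basename with a File:: target."""
    remaining = set()
    for name, lines in log_sections(log_text).items():
        if name.startswith("Find3M"):
            remaining |= paths_in(lines)
    wanted = {t.lower().rsplit("\\", 1)[-1] for t in plan.get("File", [])}
    return sorted(p for p in remaining if p.lower().rsplit("\\", 1)[-1] in wanted)

if __name__ == "__main__":
    print(*verify(parse_cfscript(CFSCRIPT), confirmed_deletions(COMBOFIX_LOG)), sep="\n")
```

Point it at the real files by reading `CFScript.txt` and `C:\ComboFix.txt` into the two parsers; a `NOT confirmed` line means the target was not in the log's deletion sections and needs looking at before declaring the machine clean.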



## mapollo

Latest ComboFix log...

ComboFix 07-12-19.3 - David 2007-12-21 13:54:43.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.613 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScripts.txt
 * Created a new restore point

FILE
C:\Documents and Settings\David\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Documents and Settings\David\Application Data\SpyGuardPro
C:\Documents and Settings\David\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\David\Application Data\wklnhst.dat
C:\SpyGuardPro
C:\Temp
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\ineWc01\ineWc011065.exe

.
(((((((((((((((((((((((((   Files Created from 2007-11-21 to 2007-12-21  )))))))))))))))))))))))))))))))
.

2007-12-19 08:18 . 2007-12-19 08:18	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 08:18 . 2007-12-19 08:18	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-15 19:19 . 2007-12-17 16:29	<DIR>	d--------	C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 22:32 . 2007-12-12 22:32	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01	<DIR>	d--------	C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54	244	--ah-----	C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54	232	--ah-----	C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46	<DIR>	d---s----	C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-21 11:37	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42	<DIR>	d--------	C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32	<DIR>	d--------	C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14	81,920	--a------	C:\WINDOWS\system32\Startup.cpl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42	---------	d-----w	C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59	---------	d-----w	C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05	---------	d-----w	C:\Program Files\LimeWire
2007-12-10 19:11	---------	d-----w	C:\Program Files\MSN Messenger
2007-12-08 21:12	---------	d-----w	C:\Program Files\BlackHole
2007-12-08 21:05	---------	d-----w	C:\Program Files\Safari
2007-12-08 21:01	---------	d-----w	C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49	---------	d-----w	C:\Program Files\Azureus
2007-12-03 12:49	---------	d-----w	C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42	---------	d-----w	C:\Program Files\iTunes
2007-12-01 14:35	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-20 20:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37	---------	d-----w	C:\Program Files\Java
2007-11-17 18:59	---------	d-----w	C:\Program Files\MP3 Audio Converter
2007-11-16 21:26	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07	---------	d-----w	C:\Program Files\mp3DirectCut
2007-11-04 19:57	---------	d-----w	C:\Program Files\Fast Color Codes
2007-11-03 13:49	---------	d-----w	C:\Program Files\Winamp
2007-11-02 23:27	---------	d-----w	C:\Program Files\NewsReactor
2007-10-17 17:23	10,752	----a-w	C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03	2,750	----a-w	C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36	2,252	----a-w	C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-08-28 10:05	44,544	-c--a-w	C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41	40,484	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52	114	-c--a-w	C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53	28,936	-c--a-w	C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05	456,768	----a-w	C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29	33,743	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42	33,084	-c--a-w	C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58	35,232	----a-w	C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58	26,112	----a-w	C:\WINDOWS\inf\WG311T\install.exe
.

(((((((((((((((((((((((((((((   snapshot@2007-12-13_ 7.50.20.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46	500,120	----a-w	C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00	192,920	----a-w	C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24	254,360	----a-w	C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52	516,832	----a-w	C:\WINDOWS\system32\capicom.dll
- 2007-12-12 22:19:17	3,968	----a-w	C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-12-21 11:39:38	10,760	----a-w	C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-12-12 22:19:17	19,904	----a-w	C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 11:39:34	26,952	----a-w	C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2005-05-24 12:27:16	213,048	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20	94,208	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54	950,272	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-22 18:39:27	279,552	----a-w	C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50	156,160	----a-w	C:\WINDOWS\system32\swreg.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:39]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
			C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
			C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11	267048	--a------	C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40	155648	--a------	C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
			C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16	196608	--a------	C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42	32768	--a--c---	C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
			SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
			C:\Program Files\Common Files\Real\Update_OB\realsched.exe  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
			C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
			C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 13:57:00
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-21 13:57:23
C:\ComboFix2.txt ... 2007-12-21 07:59
C:\ComboFix3.txt ... 2007-12-20 16:53


----------



## mapollo

And the latest HijackThis log as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:26, on 21/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7936 bytes


----------



## ceewi1

There's only one entry in your HijackThis log left that I'd recommend removing.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entry:
*O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstall...k/page_q1.html*
Please close all open windows except for HijackThis and choose *Fix checked*.

How is your system running now?

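The entry ceewi1 singled out is the only O16 (Download Program Files, i.e. ActiveX control) line in the log that HijackThis shows without a registered control name, and the only one whose codebase is an .html page rather than a .cab archive. As an added example, not part of the thread or of HijackThis itself, the Python script below applies that same review to O16 lines automatically. The sample lines are copied from the log posted above (not a complete log), and the allowlist of online-scanner hosts is an assumption made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: five lines copied from the HijackThis log posted in this
# thread (not a complete log). The O16 entry with no control name is the one
# ceewi1 asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
"""

# Hosts of the online scanners used earlier in this thread. This allowlist is an
# assumption for illustration; a real reviewer would maintain their own.
KNOWN_SCANNER_HOSTS = {
    "support.f-secure.com",
    "security.symantec.com",
    "www.kaspersky.com",
    "downloads.ewido.net",
    "acs.pandasoftware.com",
}

# Shape of an O16 line:  O16 - DPF: {CLSID} (optional friendly name) - codebase URL
O16_RE = re.compile(
    r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*)\))? - (\S+)$"
)


@dataclass
class DpfEntry:
    clsid: str
    name: Optional[str]   # None when HijackThis shows no registered name
    url: str
    host: str


def parse_dpf_entries(log_text: str) -> List[DpfEntry]:
    """Return every O16 (Download Program Files / ActiveX) line, parsed."""
    entries: List[DpfEntry] = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O2, O4, O17, ...) are ignored here
        clsid, name, url = m.groups()
        host = urlparse(url).hostname or ""
        entries.append(DpfEntry(clsid=clsid, name=name, url=url, host=host))
    return entries


def review_dpf(entry: DpfEntry) -> List[str]:
    """Reasons an O16 entry deserves a second look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if not entry.name:
        reasons.append("no control name is registered for this CLSID")
    if not entry.url.lower().endswith(".cab"):
        reasons.append("codebase is not a .cab archive")
    if entry.host not in KNOWN_SCANNER_HOSTS:
        reasons.append(f"host {entry.host!r} is not on the allowlist")
    return reasons


def suspicious_clsids(log_text: str) -> List[str]:
    """CLSIDs of O16 entries that raised at least one reason."""
    return [e.clsid for e in parse_dpf_entries(log_text) if review_dpf(e)]


if __name__ == "__main__":
    for entry in parse_dpf_entries(SAMPLE_LOG):
        verdict = review_dpf(entry)
        status = "REVIEW" if verdict else "ok"
        print(f"{status:6} {entry.clsid} {entry.name or '(no name)'} {entry.url}")
        for reason in verdict:
            print(f"       - {reason}")
```

Run against the sample, only the eversoft.co.kr entry is flagged, for all three reasons; the F-Secure and Symantec scanner controls pass. The checks are deliberately conservative: a missing name or a non-.cab codebase is a prompt to look closer, not proof of malware, which is why the script reports reasons rather than a verdict.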

----------



## mapollo

ceewi1 said:

> How is your system running now?

It seems to have run fine now for the last 36 hours or so. Thanks to you my friend.

I deleted the last entry as suggested.

It took a while and a great deal of patience from you and I thank you (again) for that.

Happy holidays.


----------



## ceewi1

You're most welcome, I'm glad the problem is solved.  Merry Christmas and a Happy New Year!

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer.  While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection.  While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer. 

Please either enable *Automatic Updates* under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly.  They usually have security updates every month.  You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed.   *This is a crucial security measure.*

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost.  All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

I notice you are running Spybot, which is good.  You might also want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs, and will work alongside Spybot to protect you:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.  

Please *keep these programs up-to-date* and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.  

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure and are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an *alternate browser*. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure.  Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here:  http://www.opera.com/download/

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.


----------

