HijackThis help please.

mapollo

New Member
I installed some software (a game for my son) that was riddled with spyware/malware. Webhancer and dcads pop-ups, for two.

I ran Ad-Aware and shifted a fair bit of it but I'm doubting that I got it all. Edit: I'm still getting dcads pop-ups.

My HijackThis log is as below. How's it looking???


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:11, on 12/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: dcads - {F173E53F-E042-49b6-BD46-983E93DA1B17} - C:\WINDOWS\system32\nse48.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
 

ceewi1

VIP Member
1. Please download this file - ComboFix - to your desktop.
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries (where still present):
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • O2 - BHO: dcads - {F173E53F-E042-49b6-BD46-983E93DA1B17} - C:\WINDOWS\system32\nse48.dll
Please close all open windows except for HijackThis and choose Fix checked.

Please reboot and post the ComboFix log and a new HijackThis log.
 

mapollo

New Member
Thanks for your help

The Combofix log is below.

ComboFix 07-12-12.3 - David 2007-12-13 7:45:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dudu
C:\Documents and Settings\All Users\Application Data\dudu\DDD\ddd.conf
C:\Documents and Settings\David\Local Settings\Application Data\baidu
C:\WINDOWS\system32\nse48.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\mmccrd


((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 22:32 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:24 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54 244 --ah----- C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54 232 --ah----- C:\sqmdata04.sqm
2007-12-12 08:09 . 2007-12-12 08:25 80,118 --a------ C:\WINDOWS\system32\dcads-remove.exe
2007-12-12 08:09 . 2007-12-12 08:09 40,731 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2007-12-07 23:02 . 2007-12-07 23:02 396 --a------ C:\winrqyc.exe
2007-12-06 09:46 . 2007-12-06 09:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-12-05 18:48 . 2007-12-05 18:48 396 --a------ C:\sysoqng.exe
2007-12-01 14:43 . 2007-12-13 07:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32 <DIR> d-------- C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30 <DIR> d-------- C:\MAVS
2007-11-16 21:26 . 2005-10-21 01:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-16 21:26 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-16 21:26 . 2005-10-21 01:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 08:05 --------- d-----w C:\Program Files\LimeWire
2007-12-10 19:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-08 21:12 --------- d-----w C:\Program Files\BlackHole
2007-12-08 21:05 --------- d-----w C:\Program Files\Safari
2007-12-08 21:01 --------- d-----w C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49 --------- d-----w C:\Program Files\Azureus
2007-12-03 12:49 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 21:16 --------- d-----w C:\Documents and Settings\David\Application Data\Canon
2007-12-01 14:42 --------- d-----w C:\Program Files\iTunes
2007-12-01 14:35 --------- d-----w C:\Program Files\Apple Software Update
2007-11-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37 --------- d-----w C:\Program Files\Java
2007-11-17 18:59 --------- d-----w C:\Program Files\MP3 Audio Converter
2007-11-16 21:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07 --------- d-----w C:\Program Files\mp3DirectCut
2007-11-04 19:57 --------- d-----w C:\Program Files\Fast Color Codes
2007-11-03 13:49 --------- d-----w C:\Program Files\Winamp
2007-11-02 23:27 --------- d-----w C:\Program Files\NewsReactor
2007-10-18 15:34 --------- d-----w C:\Documents and Settings\David\Application Data\ZoomBrowser EX
2007-09-28 07:03 2,750 ----a-w C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36 2,252 ----a-w C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32 9,876 -c--a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05 44,544 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41 40,484 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52 114 -c--a-w C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53 28,936 -c--a-w C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05 456,768 ----a-w C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29 33,743 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42 33,084 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58 35,232 ----a-w C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58 26,112 ----a-w C:\WINDOWS\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-05-19 00:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\David\Start Menu\Programs\Startup\
DigiGuide Lite TV Guide.lnk - C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe [2006-11-15 12:50:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S0 ecbgfeae;ecbgfeae;C:\WINDOWS\system32\drivers\ecbgfeae.sys
S0 gheihbii;gheihbii;C:\WINDOWS\system32\drivers\gheihbii.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-01 00:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 11:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 12:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 13:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 14:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 15:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 16:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 18:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-10-13 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At20.job"
"2007-12-11 20:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 21:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At24.job"
"2007-12-01 00:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-10-13 00:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 01:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 02:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-07-26 03:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-07-26 04:00:00 C:\WINDOWS\Tasks\At30.job"
"2007-07-26 05:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-10-12 06:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 08:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 09:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 11:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 12:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 13:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 14:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-08-10 02:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 15:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 16:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 17:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 18:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-11 20:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 21:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-01 00:00:45 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-07-26 03:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-23 10:53:39 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 08:01:45 C:\WINDOWS\Tasks\At57.job"
"2007-12-12 09:00:45 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-07-26 04:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 11:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 12:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 13:01:53 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 14:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 15:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 16:00:00 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 17:00:45 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 18:00:45 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 19:00:45 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-11 20:00:45 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-07-26 05:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 21:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-12-12 22:00:00 C:\WINDOWS\Tasks\At71.job"
"2007-12-12 23:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\wX36655H.exe
"2007-10-12 06:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 08:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\ps4EA08o.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 07:49:54
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 7:50:39 - machine was rebooted
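As an added editor's example, not part of any post in this thread and not code from ComboFix or HijackThis: a small Python triage of the 'Scheduled Tasks' section above, which groups jobs by the executable they launch and flags AtNN.job entries that run short random-looking names out of system32, the pattern the posted log shows. The embedded log text is a constructed excerpt in the same format.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Constructed helper for the thread above; it is not part of ComboFix or
HijackThis. It groups jobs by the executable they launch and flags the
pattern visible in the posted log: many AtNN.job entries that all run short,
random-looking names straight out of the system32 directory.
"""
import re
from collections import Counter

# One quoted "<timestamp> <full path>.job" line per task, optionally followed
# by a "- <target executable>" line, which is how ComboFix prints the section.
JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\\([^\\]+\.job))"$')
TARGET_RE = re.compile(r'^- (.+)$')
AT_JOB_RE = re.compile(r'^At\d+\.job$', re.IGNORECASE)
# Eight-character stem mixing letters and digits (ps4EA08o, y206v7ox, wX36655H).
RANDOM_STEM_RE = re.compile(r'^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8}$')

# Constructed excerpt in the same format as the posted log (a few of its lines).
SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 09:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-12 10:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\ps4EA08o.exe
"2007-12-11 19:00:00 C:\WINDOWS\Tasks\At20.job"
"2007-12-12 08:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\y206v7ox.exe
"2007-12-12 09:00:45 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\wX36655H.exe
.
"""


def parse_tasks(text):
    """Return one dict per job: when, path, job (file name), target (None if absent)."""
    tasks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            tasks.append({"when": m.group(1), "path": m.group(2),
                          "job": m.group(3), "target": None})
            continue
        m = TARGET_RE.match(line)
        # A "- target" line belongs to the job printed just before it.
        if m and tasks and tasks[-1]["target"] is None:
            tasks[-1]["target"] = m.group(1).strip()
    return tasks


def triage(tasks):
    """Group jobs by target and flag the ones a reviewer should look at."""
    per_target = Counter(t["target"] for t in tasks if t["target"])
    flagged = {}
    for t in tasks:
        reasons = []
        if t["target"] is None:
            # ComboFix printed the job but no command: the job file may be
            # damaged or already emptied; it still deserves a look.
            reasons.append("no target recorded")
        else:
            directory, _, exe = t["target"].rpartition("\\")
            stem = exe.rsplit(".", 1)[0]
            in_system32 = directory.lower().endswith("\\windows\\system32")
            if AT_JOB_RE.match(t["job"]) and in_system32:
                reasons.append("AtNN.job launching an executable from system32")
            if RANDOM_STEM_RE.match(stem):
                reasons.append("random-looking executable name")
        if reasons:
            flagged[t["job"]] = reasons
    return {"per_target": dict(per_target), "flagged": flagged}


def report(text):
    """Parse one 'Scheduled Tasks' section and return the triage result."""
    return triage(parse_tasks(text))


if __name__ == "__main__":
    result = report(SAMPLE_TASKS)
    for target, count in sorted(result["per_target"].items(), key=lambda kv: -kv[1]):
        print(f"{count:3d} job(s) -> {target}")
    for job, reasons in result["flagged"].items():
        print(f"{job}: {'; '.join(reasons)}")
```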
 

mapollo

New Member
HijackThis bit

The two O2 entries you asked me to delete were removed by ComboFix, I think.

Here is the latest HijackThis log file. Thanks for your help, btw.

Scan saved at 07:54:25, on 13/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7509 bytes
 

Buzz1927

Digaredd
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\drivers\ecbgfeae.sys
    C:\WINDOWS\system32\drivers\ecbg feae.sys
    C:\WINDOWS\system32\drivers\gheihbii.sys
    C:\WINDOWS\system32\drivers\ghei hbii.sys
    C:\WINDOWS\system32\dcads-remove.exe
    C:\WINDOWS\system32\superiorads-uninst.exe
    C:\winrqyc.exe
    C:\sysoqng.exe
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At25.job
    C:\WINDOWS\Tasks\At26.job
    C:\WINDOWS\Tasks\At27.job
    C:\WINDOWS\Tasks\At28.job
    C:\WINDOWS\Tasks\At29.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At30.job
    C:\WINDOWS\Tasks\At31.job
    C:\WINDOWS\Tasks\At32.job
    C:\WINDOWS\Tasks\At33.job
    C:\WINDOWS\Tasks\At34.job
    C:\WINDOWS\Tasks\At35.job
    C:\WINDOWS\Tasks\At36.job
    C:\WINDOWS\Tasks\At37.job
    C:\WINDOWS\Tasks\At38.job
    C:\WINDOWS\Tasks\At39.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At40.job
    C:\WINDOWS\Tasks\At41.job
    C:\WINDOWS\Tasks\At42.job
    C:\WINDOWS\Tasks\At43.job
    C:\WINDOWS\Tasks\At44.job
    C:\WINDOWS\Tasks\At45.job
    C:\WINDOWS\Tasks\At46.job
    C:\WINDOWS\Tasks\At47.job
    C:\WINDOWS\Tasks\At48.job
    C:\WINDOWS\Tasks\At49.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At50.job
    C:\WINDOWS\Tasks\At51.job
    C:\WINDOWS\Tasks\At52.job
    C:\WINDOWS\Tasks\At53.job
    C:\WINDOWS\Tasks\At54.job
    C:\WINDOWS\Tasks\At55.job
    C:\WINDOWS\Tasks\At56.job
    C:\WINDOWS\Tasks\At57.job
    C:\WINDOWS\Tasks\At58.job
    C:\WINDOWS\Tasks\At59.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At60.job
    C:\WINDOWS\Tasks\At61.job
    C:\WINDOWS\Tasks\At62.job
    C:\WINDOWS\Tasks\At63.job
    C:\WINDOWS\Tasks\At64.job
    C:\WINDOWS\Tasks\At65.job
    C:\WINDOWS\Tasks\At66.job
    C:\WINDOWS\Tasks\At67.job
    C:\WINDOWS\Tasks\At68.job
    C:\WINDOWS\Tasks\At69.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At70.job
    C:\WINDOWS\Tasks\At71.job
    C:\WINDOWS\Tasks\At72.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    
    Driver::
    ecbgfeae
    gheihbii
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
 

mapollo

New Member
Thanks Buzz

Buzz. Since I posted this I've picked up the lop virus. Does that change things? I've googled a bit and haven't got the first clue of how to remove it.

Anyway the logs are as shown below. Thanks for your help btw.

Combofix log first....

ComboFix 07-12-12.3 - David 2007-12-15 8:59:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\sysoqng.exe
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\drivers\ecbg feae.sys
C:\WINDOWS\system32\drivers\ecbgfeae.sys
C:\WINDOWS\system32\drivers\ghei hbii.sys
C:\WINDOWS\system32\drivers\gheihbii.sys
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\winrqyc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtutsp.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\byxyyvw.dll
C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\geedb.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\hgggebx.dll
C:\WINDOWS\system32\khfdcaa.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\ssqrppo.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tuvspno.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ecbgfeae
-------\gheihbii


((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-14 23:15 . 2007-12-14 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d--hs---- C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d-------- C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-13 19:23 . 2007-12-14 14:37 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-13 19:22 . 2007-12-13 19:22 <DIR> d-------- C:\WINDOWS\system32\zfd1
2007-12-13 19:22 . 2007-12-13 19:22 <DIR> d-------- C:\WINDOWS\system32\yb2
2007-12-13 19:22 . 2007-12-13 19:22 <DIR> d-------- C:\WINDOWS\system32\qui4
2007-12-13 19:22 . 2007-12-13 19:22 <DIR> d-------- C:\WINDOWS\system32\ineWc01
2007-12-12 22:32 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-14 23:44 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54 244 --ah----- C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54 232 --ah----- C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-15 09:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32 <DIR> d-------- C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30 <DIR> d-------- C:\MAVS
2007-11-16 21:26 . 2005-10-21 01:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-11-16 21:26 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-16 21:26 . 2005-10-21 01:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 08:05 --------- d-----w C:\Program Files\LimeWire
2007-12-10 19:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-08 21:12 --------- d-----w C:\Program Files\BlackHole
2007-12-08 21:05 --------- d-----w C:\Program Files\Safari
2007-12-08 21:01 --------- d-----w C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49 --------- d-----w C:\Program Files\Azureus
2007-12-03 12:49 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 21:16 --------- d-----w C:\Documents and Settings\David\Application Data\Canon
2007-12-01 14:42 --------- d-----w C:\Program Files\iTunes
2007-12-01 14:35 --------- d-----w C:\Program Files\Apple Software Update
2007-11-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37 --------- d-----w C:\Program Files\Java
2007-11-17 18:59 --------- d-----w C:\Program Files\MP3 Audio Converter
2007-11-16 21:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07 --------- d-----w C:\Program Files\mp3DirectCut
2007-11-04 19:57 --------- d-----w C:\Program Files\Fast Color Codes
2007-11-03 13:49 --------- d-----w C:\Program Files\Winamp
2007-11-02 23:27 --------- d-----w C:\Program Files\NewsReactor
2007-10-18 15:34 --------- d-----w C:\Documents and Settings\David\Application Data\ZoomBrowser EX
2007-09-28 07:03 2,750 ----a-w C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36 2,252 ----a-w C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32 9,876 -c--a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05 44,544 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41 40,484 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52 114 -c--a-w C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53 28,936 -c--a-w C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05 456,768 ----a-w C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29 33,743 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42 33,084 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58 35,232 ----a-w C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58 26,112 ----a-w C:\WINDOWS\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_ 7.50.20.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-11-02 13:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2007-12-12 11:50:02 32,768 ----a-w C:\WINDOWS\system32\ineWc01\ineWc011065.exe
+ 2007-08-03 01:44:02 169,147 ----a-w C:\WINDOWS\system32\qui4\qopre83122.exe
+ 2004-05-18 17:19:08 17,129 ----a-w C:\WINDOWS\system32\tcpdiss.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24171E23-9AE7-4D11-B486-888B2D8448F7}]
C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-05-19 00:29]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\David\Start Menu\Programs\Startup\
DigiGuide Lite TV Guide.lnk - C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe [2006-11-15 12:50:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 MarkFun_NT;MarkFun_NT;\??\C:\Program Files\Gigabyte\ET5\markfun.w32


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 09:04:38
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 9:05:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-13 07:50
 

mapollo

New Member
Now Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:07:46, on 15/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24171E23-9AE7-4D11-B486-888B2D8448F7} - C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 8110 bytes
 

ceewi1

VIP Member
I don't see any signs of LOP in your log; I suspect it's been removed by one of your security programs.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:
  • O2 - BHO: (no name) - {24171E23-9AE7-4D11-B486-888B2D8448F7} - C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)
Please close all open windows except for HijackThis and choose Fix checked.

Please delete the following file:
C:\WINDOWS\mrofinu572.exe.tmp

Please delete the following folders:
C:\WINDOWS\system32\zfd1
C:\WINDOWS\system32\yb2
C:\WINDOWS\system32\qui4
C:\WINDOWS\system32\ineWc01


Please reboot and post a new HijackThis log.

I'd also like to see the results of an online scan. Please run a complete scan at http://support.f-secure.com/enu/home/ols.shtml and post the results.
 
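Added example, not from this thread: a small Python triage helper that applies the reasoning ceewi1 used above (a BHO with no name, a path that fuses two absolute paths, and a "(file missing)" marker) to HijackThis O2/O4/O23 lines. The sample lines are copied from the log posted above; the line-format regexes and the `Finding` record are my own assumptions about the format, not part of HijackThis.

```python
import re
from dataclasses import dataclass

# Constructed sample: four lines copied from the HijackThis log posted above.
# The second O2 line is the BHO ceewi1 asked to have fixed.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24171E23-9AE7-4D11-B486-888B2D8448F7} - C:\Program Files\Outlook Express\hokesotC:\WINDOWS\system32\qui4\qopre83122.exe.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
"""

# Assumed line shapes (from the logs in this thread):
#   O2  - BHO: <name> - {CLSID} - <path>[ (file missing)]
#   O4  - <hive>\..\Run: [<value name>] <command line>
#   O23 - Service: <display name> - <vendor> - <path>
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# A drive root ("X:\") that is not at the very start of the path means two
# absolute paths were glued together, as in ...\hokesotC:\WINDOWS\...
FUSED_PATH_RE = re.compile(r".[A-Za-z]:\\")


@dataclass
class Finding:
    kind: str       # HijackThis section: O2, O4 or O23
    path: str       # the path or command line as it appears in the log
    reasons: list   # why the entry was flagged


def _check_path(path: str) -> list:
    """Signals that apply to any path-bearing entry."""
    reasons = []
    if "(file missing)" in path:
        reasons.append("file missing")
    if FUSED_PATH_RE.search(path):
        reasons.append("fused path")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4/O23 line that trips at least one signal."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            reasons = _check_path(m["path"])
            # A BHO that registers no display name is itself a signal.
            if m["name"] == "(no name)":
                reasons.append("unnamed BHO")
            if reasons:
                findings.append(Finding("O2", m["path"], reasons))
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = _check_path(m["path"])
            if reasons:
                findings.append(Finding("O4", m["path"], reasons))
            continue
        m = SVC_RE.match(line)
        if m:
            reasons = _check_path(m["path"])
            if reasons:
                findings.append(Finding("O23", m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {', '.join(f.reasons)} -> {f.path}")
```

Only the unnamed, file-missing BHO is reported; the legitimate Adobe, AVG and Atheros entries produce no finding.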

mapollo

New Member
New hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56:44, on 16/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DigiGuide Lite TV Guide.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7947 bytes
 

mapollo

New Member
Scanning Report
Sunday, December 16, 2007 10:04:14 - 10:45:30
Computer name: HOMEPC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\


--------------------------------------------------------------------------------

Result: 21 malware found
DLoader.EGIN (virus)
C:\RECYCLER\S-1-5-21-1644491937-220523388-725345543-1003\DC4\QOPRE83122.EXE (Submitted)
HTML/Exploit!IFrame.G (virus)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DW9AGI0E\B9[2].HTM (Submitted)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XY7CLY7\A[1].HTM (Submitted)
HTML/IFrame (virus)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XY7CLY7\A1[1].HTM (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
W32/Malware (virus)
C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 39818
System: 4793
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 20
Submitted: 5
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\TCPDISS.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
 

mapollo

New Member
I did a reboot and then did another virus scan. It didn't get everything. New report from 2nd virus scan is below.

Scanning Report
Sunday, December 16, 2007 11:13:25 - 11:54:41
Computer name: HOMEPC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\


--------------------------------------------------------------------------------

Result: 9 malware found
DLoader.EGIN (virus)
C:\RECYCLER\S-1-5-21-1644491937-220523388-725345543-1003\DC4\QOPRE83122.EXE (Submitted)
HTML/Exploit!IFrame.G (virus)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DW9AGI0E\B9[2].HTM (Submitted)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CMWO7QLP\A[2].HTM (Submitted)
HTML/IFrame (virus)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XY7CLY7\A1[1].HTM (Submitted)
JS/IFrame (virus)
C:\DOCUMENTS AND SETTINGS\DAVID\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\83C7MB63\ADCPM1[1].HTM (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
W32/Malware (virus)
C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 40007
System: 4794
Not scanned: 3
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 8
Submitted: 6
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\TCPDISS.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-12-14
F-Secure AVP: 7.0.171, 2007-12-14
F-Secure Orion: 1.2.37, 2007-12-14
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-11-28
F-Secure Pegasus: 1.19.0, 2007-11-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
 

ceewi1

VIP Member
That's not actually too bad: most of those files are temporary files, and I'd like more information about that last one before doing anything with it. Let's remove the temporary files, and check that last one more thoroughly.

Please download ATF Cleaner by Atribune.

You may wish to print these instructions, or copy them to a Notepad document, as you will be unable to access the Internet while in Safe Mode to read from this site.

Please reboot into Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).

Please run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please reboot into normal Windows.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://www.virustotal.com/
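Added example (not part of the thread, and not F-Secure's code): a Python triage of an F-Secure online scan report that buckets each hit by where it lives, reproducing the reasoning above: browser cache and Recycle Bin hits are cleared by a temp-file cleaner or by emptying the bin, cookie hits have no file to delete, and a hit under Program Files is the one to verify with a multi-engine scan before touching it. The report excerpt is constructed in the same shape as the one posted above; bucket names and advice are my own.

```python
import re

# Constructed excerpt in the shape of the F-Secure online scan report quoted above.
SAMPLE_REPORT = r"""
Result: 5 malware found
DLoader.EGIN (virus)
C:\RECYCLER\S-1-5-21-0000000000-000000000-000000000-1003\DC4\SAMPLE1.EXE (Submitted)
HTML/Exploit!IFrame.G (virus)
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XXXXXXXX\B9[2].HTM (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
W32/Malware (virus)
C:\PROGRAM FILES\SOME TV GUIDE\UPGRADER.EXE (Submitted)

--------------------------------------------------------------------------------
"""

# A detection header is "<name> (<class>)"; the lines after it are the hits for that detection.
DETECTION_RE = re.compile(r"^(?P<name>.+) \((?P<cls>virus|spyware|riskware|rootkit)\)$")
# A hit is "<path>" optionally followed by " (<action taken>)".
HIT_RE = re.compile(r"^(?P<path>.+?)(?: \((?P<action>[A-Za-z]+)\))?$")

def classify(path):
    """Bucket a hit by where it lives, which decides how much scrutiny it needs."""
    p = path.upper()
    if p == "SYSTEM":
        return "cookie"    # tracking cookie: no file to delete
    if "\\TEMPORARY INTERNET FILES\\" in p or "\\TEMP\\" in p:
        return "temp"      # browser cache: a temp-file cleaner removes it
    if p.startswith("C:\\RECYCLER\\"):
        return "recycle"   # already deleted by the user: empty the Recycle Bin
    if p.startswith("C:\\PROGRAM FILES\\"):
        return "program"   # installed software: verify with a multi-engine scan first
    return "other"

def triage_report(text):
    """Return {bucket: [(detection, path, action), ...]} for the Result section."""
    buckets, current = {}, None
    _, _, section = text.partition("Result:")      # empty section if no Result header
    for line in (l.strip() for l in section.splitlines()[1:]):
        if not line or line.startswith("----"):
            break                                  # end of the Result section
        m = DETECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current is not None:
            m = HIT_RE.match(line)
            hit = (current, m.group("path"), m.group("action") or "None")
            buckets.setdefault(classify(m.group("path")), []).append(hit)
    return buckets
```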
 

mapollo

New Member
I can't get into safe mode by tapping F8. It looks like my USB keyboard doesn't get power until Windows is loaded.

Would this work? If I go into msconfig and on the BOOT.INI tab check SAFEBOOT / minimal, then reboot.

I'm guessing I would have access to msconfig in safe mode to change it back.

Please advise....
 

ceewi1

VIP Member
Yes, that will work to get into Safe Mode, and yes, you are correct that you will need to change it back to get back to Normal Mode.
 

mapollo

New Member
Thanks for your help.

Temporary Internet files deleted by using ATF cleaner.

DIGIGUIDELITEUPGRADER.EXE file uploaded to http://virusscan.jotti.org

Results as follows...

Scan taken on 17 Dec 2007 12:04:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* Display message box (DigiGuide Lite) : Unable to restart program because: (0) ??, ??, .
* File length: 241664 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\DigiGuideLiteUpgrade.log.
* Deletes file lowcase.eml.
* Deletes file TEST.EML.
* Deletes file TEST.HTM.
* Deletes file lowcase.htm.
* Deletes file VBRULES.TXT.
* Deletes file GUNNAR.EXE.
* Deletes existing software modules.
* Deletes file WRITE.EXE.
* Deletes file RUNDLL32.EXE.
* Deletes file TEST.RAR.
* Deletes file WIN.INI.
* Deletes file WIN.COM.
* Deletes file SYSTEM.DAT.
* Deletes file USER.DAT.
* Deletes file CLASSES.DAT.
* Deletes file HOSTS.
* Deletes file EXPLORER.EXE.
* Deletes file NTOSKRNL.EXE.
* Deletes file ICMP.DLL.
* Deletes file DIGIGU~1.LOG.
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 

mapollo

New Member
The following file below showed up as a virus in an earlier scan.

W32/Malware (virus)
C:\PROGRAM FILES\DIGIGUIDE LITE TV GUIDE\DIGIGUIDELITEUPGRADER.EXE (Submitted)

ceewi1 wanted to know more about that file before doing anything with it. Hence the http://virusscan.jotti.org scan. I just uploaded the DIGIGUIDELITEUPGRADER.EXE file to the jotti site and scanned it. The results are as above. It looks like just one Anti-Virus prog had a problem with it.
 

jimkonow

New Member
Hmm... do you use a program relevant to that, or have a TV tuner hooked up to the PC? If not, I know a certain file that's gonna be deleted :)
 