Hijack this help please.

ceewi1

VIP Member
I'd say that's a false positive, everything I can find on that program indicates it is legitimate. If you use Digiguide Lite TV Guide, I'd say it's safe to keep it.
 

mapollo

New Member
I'm still having problems

Thanks in advance for your patience.

Today I'm still having problems. I thought we had sorted it.
It's a good job it's only spyware/virus and not a matter of life or death :)

OK. AVG is reporting lots of threats today, about a dozen. One example is wavvsnet.exe Trojan Horse SHeur.AHDR. I'm healing these as they show but they come back later.

I also noticed in Add/Remove Programs something called "outerinfo". I try to delete it and it tells me I don't have the right permissions to delete it, and then it hides and comes back later.

Latest Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:52, on 18/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7880 bytes
 

GameMaster

New Member
Ceewi mentioned something, as he won't come here today anymore, so I'll just try to help.
If that programme you saw in Add or Remove Programmes is a Trojan, of course you will not be able to remove it.
But you can do it using CCleaner or other uninstalling software. It's possible that all of the Trojans are placed there, so my advice is that you get CCleaner
http://www.filehippo.com/download/91d3b585c87e9a61236a9f922b94aadb/download/
and use Tools, choose a file and uninstall.
Otherwise, I don't know whether you tried SDFix http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
If not, download and save to desktop, run in safe mode.
 

ceewi1

VIP Member
Given that Outerinfo hasn't shown up in any of your logfiles so far, it's likely that the program has been removed, and we can just take out the entry in Add or Remove programs. Let's make sure of that first, though. I can also see that one of the folders we removed has reappeared, so we'll need to take care of that one as well.

Please delete your current version of ComboFix and download the new one (ComboFix) to your desktop. Double click ComboFix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

I'd also like to see the results of another online scan.

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add Or Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply along with the ComboFix log.
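The checks ceewi1 runs by eye on these logs (has a folder we removed reappeared, which O23 services have no identified vendor) can be scripted against the HijackThis log format. This is an added example, not a tool used in the thread: the log excerpt is constructed from the log posted above, and the watch list naming the ineWc01 folder is an assumption, since the post does not say which folder came back.

```python
"""Triage a HijackThis 2.0 log: parse it, count entries per section,
check whether a previously removed folder has reappeared, and flag
services whose vendor is 'Unknown owner'."""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [...] ..." -> section "O4", body after " - "
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-rooted path ending in a common executable/library extension;
# stops before quotes, brackets and parentheses that follow a path.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]()]*?\.(?:exe|dll|sys|cpl)", re.IGNORECASE)


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)   # (section, body) tuples


def parse_hijackthis(text):
    """Split a log into the running-process list and the numbered entries.
    Header lines (Logfile of..., Platform:...) match nothing and are skipped."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False          # process list ends at the first blank line
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group("section"), m.group("body")))
    return log


def section_counts(log):
    """How many entries each section (R1, O2, O4, O23, ...) contributed."""
    counts = {}
    for section, _ in log.entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


def referenced_paths(log):
    """Every file path the log points at: running processes plus the
    executables/DLLs named inside entries (quoted paths, args, RUNDLL32 targets)."""
    paths = list(log.processes)
    for _, body in log.entries:
        paths.extend(m.group(0) for m in PATH_RE.finditer(body))
    return paths


def find_reappeared(log, removed_folders):
    """Paths living under a folder believed removed earlier in the cleanup
    (case-insensitive prefix match); duplicates collapse to one hit."""
    prefixes = [f.lower().rstrip("\\") + "\\" for f in removed_folders]
    hits = {p for p in referenced_paths(log)
            if any(p.lower().startswith(pre) for pre in prefixes)}
    return sorted(hits)


def unknown_owner_services(log):
    """O23 service paths whose vendor field is 'Unknown owner'. These are the
    services a helper looks up first; unknown owner alone is not proof of malware."""
    flagged = []
    for section, body in log.entries:
        if section != "O23":
            continue
        # body is "Service: <name> - <owner> - <path>"; the name may contain " - "
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1] == "Unknown owner":
            flagged.append(parts[2])
    return flagged


# Constructed excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:52, on 18/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\WINDOWS\system32\ineWc01\ineWc011065.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""

# Assumed watch list: folders removed in an earlier round of the cleanup.
WATCHED_FOLDERS = [r"C:\WINDOWS\system32\ineWc01"]

if __name__ == "__main__":
    log = parse_hijackthis(SAMPLE_LOG)
    print("entries per section:", section_counts(log))
    print("reappeared under watched folders:", find_reappeared(log, WATCHED_FOLDERS))
    print("services with unknown owner:", unknown_owner_services(log))
```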
 

mapollo

New Member
So first I took out "outerinfo" entry in add remove/programs using CCleaner. I use that program often but didn't realise it can be used to remove programs. I do now.

Then I ran the new copy of Combofix. Log is below. I lost my internet after the restart but typing netsh winsock reset into the cmd prompt worked. I encountered that LSP problem last week so I knew how to fix it.

Combofix log

ComboFix 07-12-19.3 - David 2007-12-19 8:02:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.587 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-18 18:30 . 2007-12-18 18:30 <DIR> d-------- C:\Temp\tpBe12
2007-12-18 18:30 . 2007-12-19 08:05 <DIR> d-------- C:\Temp
2007-12-17 19:22 . 2007-12-18 18:32 <DIR> d-------- C:\WINDOWS\system32\zfd1
2007-12-17 19:22 . 2007-12-18 18:32 <DIR> d-------- C:\WINDOWS\system32\yb2
2007-12-17 19:22 . 2007-12-17 19:22 <DIR> d-------- C:\WINDOWS\system32\qui4
2007-12-17 19:22 . 2007-12-17 19:22 <DIR> d-------- C:\WINDOWS\system32\ineWc01
2007-12-15 19:19 . 2007-12-17 16:29 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d--hs---- C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d-------- C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-12 22:32 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54 244 --ah----- C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54 232 --ah----- C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-19 07:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32 <DIR> d-------- C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30 <DIR> d-------- C:\MAVS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42 --------- d-----w C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59 --------- d-----w C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05 --------- d-----w C:\Program Files\LimeWire
2007-12-10 19:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-08 21:12 --------- d-----w C:\Program Files\BlackHole
2007-12-08 21:05 --------- d-----w C:\Program Files\Safari
2007-12-08 21:01 --------- d-----w C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49 --------- d-----w C:\Program Files\Azureus
2007-12-03 12:49 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42 --------- d-----w C:\Program Files\iTunes
2007-12-01 14:35 --------- d-----w C:\Program Files\Apple Software Update
2007-11-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37 --------- d-----w C:\Program Files\Java
2007-11-17 18:59 --------- d-----w C:\Program Files\MP3 Audio Converter
2007-11-16 21:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07 --------- d-----w C:\Program Files\mp3DirectCut
2007-11-04 19:57 --------- d-----w C:\Program Files\Fast Color Codes
2007-11-03 13:49 --------- d-----w C:\Program Files\Winamp
2007-11-02 23:27 --------- d-----w C:\Program Files\NewsReactor
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03 2,750 ----a-w C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36 2,252 ----a-w C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32 9,876 -c--a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05 44,544 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41 40,484 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52 114 -c--a-w C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53 28,936 -c--a-w C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05 456,768 ----a-w C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29 33,743 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42 33,084 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58 35,232 ----a-w C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58 26,112 ----a-w C:\WINDOWS\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_ 7.50.20.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2007-12-12 11:50:02 32,768 ----a-w C:\WINDOWS\system32\ineWc01\ineWc011065.exe
+ 2007-08-03 01:44:02 169,147 ----a-w C:\WINDOWS\system32\qui4\qopre83122.exe
- 2007-07-22 18:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2004-05-18 17:19:08 17,129 ----a-w C:\WINDOWS\system32\tcpdiss.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 08:05:11
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 8:05:35
 

mapollo

New Member
And the Kaspersky online scanner log

I'm in London until Thursday afternoon UK time. I'll pick up your reply/advice then.

Here's the Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 19, 2007 10:05:26 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2135 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/12/2007
Kaspersky Anti-Virus database records: 487478
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 94306
Number of viruses found: 8
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 00:51:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\David\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\dfsr.db Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\fsr.log Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\fsrtmp.log Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_8AA0_EA5_A00E_9839\tmp.edb Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012007121920071220\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\~DF1856.tmp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\~DF9580.tmp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temp\~DF958B.tmp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\David\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus\setup.exe NSIS: infected - 3 skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip/setup.exe Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip ZIP: infected - 4 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP3\A0001126.exe Infected: Trojan-Downloader.Win32.Agent.gat skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP3\A0001127.exe Infected: Trojan-Downloader.Win32.Agent.gat skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001204.exe Infected: Trojan-Downloader.Win32.Agent.gat skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001208.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001218.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001219.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxe skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001224.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001318.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001318.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP5\A0001473.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP5\A0001474.exe Infected: Trojan-Downloader.Win32.Small.gzs skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP5\A0001475.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP6\A0001485.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP6\A0001485.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\qui4\qopre83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\qui4\qopre83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\tcpdiss.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\today.exe/csrss.exe Infected: not-a-virus:AdWare.Win32.Dm.ab skipped
C:\WINDOWS\today.exe/RRToday.dll Infected: not-a-virus:AdWare.Win32.Dm.ab skipped
C:\WINDOWS\today.exe ZIP: infected - 2 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
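The report above mixes three kinds of lines: locked system files the scanner could not open (normal for hives and event logs), signature hits on files still on disk, and hits on copies that System Restore has tucked away under RP<n> and that only go away when System Restore is cleared. The following script, an added example for this thread and not code from Kaspersky, HijackThis or ComboFix, parses that line format and separates the three so the on-disk files to remove stand out; the SAMPLE lines are constructed from the report's format.

```python
"""Summarise scanner result lines of the kind pasted above.

Added example; SAMPLE is constructed from the format of the report above.
"""
import re
from collections import defaultdict

# A result line is "<path> <status> skipped", where <status> is one of
#   Object is locked              - in use, the scanner could not open it
#   Infected: <detection-name>    - signature hit on a file or archive member
#   <ARCHIVER>: infected - <n>    - per-container count (NSIS, ZIP, ...)
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<archiver>[A-Z0-9]+): infected - (?P<count>\d+))"
    r" skipped$"
)
# System Restore keeps copies of removed files under RP<n>; a restore brings
# them back, and they are only purged by clearing System Restore.
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{")

SAMPLE = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{5DB408FA-B333-411C-A99B-3870D68A5F6E}\RP4\A0001206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.byj skipped
C:\WINDOWS\system32\qui4\qopre83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\qui4\qopre83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\today.exe/csrss.exe Infected: not-a-virus:AdWare.Win32.Dm.ab skipped
C:\WINDOWS\today.exe/RRToday.dll Infected: not-a-virus:AdWare.Win32.Dm.ab skipped
C:\WINDOWS\today.exe ZIP: infected - 2 skipped
Scan process completed.
"""


def parse_line(line):
    """Parse one result line; return None for lines that are not results."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    full = m.group("path")
    # Members of an archive or installer are written "<archive>/<member>".
    archive, sep, member = full.partition("/")
    if m.group("locked"):
        status = "locked"
    elif m.group("detection"):
        status = "infected"
    else:
        status = "archive"
    return {
        "path": archive,           # on-disk file (the archive itself for members)
        "member": member if sep else None,
        "status": status,
        "detection": m.group("detection"),
        "in_restore_point": RESTORE_RE.match(archive) is not None,
    }


def summarise(lines):
    """Group detections by on-disk file, with restore-point copies split out."""
    live, restore = defaultdict(list), defaultdict(list)
    locked = archives = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "locked":
            locked += 1
        elif rec["status"] == "archive":
            archives += 1
        elif rec["in_restore_point"]:
            restore[rec["path"]].append(rec["detection"])
        else:
            live[rec["path"]].append(rec["detection"])
    return {"live": dict(live), "restore_point": dict(restore),
            "locked": locked, "archives": archives}


if __name__ == "__main__":
    result = summarise(SAMPLE.splitlines())
    print("Files still on disk:")
    for path, names in result["live"].items():
        print(f"  {path}  <- {', '.join(sorted(set(names)))}")
    print("Restore-point copies (clear System Restore once the machine is clean):")
    for path in result["restore_point"]:
        print(f"  {path}")
    print(f"locked objects: {result['locked']}, archive summaries: {result['archives']}")
```

Each archive member is reported on its own line and then the container gets a count line, so the script keys everything by the on-disk path; that is why `today.exe` shows up once with two detections rather than three separate items.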
 

ceewi1

VIP Member
OK, no rush on my part :)

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\qui4
    C:\WINDOWS\today.exe
    C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus
    C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip
    C:\Temp
    C:\WINDOWS\system32\zfd1
    C:\WINDOWS\system32\yb2
    C:\WINDOWS\system32\ineWc01


  • Return to OTMoveIt, right click on the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply along with a new ComboFix log.
  • Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 

mapollo

New Member
OTMoveIt results...


C:\WINDOWS\system32\qui4 moved successfully.
C:\WINDOWS\today.exe moved successfully.
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus moved successfully.
C:\Documents and Settings\David\Shared\[Full] paint picture windows with Bonus.zip moved successfully.
C:\Temp\tpBe12 moved successfully.
C:\Temp moved successfully.
C:\WINDOWS\system32\zfd1 moved successfully.
C:\WINDOWS\system32\yb2 moved successfully.
C:\WINDOWS\system32\ineWc01 moved successfully.

Created on 12/20/2007 16:13:41
 

mapollo

New Member
And now the ComboFix log, as requested.

ComboFix 07-12-19.3 - David 2007-12-20 16:51:07.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-19 08:18 . 2007-12-19 08:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 08:18 . 2007-12-19 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-15 19:19 . 2007-12-17 16:29 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d--hs---- C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d-------- C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-12 22:32 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54 244 --ah----- C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54 232 --ah----- C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-20 16:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32 <DIR> d-------- C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2007-11-20 08:04 . 2007-11-20 10:30 <DIR> d-------- C:\MAVS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42 --------- d-----w C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59 --------- d-----w C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05 --------- d-----w C:\Program Files\LimeWire
2007-12-10 19:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-08 21:12 --------- d-----w C:\Program Files\BlackHole
2007-12-08 21:05 --------- d-----w C:\Program Files\Safari
2007-12-08 21:01 --------- d-----w C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49 --------- d-----w C:\Program Files\Azureus
2007-12-03 12:49 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42 --------- d-----w C:\Program Files\iTunes
2007-12-01 14:35 --------- d-----w C:\Program Files\Apple Software Update
2007-11-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37 --------- d-----w C:\Program Files\Java
2007-11-17 18:59 --------- d-----w C:\Program Files\MP3 Audio Converter
2007-11-16 21:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07 --------- d-----w C:\Program Files\mp3DirectCut
2007-11-04 19:57 --------- d-----w C:\Program Files\Fast Color Codes
2007-11-03 13:49 --------- d-----w C:\Program Files\Winamp
2007-11-02 23:27 --------- d-----w C:\Program Files\NewsReactor
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03 2,750 ----a-w C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36 2,252 ----a-w C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32 9,876 -c--a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05 44,544 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41 40,484 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52 114 -c--a-w C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53 28,936 -c--a-w C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05 456,768 ----a-w C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29 33,743 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42 33,084 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58 35,232 ----a-w C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58 26,112 ----a-w C:\WINDOWS\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_ 7.50.20.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-22 18:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2004-05-18 17:19:08 17,129 ----a-w C:\WINDOWS\system32\tcpdiss.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
C:\WINDOWS\system32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 16:53:01
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-20 16:53:28
C:\ComboFix2.txt ... 2007-12-19 08:05
 

ceewi1

VIP Member
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\tcpdiss.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

How is your system running now?
 

mapollo

New Member
Latest ComboFix log after running CFScript.txt. I'll post how my machine is running later.

ComboFix 07-12-19.3 - David 2007-12-21 7:57:05.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\tcpdiss.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tcpdiss.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-20 17:26 . 2007-12-20 17:26 <DIR> d-------- C:\WINDOWS\system32\ineWc01
2007-12-20 17:26 . 2007-12-20 17:26 <DIR> d-------- C:\Temp\tpBe12
2007-12-20 17:26 . 2007-12-20 17:26 <DIR> d-------- C:\Temp
2007-12-19 08:18 . 2007-12-19 08:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 08:18 . 2007-12-19 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-15 19:19 . 2007-12-17 16:29 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d--hs---- C:\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> d-------- C:\Documents and Settings\David\Application Data\SpyGuardPro
2007-12-14 14:32 . 2007-12-14 14:32 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-12 22:32 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54 244 --ah----- C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54 232 --ah----- C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-21 07:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32 <DIR> d-------- C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42 --------- d-----w C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59 --------- d-----w C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05 --------- d-----w C:\Program Files\LimeWire
2007-12-10 19:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-08 21:12 --------- d-----w C:\Program Files\BlackHole
2007-12-08 21:05 --------- d-----w C:\Program Files\Safari
2007-12-08 21:01 --------- d-----w C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49 --------- d-----w C:\Program Files\Azureus
2007-12-03 12:49 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42 --------- d-----w C:\Program Files\iTunes
2007-12-01 14:35 --------- d-----w C:\Program Files\Apple Software Update
2007-11-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37 --------- d-----w C:\Program Files\Java
2007-11-17 18:59 --------- d-----w C:\Program Files\MP3 Audio Converter
2007-11-16 21:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07 --------- d-----w C:\Program Files\mp3DirectCut
2007-11-04 19:57 --------- d-----w C:\Program Files\Fast Color Codes
2007-11-03 13:49 --------- d-----w C:\Program Files\Winamp
2007-11-02 23:27 --------- d-----w C:\Program Files\NewsReactor
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03 2,750 ----a-w C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36 2,252 ----a-w C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-09-22 21:32 9,876 -c--a-w C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-08-28 10:05 44,544 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41 40,484 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52 114 -c--a-w C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53 28,936 -c--a-w C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05 456,768 ----a-w C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29 33,743 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42 33,084 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58 35,232 ----a-w C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58 26,112 ----a-w C:\WINDOWS\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_ 7.50.20.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
+ 2007-12-12 11:50:02 32,768 ----a-w C:\WINDOWS\system32\ineWc01\ineWc011065.exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-22 18:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-12 22:19]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 07:59:16
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 7:59:40
C:\ComboFix2.txt ... 2007-12-20 16:53
C:\ComboFix3.txt ... 2007-12-19 08:05
 

ceewi1

VIP Member
Still a few more to get:
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\Documents and Settings\David\Application Data\wklnhst.dat
    
    Folder::
    C:\Temp
    C:\SpyGuardPro
    C:\Documents and Settings\David\Application Data\SpyGuardPro
    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\WINDOWS\system32\ineWc01
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    CFScript.gif



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
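Added example (not code from this thread, and not part of ComboFix): a Python cross-check that parses the File::/Folder:: sections of a CFScript like the one above and the FILE / Other Deletions sections of the ComboFix log it produces, then reports which scripted paths the log confirms as removed. The embedded script and log excerpt are constructed from this thread, with C:\Temp deliberately left out of the log to show how an unconfirmed entry is reported.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.
Added example, not code from the thread or from ComboFix: parses the
File::/Folder:: sections of CFScript.txt and the FILE / Other Deletions
sections of the log, then reports confirmed, unconfirmed and unexpected deletions."""
import re

# Constructed CFScript, mirroring the one posted in the thread.
SAMPLE_CFSCRIPT = """\
File::
C:\\Documents and Settings\\David\\Application Data\\wklnhst.dat

Folder::
C:\\Temp
C:\\SpyGuardPro
C:\\Documents and Settings\\David\\Application Data\\SpyGuardPro
C:\\Documents and Settings\\All Users\\Application Data\\SalesMon
C:\\WINDOWS\\system32\\ineWc01
"""

# Constructed ComboFix log excerpt; C:\Temp is deliberately absent so the
# report shows an unconfirmed entry.
SAMPLE_LOG = """\
FILE
C:\\Documents and Settings\\David\\Application Data\\wklnhst.dat
.

((((((((((((((((((( Other Deletions )))))))))))))))))))
.

C:\\Documents and Settings\\All Users\\Application Data\\SalesMon
C:\\Documents and Settings\\David\\Application Data\\SpyGuardPro
C:\\Documents and Settings\\David\\Application Data\\wklnhst.dat
C:\\SpyGuardPro
C:\\WINDOWS\\system32\\ineWc01
C:\\WINDOWS\\system32\\ineWc01\\ineWc011065.exe
.
((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")     # "File::", "Folder::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # "(((( Other Deletions ))))"
PATH_RE = re.compile(r"^[A-Za-z]:\\")           # drive-rooted Windows path


def parse_cfscript(text):
    """Return {section: [paths]} for a CFScript; blank lines are ignored."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_deletions(text):
    """Return lower-cased paths (NTFS is case-insensitive) that the log's FILE
    echo block and 'Other Deletions' section list as removed."""
    removed, section = set(), None
    for line in (ln.rstrip() for ln in text.splitlines()):
        m = BANNER_RE.match(line)
        if m:
            section = m.group(1)   # every banner starts a new section
        elif line == "FILE":
            section = "FILE"       # ComboFix echoes the File:: entries here
        elif section in ("FILE", "Other Deletions") and PATH_RE.match(line):
            removed.add(line.lower())
    return removed


def check_script_against_log(script_text, log_text):
    """Return (confirmed, unconfirmed, unexpected): scripted paths the log
    confirms removed, scripted paths it never mentions, and logged deletions
    that are neither a scripted path nor inside a scripted folder."""
    sections = parse_cfscript(script_text)
    scripted = sections.get("File", []) + sections.get("Folder", [])
    removed = parse_combofix_deletions(log_text)
    roots = [p.lower() for p in scripted]
    confirmed = [p for p in scripted if p.lower() in removed]
    unconfirmed = [p for p in scripted if p.lower() not in removed]
    unexpected = sorted(p for p in removed
                        if not any(p == r or p.startswith(r + "\\") for r in roots))
    return confirmed, unconfirmed, unexpected


if __name__ == "__main__":
    ok, missing, extra = check_script_against_log(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print("confirmed removed:", *ok, sep="\n  ")
    print("NOT confirmed, re-check:", *missing, sep="\n  ")
    print("deleted outside the script:", *(extra or ["none"]), sep="\n  ")
```

Child entries such as ineWc011065.exe count as expected because they sit inside a scripted folder; anything else in Other Deletions would be listed as an unexpected deletion worth a second look.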
 

mapollo

New Member
Latest combofix log....

ComboFix 07-12-19.3 - David 2007-12-21 13:54:43.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.613 [GMT 0:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScripts.txt
* Created a new restore point

FILE
C:\Documents and Settings\David\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Documents and Settings\David\Application Data\SpyGuardPro
C:\Documents and Settings\David\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\David\Application Data\wklnhst.dat
C:\SpyGuardPro
C:\Temp
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\ineWc01\ineWc011065.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-21 to 2007-12-21 )))))))))))))))))))))))))))))))
.

2007-12-19 08:18 . 2007-12-19 08:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-19 08:18 . 2007-12-19 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\David\Application Data\PrevxCSI
2007-12-18 23:08 . 2007-12-18 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-15 19:19 . 2007-12-17 16:29 <DIR> d-------- C:\Documents and Settings\Kids\Application Data\AVG7
2007-12-14 23:15 . 2007-12-14 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-12 22:32 . 2007-12-12 22:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 22:19 . 2007-12-19 08:01 <DIR> d-------- C:\Documents and Settings\David\Application Data\AVG7
2007-12-12 22:19 . 2007-12-12 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 22:19 . 2007-12-13 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 21:54 . 2007-12-12 21:54 244 --ah----- C:\sqmnoopt04.sqm
2007-12-12 21:54 . 2007-12-12 21:54 232 --ah----- C:\sqmdata04.sqm
2007-12-06 09:46 . 2007-12-06 09:46 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2007-12-01 14:43 . 2007-12-21 11:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:43 . 2007-12-01 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\QuickTime
2007-12-01 14:42 . 2007-12-01 14:42 <DIR> d-------- C:\Program Files\iPod
2007-11-23 08:27 . 2007-11-23 08:32 <DIR> d-------- C:\Program Files\BoardMod
2007-11-21 15:30 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 21:42 --------- d-----w C:\Documents and Settings\David\Application Data\Canon
2007-12-17 19:59 --------- d-----w C:\Program Files\DigiGuide Lite TV Guide
2007-12-12 08:05 --------- d-----w C:\Program Files\LimeWire
2007-12-10 19:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-08 21:12 --------- d-----w C:\Program Files\BlackHole
2007-12-08 21:05 --------- d-----w C:\Program Files\Safari
2007-12-08 21:01 --------- d-----w C:\Program Files\Apollo DivX to DVD Creator
2007-12-03 12:49 --------- d-----w C:\Program Files\Azureus
2007-12-03 12:49 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2007-12-01 14:42 --------- d-----w C:\Program Files\iTunes
2007-12-01 14:35 --------- d-----w C:\Program Files\Apple Software Update
2007-11-20 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-19 15:37 --------- d-----w C:\Program Files\Java
2007-11-17 18:59 --------- d-----w C:\Program Files\MP3 Audio Converter
2007-11-16 21:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-11 23:07 --------- d-----w C:\Program Files\mp3DirectCut
2007-11-04 19:57 --------- d-----w C:\Program Files\Fast Color Codes
2007-11-03 13:49 --------- d-----w C:\Program Files\Winamp
2007-11-02 23:27 --------- d-----w C:\Program Files\NewsReactor
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-09-28 07:03 2,750 ----a-w C:\Documents and Settings\David\Passwords.zip
2007-09-11 07:36 2,252 ----a-w C:\Documents and Settings\David\MAVSpasswords11_09_2007.zip
2006-08-28 10:05 44,544 -c--a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-01-01 17:41 40,484 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_01_01_10_48_44_small.dmp.zip
2005-12-10 12:52 114 -c--a-w C:\Documents and Settings\Kids\Application Data\wklnhst.dat
2005-10-18 16:53 28,936 -c--a-w C:\Documents and Settings\Kids\Application Data\GDIPFONTCACHEV1.DAT
2005-09-20 10:05 456,768 ----a-w C:\WINDOWS\inf\WG311T\WG311T13.sys
2005-08-10 06:29 33,743 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_09_23_33_11_small.dmp.zip
2005-08-03 16:42 33,084 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2005_08_03_14_12_51_small.dmp.zip
2004-10-19 18:58 35,232 ----a-w C:\WINDOWS\inf\WG311T\ME_INST.EXE
2004-10-19 18:58 26,112 ----a-w C:\WINDOWS\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_ 7.50.20.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 16:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 16:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 16:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2004-11-02 13:41:52 516,832 ----a-w C:\WINDOWS\system32\capicom.dll
- 2007-12-12 22:19:17 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2007-12-21 11:39:38 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-12-12 22:19:17 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-12-21 11:39:34 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-07-22 18:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-13 21:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sticky Pad"="C:\Program Files\StickyPad\StickyPad.exe" [2007-04-23 22:13]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2004-09-02 07:25]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 09:44]
"NvCplDaemon"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-09-30 05:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-05-18 17:19 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-23 19:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 11:39]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-05-18 17:18]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-12 22:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 10:59:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IDW Logging Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IDW Logging Tool.lnk
backup=C:\WINDOWS\pss\IDW Logging Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^Active To-Do List.LNK]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\Active To-Do List.LNK
backup=C:\WINDOWS\pss\Active To-Do List.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]
path=C:\Documents and Settings\David\Start Menu\Programs\Startup\³¬¼¶²¥°Ô.lnk
backup=C:\WINDOWS\pss\³¬¼¶²¥°Ô.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pbmini]
C:\Program Files\pcast\PodcastbarMini\PodcastBarMiniStater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2006-09-09 09:16 196608 --a------ C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a--c--- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 08:47]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\ET5\markfun.w32 [2003-04-15 09:16]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 14:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 13:57:00
Windows 5.1.2600 Service Pack 2, v.2135 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-21 13:57:23
C:\ComboFix2.txt ... 2007-12-21 07:59
C:\ComboFix3.txt ... 2007-12-20 16:53
 

mapollo

New Member
and latest Hijack this log as requested..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:26, on 21/12/2007
Platform: Windows XP SP2, v.2135 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2135)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\StickyPad\StickyPad.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://www.eversoft.co.kr/vmpinstal.../ultramobile/web3d/np_q1_v000suk/page_q1.html
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{718E5D2F-9E83-4D5B-A2BE-2E5C47262ED8}: NameServer = 192.168.1.1
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7936 bytes
 

ceewi1

VIP Member
There's only one entry in your HijackThis log left that I'd recommend removing.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:

Please close all open windows except for HijackThis and choose Fix checked.

How is your system running now?
 

mapollo

New Member
How is your system running now?

It seems to have run fine now for the last 36 hours or so. Thanks to you my friend.

I deleted the last entry as suggested.

It took a while and a great deal of patience from you and I thank you (again) for that.

Happy holidays.
 

ceewi1

VIP Member
You're most welcome, I'm glad the problem is solved. Merry Christmas and a Happy New Year!

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

I notice you are running Spybot, which is good. You might also want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs, and will work alongside Spybot to protect you:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 