Old 10-22-2007, 11:20 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2007
Location: south yorkshire, uk.
Posts: 16
OS: xp media


unknown 04 start up ?

Good morning all.

Please would someone tell me what this 04 entry / process is? I have tried Google/CastleCops and cannot find any info on it.

Many thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:13:42, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\cvisvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Volume Shadow Installer] cvisvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1156165100000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156165090984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 4946 bytes

Last edited by heyup : 10-22-2007 at 11:21 PM.
heyup is offline  
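The question above is how to triage an O4 (Run key / startup folder) entry from a HijackThis log. As an added example, not code from the thread or from HijackThis, here is a small Python parser that reads the O4 lines of the log posted above and flags the two things an analyst would notice first: a command that is a bare filename with no path (the entry asked about), and an unquoted path containing spaces. The `O4Entry`, `triage` and `flagged` names and the heuristics are mine; the sample lines are copied from the log in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# O4 lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Volume Shadow Installer] cvisvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
""".strip().splitlines()

# "O4 - <hive>\..\Run: [<value name>] <command> (User '<user>')" - the user suffix is optional.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<label>[^\]]*)\] "
    r"(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# "O4 - Startup: <shortcut>.lnk = <target>" (also "Global Startup").
STARTUP_RE = re.compile(r"^O4 - (?P<folder>(?:Global )?Startup): (?P<label>.+?) = (?P<command>.+)$")
# For an unquoted command, the executable ends at the first executable extension.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(?P<args>.*))?$", re.IGNORECASE)


@dataclass
class O4Entry:
    location: str                # registry hive/path or startup folder holding the entry
    label: str                   # value name, or .lnk name for startup-folder entries
    command: str                 # raw command as logged
    executable: str              # executable the command resolves to, as best we can tell
    user: str = ""               # user context HijackThis reported, if any
    findings: List[str] = field(default_factory=list)


def split_command(command: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a logged command."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip(), True
    m = EXE_RE.match(command)
    if m:
        return m.group("exe"), m.group("args") or "", False
    head, _, tail = command.partition(" ")
    return head, tail, False


def assess(executable: str, quoted: bool) -> List[str]:
    """Heuristic findings about the executable reference (my own checks, not HijackThis's)."""
    findings = []
    if "\\" not in executable and ":" not in executable:
        findings.append("bare filename: no path recorded, so the binary is resolved at logon "
                        "and cannot be located from the log line alone")
    elif " " in executable and not quoted:
        findings.append("unquoted path containing spaces")
    return findings


def triage(lines: List[str]) -> List[O4Entry]:
    """Parse O4 Run and Startup lines into O4Entry records with findings attached."""
    entries = []
    for line in lines:
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            exe, _args, quoted = split_command(m.group("command"))
            entries.append(O4Entry(m.group("hive"), m.group("label"), m.group("command"),
                                   exe, m.group("user") or "", assess(exe, quoted)))
            continue
        m = STARTUP_RE.match(line)
        if m:
            exe, _args, quoted = split_command(m.group("command"))
            entries.append(O4Entry(m.group("folder"), m.group("label"), m.group("command"),
                                   exe, "", assess(exe, quoted)))
    return entries


def flagged(entries: List[O4Entry]) -> dict:
    """Map label -> findings for every entry that has at least one finding."""
    return {e.label: e.findings for e in entries if e.findings}


if __name__ == "__main__":
    for label, findings in flagged(triage(SAMPLE_O4_LINES)).items():
        print(f"[{label}] " + "; ".join(findings))
```

Run against the lines from the post, the only bare-filename hit is `[Volume Shadow Installer] cvisvc.exe`, which is exactly why it could not be researched by name: the log gives no path, and the DSS registry dump later in the thread is what pins it to `C:\WINDOWS\system32\cvisvc.exe`.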
Old 10-23-2007, 08:09 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: unknown 04 start up ?

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\cvisvc.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Please also do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 10-23-2007, 11:42 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2007
Location: south yorkshire, uk.
Posts: 16
OS: xp media


Re: unknown 04 start up ?

Thanks tetonbob.

I do not like the look of that VirusTotal scan!!
I work all day, so I am sorry for any delay in getting back to you; I hope I have attached the extra text ok?

Cheers and thanks for your help.


VirusTotal results:

Antivirus Version Last Update Result
AhnLab-V3 2007.10.24.0 2007.10.23 Win32/IRCBot.worm.10752.B
AntiVir 7.6.0.27 2007.10.23 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.10.23 Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast 4.7.1051.0 2007.10.22 -
AVG 7.5.0.488 2007.10.23 -
BitDefender 7.2 2007.10.23 Trojan.Peed.Gen
CAT-QuickHeal 9.00 2007.10.23 -
ClamAV 0.91.2 2007.10.23 -
DrWeb 4.44.0.09170 2007.10.23 BackDoor.IRC.Tiny
eSafe 7.0.15.0 2007.10.22 suspicious Trojan/Worm
eTrust-Vet 31.2.5233 2007.10.23 Win32/Slenfbot!generic
Ewido 4.0 2007.10.23 -
FileAdvisor 1 2007.10.23 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 W32/Threat-HLLSI-based!Maximus
F-Secure 6.70.13030.0 2007.10.23 Backdoor.Win32.IRCBot.alr
Ikarus T3.1.1.12 2007.10.23 Trojan.Peed
Kaspersky 7.0.0.125 2007.10.23 Backdoor.Win32.IRCBot.alr
Microsoft 1.2908 2007.10.23 -
NOD32v2 2610 2007.10.23 -
Norman 5.80.02 2007.10.23 W32/Ircbot.YDZ
Panda 9.0.0.4 2007.10.23 Suspicious file
Prevx1 V2 2007.10.23 Heuristic: Suspicious File With Bad Parent Associations
Rising 19.46.12.00 2007.10.23 Backdoor.Win32.IRCbot.vic
Sophos 4.22.0 2007.10.23 Mal/HckPk-A
Sunbelt 2.2.907.0 2007.10.23 Trojan.Peed.Gen
Symantec 10 2007.10.23 -
TheHacker 6.2.9.105 2007.10.23 Backdoor/IRCBot.alr
VBA32 3.12.2.4 2007.10.22 -
VirusBuster 4.3.26:9 2007.10.23 -
Additional information
File size: 10752 bytes
MD5: ebe5960cbe52d20b78e433fbbd5998bc
SHA1: 74ef9e8aca3c0daee252ed3a08fb914df64221da
Prevx info: http://fileinfo.prevx.com/fileinfo.a...444D0084C089C8




Deckard's System Scanner v20071014.68
Run by shaun wade on 2007-10-23 18:28:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
129: 2007-10-23 17:28:26 UTC - RP178 - Deckard's System Scanner Restore Point
128: 2007-10-23 16:25:12 UTC - RP177 - System Checkpoint
127: 2007-10-21 20:53:35 UTC - RP176 - System Checkpoint
126: 2007-10-20 03:44:09 UTC - RP175 - System Checkpoint
125: 2007-10-18 16:32:06 UTC - RP174 - System Checkpoint


-- First Restore Point --
1: 2007-07-25 04:20:47 UTC - RP50 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as shaun wade.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:34, on 23/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\cvisvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MSNMES~2\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\shaun wade\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\shaun wade.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [Volume Shadow Installer] cvisvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1156165100000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156165090984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 5069 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071012-032928-753 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071012-032928-920 O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
backup-20071012-164734-871 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071012-171838-621 O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071012-171838-704 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071013-070252-365 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071013-130324-487 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
backup-20071014-113102-516 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071014-113117-243 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
backup-20071018-062702-401 O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
backup-20071018-062702-579 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20071018-062702-621 O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
backup-20071018-070023-860 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20071022-053947-246 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 hwinterface - c:\windows\system32\drivers\hwinterface.sys <Not Verified; Logix4u; hwinterface Driver Version 1.1>
R3 scrcap - c:\windows\system32\drivers\scrcap.sys <Not Verified; ZD Soft; ZD Soft Screen Capture Series>

S2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 MEMSWEEP2 - c:\windows\system32\53.tmp (file missing)
S3 nocashio - c:\windows\system32\drivers\nocashio.sys
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 SC - c:\docume~1\shaunw~1\locals~1\temp\sc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-21 13:03:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-09-23 and 2007-10-23 -----------------------------

2007-10-22 19:09:37 10752 -r-hs---- C:\WINDOWS\system32\cvisvc.exe
2007-10-22 16:30:52 0 dr-h----- C:\Documents and Settings\shaun wade\Recent
2007-10-20 19:59:41 0 dr-h----- C:\Documents and Settings\kieran wade\Recent
2007-10-13 13:01:22 0 d-------- C:\Program Files\Common Files\Java
2007-10-12 22:31:13 0 d-------- C:\Program Files\THQ
2007-10-08 20:39:30 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-10-07 20:36:30 0 d-------- C:\Program Files\Immortals Online
2007-10-07 00:07:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2007-10-02 22:45:37 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-10-02 21:21:48 0 d-------- C:\Documents and Settings\kieran wade\048298C9A4D3490B9FF9AB023A9238F3.TMP
2007-10-01 17:10:42 0 d-------- C:\Toolbars
2007-10-01 17:10:42 0 d-------- C:\Plugins
2007-10-01 17:10:42 0 d-------- C:\Languages
2007-10-01 17:10:42 0 d-------- C:\Html
2007-09-30 21:34:00 0 d-------- C:\Program Files\Microsoft Games
2007-09-25 21:31:49 0 d--h----- C:\Documents and Settings\kieran wade\Application Data\ijjigame
2007-09-25 21:25:35 0 d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2007-09-25 20:52:19 0 d-------- C:\ijji
2007-09-24 22:35:31 0 d-------- C:\Program Files\Wolfenstein - Enemy Territory
2007-09-24 18:31:05 0 d-------- C:\Documents and Settings\kieran wade\Application Data\Xfire
2007-09-24 18:29:17 0 d-------- C:\Documents and Settings\shaun wade\Application Data\Xfire
2007-09-24 18:29:15 0 d-------- C:\Program Files\Xfire


-- Find3M Report ---------------------------------------------------------------

2007-10-23 11:30:30 19110 --a------ C:\Documents and Settings\shaun wade\Application Data\wklnhst.dat
2007-10-23 06:37:21 0 d-------- C:\Documents and Settings\shaun wade\Application Data\AVG7
2007-10-19 06:08:48 0 d-------- C:\Program Files\SpywareBlaster
2007-10-17 17:31:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-17 17:08:45 0 d-------- C:\Program Files\id Software
2007-10-17 06:12:39 0 d-------- C:\Program Files\SpywareGuard
2007-10-13 13:01:49 0 d-------- C:\Program Files\Java
2007-10-13 13:01:22 0 d-------- C:\Program Files\Common Files
2007-10-12 22:29:43 0 d-------- C:\Program Files\Common Files\InstallShield
2007-10-12 16:40:39 0 d-------- C:\Program Files\CyberLink
2007-10-12 0550 0 d-------- C:\Documents and Settings\shaun wade\Application Data\SiteAdvisor
2007-10-11 21:49:23 0 d-------- C:\Program Files\Last.fm
2007-10-01 05:40:17 0 d-------- C:\Program Files\Lavalys
2007-09-23 16:19:16 0 d-------- C:\Program Files\blueMSX
2007-09-22 17:05:04 0 d-------- C:\Documents and Settings\shaun wade\Application Data\Uniblue
2007-09-15 07:43:47 0 d-------- C:\Documents and Settings\shaun wade\Application Data\OfficeUpdate12
2007-09-15 00:50:11 684 --a------ C:\WINDOWS\mozver.dat
2007-09-15 00:50:08 0 d-------- C:\Program Files\DivX
2007-09-09 07:09:35 0 d-------- C:\Program Files\SiteAdvisor
2007-09-08 17:44:53 0 d-------- C:\Program Files\Lavasoft
2007-09-08 17:44:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 17:32:01 0 d-------- C:\Documents and Settings\shaun wade\Application Data\Lavasoft
2007-09-08 16:41:40 0 d-------- C:\Program Files\Trend Micro
2007-09-01 16:05:07 0 d-------- C:\Documents and Settings\shaun wade\Application Data\CyberLink
2007-09-01 15:54:24 0 d-------- C:\Program Files\Autodesk
2007-08-30 06:29:35 0 d-------- C:\Documents and Settings\shaun wade\Application Data\Creative
2007-08-15 16:20:06 335 --a----c- C:\WINDOWS\nsreg.dat
2007-08-09 21:31:01 216064 --a------ C:\WINDOWS\iun3405.exe <Not Verified; Indigo Rose Corporation; Indigo Rose Corporation unin32>
2007-07-25 12:49:34 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [23/10/2007 17:17]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [19/02/2007 06:17]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [30/03/2007 16:42]
"Volume Shadow Installer"="cvisvc.exe" [22/10/2007 07:36 C:\WINDOWS\system32\cvisvc.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 20:00]

C:\Documents and Settings\shaun wade\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 20:05:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2007-10-23 18:30:11 ------------
Attached Files
File Type: txt extra.txt (14.1 KB, 1 views)
heyup is offline  
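The VirusTotal table in the post above is the evidence behind the "well detected, but poorly reported" verdict that follows: many engines fire, but under different names. As an added example (not from the thread, and not VirusTotal's own code), this Python snippet parses that table into a detection ratio and groups the verdicts by a family keyword, and it also computes the MD5/SHA1/SHA256 of a file's bytes so a second analyst can confirm they hold the same sample as the report. The `parse_vt_table`, `family_hits` and `matches_report` names are mine; the rows are copied from the post, and the bytes hashed in `__main__` are constructed, not the real file.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rows copied from the VirusTotal results in the post above (engine, version, signature date, result).
VT_TABLE = """
Antivirus Version Last Update Result
AhnLab-V3 2007.10.24.0 2007.10.23 Win32/IRCBot.worm.10752.B
AntiVir 7.6.0.27 2007.10.23 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.10.23 Possibly a new variant of W32/Threat-HLLSI-based!Maximus
Avast 4.7.1051.0 2007.10.22 -
AVG 7.5.0.488 2007.10.23 -
BitDefender 7.2 2007.10.23 Trojan.Peed.Gen
CAT-QuickHeal 9.00 2007.10.23 -
ClamAV 0.91.2 2007.10.23 -
DrWeb 4.44.0.09170 2007.10.23 BackDoor.IRC.Tiny
eSafe 7.0.15.0 2007.10.22 suspicious Trojan/Worm
eTrust-Vet 31.2.5233 2007.10.23 Win32/Slenfbot!generic
Ewido 4.0 2007.10.23 -
FileAdvisor 1 2007.10.23 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 W32/Threat-HLLSI-based!Maximus
F-Secure 6.70.13030.0 2007.10.23 Backdoor.Win32.IRCBot.alr
Ikarus T3.1.1.12 2007.10.23 Trojan.Peed
Kaspersky 7.0.0.125 2007.10.23 Backdoor.Win32.IRCBot.alr
Microsoft 1.2908 2007.10.23 -
NOD32v2 2610 2007.10.23 -
Norman 5.80.02 2007.10.23 W32/Ircbot.YDZ
Panda 9.0.0.4 2007.10.23 Suspicious file
Prevx1 V2 2007.10.23 Heuristic: Suspicious File With Bad Parent Associations
Rising 19.46.12.00 2007.10.23 Backdoor.Win32.IRCbot.vic
Sophos 4.22.0 2007.10.23 Mal/HckPk-A
Sunbelt 2.2.907.0 2007.10.23 Trojan.Peed.Gen
Symantec 10 2007.10.23 -
TheHacker 6.2.9.105 2007.10.23 Backdoor/IRCBot.alr
VBA32 3.12.2.4 2007.10.22 -
VirusBuster 4.3.26:9 2007.10.23 -
""".strip().splitlines()


@dataclass
class Verdict:
    engine: str
    version: str
    updated: str
    result: str          # "-" means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


def parse_vt_table(lines: List[str]) -> List[Verdict]:
    """Parse the whitespace-separated VirusTotal table; the result column may contain spaces."""
    verdicts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Antivirus"):   # skip blanks and the header row
            continue
        parts = line.split(None, 3)                    # engine, version, date, rest-of-line
        if len(parts) == 4:
            verdicts.append(Verdict(*parts))
    return verdicts


def detection_ratio(verdicts: List[Verdict]) -> Tuple[int, int]:
    """(engines that detected, engines that scanned)."""
    return sum(v.detected for v in verdicts), len(verdicts)


def family_hits(verdicts: List[Verdict], keyword: str) -> List[str]:
    """Engines whose verdict name contains the keyword, case-insensitively."""
    return [v.engine for v in verdicts if keyword.lower() in v.result.lower()]


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hex digests an analyst would compare against a VirusTotal report."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, reported: Dict[str, str]) -> bool:
    """True if every reported digest we know how to compute matches the bytes in hand."""
    computed = file_hashes(data)
    return all(computed[k] == v.lower() for k, v in reported.items() if k in computed)


if __name__ == "__main__":
    verdicts = parse_vt_table(VT_TABLE)
    hit, total = detection_ratio(verdicts)
    print(f"{hit}/{total} engines detected the file")
    print("named as IRCBot by:", ", ".join(family_hits(verdicts, "ircbot")))
    sample = b"constructed placeholder bytes, not the real cvisvc.exe"   # constructed input
    print(file_hashes(sample))
```

The split on the first three whitespace runs is what keeps multi-word verdicts such as "Possibly a new variant of ..." intact; a naive `split()` would scatter them across columns.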
Old 10-23-2007, 12:12 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: unknown 04 start up ?

Good work.

Seems this is a well detected, but poorly reported, ircbot variant. Toward that end, I'd like to use a tool which will both kill it and help us grab a sample.

Download combofix.exe to your desktop.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/189937-unknown-04-start-up.html

Killall::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Volume Shadow Installer"=-

Collect::
C:\WINDOWS\system32\cvisvc.exe

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 10-23-2007, 08:38 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2007
Location: south yorkshire, uk.
Posts: 16
OS: xp media


Re: unknown 04 start up ?

Good morning tetonbob.

Finished your instructions:

ComboFix 07-10-23.1 - shaun wade 2007-10-24 3:27:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT 1:00]
Running from: C:\Documents and Settings\shaun wade\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\shaun wade\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cvisvc.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-23 18:28 <DIR> d-------- C:\Deckard
2007-10-13 13:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-12 22:31 <DIR> d-------- C:\Program Files\THQ
2007-10-08 20:39 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-07 20:36 <DIR> d-------- C:\Program Files\Immortals Online
2007-10-02 22:45 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-10-02 21:21 <DIR> d-------- C:\Documents and Settings\kieran wade\048298C9A4D3490B9FF9AB023A9238F3.TMP
2007-10-01 17:10 <DIR> d-------- C:\Toolbars
2007-10-01 17:10 <DIR> d-------- C:\Plugins
2007-10-01 17:10 <DIR> d-------- C:\Languages
2007-10-01 17:10 <DIR> d-------- C:\Html
2007-09-30 21:34 <DIR> d-------- C:\Program Files\Microsoft Games
2007-09-25 21:31 <DIR> d--h----- C:\Documents and Settings\kieran wade\Application Data\ijjigame
2007-09-25 20:52 <DIR> d-------- C:\ijji
2007-09-24 22:35 <DIR> d-------- C:\Program Files\Wolfenstein - Enemy Territory
2007-09-24 18:31 <DIR> d-------- C:\Documents and Settings\kieran wade\Application Data\Xfire
2007-09-24 18:29 <DIR> d-------- C:\Program Files\Xfire
2007-09-24 18:29 <DIR> d-------- C:\Documents and Settings\shaun wade\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 10:30 19,110 ----a-w C:\Documents and Settings\shaun wade\Application Data\wklnhst.dat
2007-10-23 05:37 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\AVG7
2007-10-19 05:08 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-17 16:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-17 16:08 --------- d-----w C:\Program Files\id Software
2007-10-17 05:12 --------- d-----w C:\Program Files\SpywareGuard
2007-10-13 21:22 --------- d-----w C:\Documents and Settings\kieran wade\Application Data\AVG7
2007-10-13 12:01 --------- d-----w C:\Program Files\Java
2007-10-12 21:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-12 15:46 --------- d-----w C:\Documents and Settings\kieran wade\Application Data\CyberLink
2007-10-12 15:40 --------- d-----w C:\Program Files\CyberLink
2007-10-12 04:06 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\SiteAdvisor
2007-10-11 20:49 --------- d-----w C:\Program Files\Last.fm
2007-10-10 03:25 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-01 04:40 --------- d-----w C:\Program Files\Lavalys
2007-09-28 23:40 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-28 23:40 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-09-24 17:46 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-23 21:19 22,328 ----a-w C:\Documents and Settings\shaun wade\Application Data\PnkBstrK.sys
2007-09-23 15:19 --------- d-----w C:\Program Files\blueMSX
2007-09-23 14:35 2,838 ----a-w C:\Documents and Settings\kieran wade\Application Data\wklnhst.dat
2007-09-23 07:49 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-22 16:05 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\Uniblue
2007-09-15 06:43 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\OfficeUpdate12
2007-09-14 23:50 --------- d-----w C:\Program Files\DivX
2007-09-09 06:09 --------- d-----w C:\Program Files\SiteAdvisor
2007-09-08 16:44 --------- d-----w C:\Program Files\Lavasoft
2007-09-08 16:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 16:32 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\Lavasoft
2007-09-08 15:41 --------- d-----w C:\Program Files\Trend Micro
2007-09-01 15:08 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink
2007-09-01 15:05 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\CyberLink
2007-09-01 15:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-01 14:54 --------- d-----w C:\Program Files\Autodesk
2007-08-30 05:29 --------- d-----w C:\Documents and Settings\shaun wade\Application Data\Creative
2007-08-09 20:31 216,064 ----a-w C:\WINDOWS\iun3405.exe
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-25 11:49 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-05-15 05:25 5,517 ---ha-w C:\Documents and Settings\kieran wade\hpothb07.dat
2007-05-15 05:25 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2007-04-28 22:44 364 ----a-w C:\Documents and Settings\kieran wade\rockconfig.dat
2007-03-03 12:42 87,608 ----a-w C:\Documents and Settings\kieran wade\Application Data\ezpinst.exe
2007-03-03 12:42 47,360 ----a-w C:\Documents and Settings\kieran wade\Application Data\pcouffin.sys
2007-01-20 13:09 40 ----a-w C:\Documents and Settings\kieran wade\language.dat
2002-04-08 08:41 4,173 ----a-w C:\Program Files\MGS2.theme
2002-04-08 08:33 2,387 ----a-w C:\Program Files\Readme.txt
2007-01-15 12:22:27 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2007-07-16 20:29:56 56 --sh--r C:\WINDOWS\system32\F717CDCD42.sys
2007-07-16 20:32:16 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-23 17:17]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-19 06:17]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 16:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00]

C:\Documents and Settings\shaun wade\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys
R3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys
R3 V0090VID;Creative WebCam Vista Plus;C:\WINDOWS\system32\DRIVERS\V0090Vid.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\53.tmp
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S4 SC;SC;C:\DOCUME~1\SHAUNW~1\LOCALS~1\Temp\SC.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 12:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 03:29:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 3:29:30
.
--- E O F ---


hjt log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:37:40, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1156165100000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156165090984
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 5189 bytes


THANKS for your help.
Old 10-23-2007, 09:00 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: unknown 04 start up ?

Hi heyup, can you post this log, please?

C:\Qoobox\ComboFix-quarantined-files.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 10-23-2007, 09:05 PM   #7 (permalink)
Registered User
 
Join Date: Sep 2007
Location: south yorkshire, uk.
Posts: 16
OS: xp media


Re: unknown 04 start up ?

I thought you had gone offline mate, it's 4am here.

Here you go:-


Code:
2007-10-22 07:36      10752    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cvisvc.exe.vir


Folder PATH listing
Volume serial number is C0CF-7E4F
C:\QOOBOX\QUARANTINE
+---C
|   \---WINDOWS
|       \---system32
|               cvisvc.exe.vir
|               
\---Registry_backups

THANKS.
Old 10-23-2007, 09:07 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: unknown 04 start up ?

Wow, you're either an early riser or a night owl. 11PM here.

You're welcome for the help.

I wonder...did Comodo Firewall attempt to block the zip file you uploaded? It's empty. I'm just curious. The file has been neutralised.

Can you do this next, please?

Upload this file to the next site:

C:\Qoobox\Quarantine\C\WINDOWS\system32\cvisvc.exe.vir

http://www.bleepingcomputer.com/subm....php?channel=4

On this page will be a browse button. Next to that is a box. Copy/paste the above file path into that box. Copy/paste the url of this thread:

http://www.techsupportforum.com/security-center/hijackthis-log-help/189937-unknown-04-start-up-post1136594.html#post1136594

into the box which says "Link to topic where this file was requested:" and click on Send File.

Once you've done that, do this next:

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 10-23-2007, 09:13 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2007
Location: south yorkshire, uk.
Posts: 16
OS: xp media


Re: unknown 04 start up ?

Early riser mate, only time I get any peace from the kids.

Yes, Comodo did block the file.

I'm going to get on with your instructions now before I go to work.

Thanks and cheers.

Sent file :
Your file was successfully submitted. Please let the user helping you know that you have submitted the file

Last edited by heyup : 10-23-2007 at 09:17 PM.
Old 10-23-2007, 09:14 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: unknown 04 start up ?

Please tell Comodo to allow it.

The online scan will take some time.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.