Probably unknown NewHeur_PE virus

**spandau** · 2009-05-18, 22:08

Hello Shaba.

Below, the log after rerun.
Incredible, no malicious... but, the message keeps going.
I have bad luck.

Malwarebytes' Anti-Malware 1.36
Database version: 2148
Windows 5.1.2600 Service Pack 3

5/18/2009 10:59:45 PM
mbam-log-2009-05-18 (22-59-45).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 111807
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Originally Posted by Shaba

Please rerun and post back a fresh rsit log afterwards

**Shaba** · 2009-05-19, 06:12

You posted now mbam log.

Please post a fresh rsit log

**spandau** · 2009-05-19, 17:52

Hi Shaba.

Below, a fresh rsit log.
I hope this is what you have requested.

Logfile of random's system information tool 1.06 (written by random/random)
Run by a at 2009-05-19 18:47:49
Microsoft Windows XP Professional Service Pack 3
System drive C: has 36 GB (59%) free of 61 GB
Total RAM: 2047 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:52 PM, on 5/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\tsnp2uvc.exe
C:\Program Files\EXPERTool\TBPanel.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\hh.exe
C:\Documents and Settings\a\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\a.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [tsnp2uvc] C:\WINDOWS\tsnp2uvc.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [GAINWARD] C:\Program Files\EXPERTool\TBPanel.exe /A
O4 - HKCU\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport în Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Cercetare - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A624575-728D-4813-8B0B-92C1A1FA8AB4}: NameServer = 213.154.124.1 193.231.252.1
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Net Logon NetlogonSCardSvr (NetlogonSCardSvr) - Unknown owner - C:\WINDOWS\system32\admparsek.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4414 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Reader 8.0\ActiveX\AcroIEHelper.dll [2006-08-10 71296]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-03-21 16126464]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-19 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-19 86016]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"WinFastDTV"=C:\Program Files\WinFast\WFDTV\DTVSchdl.exe [2009-01-16 90112]
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-04-29 188728]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-07-01 1447168]
"FixCamera"=C:\WINDOWS\FixCamera.exe [2007-07-11 20480]
"snp2uvc"=C:\WINDOWS\vsnp2uvc.exe [2007-07-11 569344]
"tsnp2uvc"=C:\WINDOWS\tsnp2uvc.exe [2008-01-22 320512]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GAINWARD"=C:\Program Files\EXPERTool\TBPanel.exe [2009-02-03 2181672]
"WinFast Schedule"=C:\Program Files\WinFast\WFDTV\WFWIZ.exe [2009-01-12 2908160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2009-05-18 21:56:32 ----D---- C:\Documents and Settings\a\Application Data\Malwarebytes
2009-05-18 21:56:28 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-18 21:56:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-18 20:42:18 ----D---- C:\rsit
2009-05-15 03:18:44 ----D---- C:\Program Files\Trend Micro
2009-04-25 01:51:53 ----A---- C:\WINDOWS\NeroDigital.ini

======List of files/folders modified in the last 1 months======

2009-05-19 18:47:51 ----D---- C:\WINDOWS\Temp
2009-05-19 18:44:57 ----D---- C:\WINDOWS\Prefetch
2009-05-19 00:26:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-19 00:26:31 ----A---- C:\WINDOWS\system32\Dvbpws.dll
2009-05-18 21:56:31 ----D---- C:\WINDOWS\system32\drivers
2009-05-18 21:56:27 ----RD---- C:\Program Files
2009-05-15 01:16:30 ----D---- C:\Program Files\Outlook Express
2009-05-06 20:25:05 ----SHD---- C:\WINDOWS\Installer
2009-05-06 19:18:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-04 09:56:04 ----D---- C:\WINDOWS\system32
2009-04-28 22:26:13 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-25 02:13:31 ----D---- C:\Program Files\Mv2Player
2009-04-25 01:51:53 ----D---- C:\WINDOWS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-07-01 53256]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2008-07-01 54280]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-07-01 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2008-07-01 71688]
R2 TBPanel;TBPanel; C:\WINDOWS\system32\drivers\TBPanel.sys [2007-03-16 12256]
R2 WFPVRENC;WinFast PVR2000 MPEG Encoder; C:\WINDOWS\system32\drivers\wfpvrenc.sys [2006-11-28 299392]
R2 WFPVRTUNER;WinFast PVR2000 WDM Tuner; C:\WINDOWS\system32\drivers\wfpvrtun.sys [2006-11-28 33408]
R2 WFPVRVIDEO;WinFast PVR2000 WDM Video Capture; C:\WINDOWS\system32\drivers\wfpvrcap.sys [2006-11-28 162688]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 38656]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2008-07-01 30728]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-03-26 4395008]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-19 6307328]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 WFPVRBAR;WinFast PVR2000 WDM Crossbar; C:\WINDOWS\system32\drivers\WFPVRBAR.sys [2006-11-28 9728]
S3 Cardex;Cardex; \??\C:\WINDOWS\system32\drivers\TBPANEL.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2008-01-30 3499776]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-02-06 109056]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-19 163908]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]
S2 NetlogonSCardSvr;Net Logon NetlogonSCardSvr; C:\WINDOWS\system32\admparsek.exe [2009-04-14 54272]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-07-01 19200]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

Originally Posted by Shaba

You posted now mbam log.

Please post a fresh rsit log

**Shaba** · 2009-05-19, 19:14

Please tell me if you can find this file using windows search function:

digiwet.dll

**spandau** · 2009-05-19, 20:27

Hi Shaba.

No, windows search function has not found the file digiwet.dll.

Originally Posted by Shaba

Please tell me if you can find this file using windows search function:

digiwet.dll

**Shaba** · 2009-05-19, 20:29

Let's doublecheck that anyway.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:filefind
digiwet.dll
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

**spandau** · 2009-05-19, 20:48

Hi Shaba.

Below, the result with SystemLook.

SystemLook v1.0 by jpshortstuff (18.05.09)
Log created at 21:44 on 19/05/2009 by a (Administrator - Elevation successful)

========== filefind ==========

Searching for "digiwet.dll"
No files found.

-=End Of File=-

Originally Posted by Shaba

Let's doublecheck that anyway.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
```
:filefind
digiwet.dll
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

**Shaba** · 2009-05-19, 21:03

OK, so that is really gone.

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

**spandau** · 2009-05-19, 21:56

OK, Shaba, I understand, I will try to make a good job.
Before that, I have 2 questions, please:
1. When I will disable the antivirus and antispyware protection from ESET NOD32, must I disable also gmer, mbam and Malwarebytes Anti-Malware?
2. Must I disable also the firewall from ESET NOD32?

Originally Posted by Shaba

OK, so that is really gone.

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

**Shaba** · 2009-05-20, 06:07

1. No need.

2. Please leave it enabled.

Thread: Probably unknown NewHeur_PE virus

Thread Tools

Display