Yet another Virtumonde...
I've run VundoFix and VirtumundoBeGone and got nothing in return except a wasted 30 minutes and a stain on my couch. NOD32 doesn't see it. Spybot and Ad-Aware (most current versions as of today) found it but could not get rid of it; I commend them for the valiant effort. The OneCare scan finds it too... but can't get rid of it either-- but it told me to have a nice day at the end of all of this, so I'm not commending its effort. Anywho-- here is my HJT log (after renaming the file to Hijt.exe).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:38 PM, on 5/26/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\Taskmgr.exe
C:\Users\Chad\Desktop\Hijt.exe
C:\Windows\system32\DllHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Chad\AppData\Local\Temp\xxyyxuVL.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Chad\AppData\Local\Temp\tuvVMCSm.dll,#1
O4 - HKCU\..\Run: [e2e78633] "rundll32.exe" "C:\Users\Chad\AppData\Local\Temp\ogkiwowp.dll",b
O4 - HKCU\..\Run: [BMe1d4b5af] Rundll32.exe "C:\Users\Chad\AppData\Local\Temp\jmhwsnuh.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 7022 bytes
Post OTMoveIt2, ATF Cleaner, and Combofix Logs
I ran these in safe mode with network support... will that be OK? Thanks a bazillion.
First the HijackThis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:21 AM, on 5/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\Chad\Desktop\Hijt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6327 bytes
Now the ComboFix log
ComboFix 08-05-26.2 - Chad 2008-05-27 9:52:03.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1609 [GMT -6:00]
Running from: C:\Users\Chad\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.
2008-05-27 09:41 . 2008-05-27 09:41 <DIR> d-------- C:\_OTMoveIt
2008-05-26 22:40 . 2008-05-26 22:40 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-26 22:40 . 2008-05-26 22:40 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-05-26 22:40 . 2008-05-26 22:40 <DIR> d-------- C:\PROGRA~2\Kaspersky Lab
2008-05-26 15:11 . 2008-05-26 15:21 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-26 15:11 . 2008-05-26 15:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-26 15:11 . 2008-05-26 15:21 <DIR> d-------- C:\PROGRA~2\Lavasoft
2008-05-26 15:04 . 2008-05-26 15:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 11:31 . 2008-05-26 11:31 <DIR> d-------- C:\VundoFix Backups
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\Users\Chad\AppData\Roaming\Webroot
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\Users\All Users\Webroot
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\Program Files\Webroot
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\PROGRA~2\Webroot
2008-05-26 10:51 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-05-26 10:51 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-05-26 10:51 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-05-26 10:51 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-05-26 10:51 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-05-26 10:50 . 2008-05-26 10:50 164 --a------ C:\install.dat
2008-05-25 10:37 . 2008-05-26 12:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-24 23:31 . 2008-05-24 23:58 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-24 23:31 . 2008-05-24 23:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 23:31 . 2008-05-24 23:58 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
2008-05-24 19:28 . 2008-05-24 19:32 <DIR> d-------- C:\Program Files\iPod Music Liberator
2008-05-24 18:40 . 2008-05-24 19:19 <DIR> d-------- C:\Users\Chad\AppData\Roaming\iPod Copy Expert
2008-05-24 18:40 . 2008-05-24 19:14 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-24 18:40 . 2008-05-24 19:14 <DIR> d-a------ C:\PROGRA~2\TEMP
2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Users\Chad\AppData\Roaming\Logitech
2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Users\All Users\LogiShrd
2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\PROGRA~2\LogiShrd
2008-05-22 13:00 . 2008-05-22 13:00 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\Users\Chad\AppData\Roaming\InstallShield
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\Users\All Users\Logitech
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\Program Files\Logitech
2008-05-22 12:58 . 2008-05-22 12:59 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\PROGRA~2\Logitech
2008-05-22 12:58 . 2008-05-02 02:38 301,656 --a------ C:\Windows\System32\BtCoreIf.dll
2008-05-22 12:58 . 2008-05-02 02:39 170,512 --a------ C:\Windows\System32\kemutb.dll
2008-05-22 12:58 . 2008-05-02 02:39 145,936 --a------ C:\Windows\System32\KemUtil.dll
2008-05-22 12:58 . 2008-05-02 02:40 117,264 --a------ C:\Windows\System32\KemWnd.dll
2008-05-22 12:58 . 2008-05-02 02:40 84,496 --a------ C:\Windows\System32\KemXML.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\Windows\System32\lsdelete.exe
2008-05-11 20:02 . 2008-05-11 20:02 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-11 19:53 . 2008-05-11 19:53 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\Windows\System32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\Windows\System32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\Windows\System32\drivers\Awrtpd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 01:28 --------- d-----w C:\Users\Chad\AppData\Roaming\Azureus
2008-05-25 01:28 --------- d-----w C:\Program Files\Azureus
2008-05-22 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 02:43 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-05-14 09:05 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 02:06 --------- d-----w C:\Program Files\Microsoft Works
2008-05-12 02:05 --------- d-----w C:\Program Files\MSBuild
2008-04-29 17:11 --------- d-----w C:\Program Files\Apple Software Update
2008-04-23 03:31 --------- d-----w C:\Program Files\Alex Feinman
2008-04-20 17:15 --------- d-----w C:\Program Files\Netflix
2008-04-20 04:34 --------- d-----w C:\PROGRA~2\PopCap
2008-04-20 04:33 --------- d-----w C:\Program Files\PopCap Games
2008-04-18 03:45 --------- d-----w C:\Program Files\ESET
2008-04-18 03:45 --------- d-----w C:\PROGRA~2\ESET
2008-04-12 07:46 --------- d-----w C:\PROGRA~2\Azureus
2008-04-10 14:25 --------- d-----w C:\Program Files\SlySoft
2008-04-02 23:35 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-31 18:25 81,920 ----a-w C:\Users\Chad\AppData\Roaming\ezpinst.exe
2008-03-31 18:25 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-03-31 18:25 47,360 ----a-w C:\Users\Chad\AppData\Roaming\pcouffin.sys
2008-03-31 18:25 --------- d-----w C:\Users\Chad\AppData\Roaming\Vso
2008-03-31 18:25 --------- d-----w C:\Program Files\CloneDVD
2008-03-31 18:25 --------- d-----w C:\PROGRA~2\DVDXStudio
2008-02-29 09:12 76,304 ----a-w C:\Windows\KHALMNPR.Exe
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-08-31 21:23 174 --sha-w C:\Program Files\desktop.ini
2006-12-01 01:07 262,144 ----a-w C:\PROGRA~2\ntuser.dat
2007-09-12 17:19 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 17:22 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 06:32 898344]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 18:06 421888]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 12:57 3784704 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-11-22 19:08 409264]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-11-28 14:19 52912]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 06:00 204800]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-10-18 10:19 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-10-18 10:18 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-10-18 10:18 133656]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\Windows\KHALMNPR.Exe]
"MSServer"="rundll32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []
"GrpConv"="grpconv -o" []
C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-22 12:58:38 805392]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}"= C:\Windows\system32\ddcDvwTJ.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Users^Chad^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-11-28 22:05 523952 C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a------ 2006-11-01 10:06 413696 C:\Program Files\TOSHIBA\Utilities\HWSetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-12-16 04:41 188416 C:\Program Files\ltmoh\Ltmoh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
--a------ 2006-07-20 14:45 151552 C:\TOSHIBA\IVP\ISM\pinger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-11-20 14:15 446128 C:\Program Files\Toshiba\SmoothView\SmoothView.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-07-11 15:18 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 10:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-06-14 03:05 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EB08C89B-6DDF-4DCC-97AB-2F7DEF6B3D7F}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F4C1E496-6C3E-4CCD-BF2C-4C1155AE1F0B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{8507C833-ADE1-49A1-B668-9CB09C38F36E}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{51497E09-6BE6-4612-90C2-587F33FA46DB}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"{ED341EAF-E6BB-405E-B9B9-AF8D8EEFD061}"= UDP:C:\Users\Chad\Desktop\Age of Empires II\Empires2.exe:Empires2.exe
"{01A34FA5-366C-40CC-96D6-00B4102CAD50}"= TCP:C:\Users\Chad\Desktop\Age of Empires II\Empires2.exe:Empires2.exe
"TCP Query User{C516FDF3-A2D8-4811-B0AB-D9F2026A1FB2}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{0EDED9A7-D5F0-4151-B126-D9DEB3321199}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"{45DD7AA3-2149-42EA-A658-67C5F9D59745}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{B7FA2406-7877-4C29-B397-26B0C1EA3375}C:\\program files\\java\\jre1.6.0\\bin\\javaw.exe"= UDP:C:\program files\java\jre1.6.0\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{68893993-F0AB-4BB5-96D5-687E9A84744C}C:\\program files\\java\\jre1.6.0\\bin\\javaw.exe"= TCP:C:\program files\java\jre1.6.0\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{766E45DE-AEF7-4233-BB1C-E0C128C72CFE}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{6A5F4645-F81D-40FC-A919-F70CFBA98788}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{A1FCA78E-00AE-4714-9FFF-40A3EA6285D0}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{F22F03FD-57C1-4280-A324-0F85DF13722F}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{889B04BC-F622-4072-8DD6-B4A30531B632}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{CB6CE25B-B700-4553-B396-25F8DA4F9DAF}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{85E88D37-7A7F-40E8-94A4-AB1D151BAC65}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D1DFE8C8-A284-4DBE-A0F1-DE579D41F0E5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D52D53B7-51E0-450D-A499-07D994C338AE}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{621FA998-06EC-4173-8A22-3C9FA0DCE3A1}C:\\program files\\microsoft office\\office12\\groove.exe"= UDP:C:\program files\microsoft office\office12\groove.exe:Microsoft Office Groove
"UDP Query User{A8C3C9C1-F654-49BD-840E-EF5ED732779B}C:\\program files\\microsoft office\\office12\\groove.exe"= TCP:C:\program files\microsoft office\office12\groove.exe:Microsoft Office Groove
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-11-01 00:40]
S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 10:05]
S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 12:50]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2005-09-27 17:57]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 21:06]
S4 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-12-17 01:37]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 09:54:58
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-27 9:55:54
ComboFix-quarantined-files.txt 2008-05-27 15:55:39
Pre-Run: 40,307,613,696 bytes free
Post-Run: 40,423,600,128 bytes free
222 --- E O F --- 2008-05-23 19:57:17
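Reading the two posts together, the interesting part is what survived the cleanup. The first HijackThis log has five rundll32 Run entries: four load DLLs out of the user's Temp directory with a one-letter or ordinal entry point, and one (HKLM MSServer) loads C:\Windows\system32\ddcDvwTJ.dll,#1. The second HijackThis log no longer shows the HKCU Temp entries, but the HKLM MSServer entry is still there, and the ComboFix "Reg Loading Points" section shows the same ddcDvwTJ.dll registered a second time under Explorer's ShellExecuteHooks. That is the check worth automating: flag rundll32 loaders by where the DLL lives and how it is invoked, then cross-reference every other load point against the same DLL name. The Python below is an added example written for this page; it is not part of the thread, nor is it code from HijackThis, ComboFix or any other tool named here. The sample lines are copied from the logs posted above (plus two benign entries for contrast) and embedded as constructed input, so it runs offline; the heuristics (Temp-directory path, ordinal or single-letter export) are the author's assumptions about what separates these entries from the legitimate oobefldr.dll one, not a signature published by any vendor.

```python
import ntpath
import re

# Constructed sample input: lines copied from the HijackThis and ComboFix logs
# posted in this thread, plus two benign entries (egui, oobefldr) for contrast.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Chad\AppData\Local\Temp\xxyyxuVL.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Chad\AppData\Local\Temp\tuvVMCSm.dll,#1
O4 - HKCU\..\Run: [e2e78633] "rundll32.exe" "C:\Users\Chad\AppData\Local\Temp\ogkiwowp.dll",b
O4 - HKCU\..\Run: [BMe1d4b5af] Rundll32.exe "C:\Users\Chad\AppData\Local\Temp\jmhwsnuh.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

COMBOFIX_SAMPLE = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0CF5D165-517E-48B6-B3C7-3054A24F8BF6}"= C:\Windows\system32\ddcDvwTJ.dll [ ]
"""

# HijackThis O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 command: optional quotes around exe and DLL, then ",<export>"
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$')
# ComboFix value line under a registry section: "{CLSID}"= <dll> [ ]
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"=\s*(?P<dll>.+?)\s*\[.*\]\s*$')


def suspicious_flags(dll, export):
    """Heuristics (assumptions for this example) for a rundll32 loader."""
    flags = []
    if re.search(r'\\temp\\', dll, re.IGNORECASE):
        flags.append('DLL lives in a Temp directory')
    if re.fullmatch(r'#\d+', export) or re.fullmatch(r'[A-Za-z]', export):
        flags.append('entry point is an ordinal or a one-letter export')
    return flags


def triage(hjt_text, combofix_text=""):
    """Return a list of findings; each is a dict with a 'kind' and 'flags'."""
    findings = []
    loaded = {}  # lowercase DLL basename -> Run load points that reference it
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m['cmd'])
            if r:
                flags = suspicious_flags(r['dll'], r['export'])
                if flags:
                    where = f"{m['hive']}\\..\\{m['key']} [{m['name']}]"
                    loaded.setdefault(ntpath.basename(r['dll']).lower(), []).append(where)
                    findings.append({'kind': 'O4', 'dll': r['dll'], 'export': r['export'],
                                     'where': where, 'flags': flags})
            continue
        b = BHO_RE.match(line)
        if b and b['path'].strip() == '(no file)':
            # Orphaned CLSID: nothing loads, but it is leftover registry to remove.
            findings.append({'kind': 'O2', 'clsid': b['clsid'],
                             'flags': ['BHO CLSID registered but its DLL is missing']})

    # ComboFix prints registry sections as "[key]" headers followed by values.
    in_hooks = False
    for line in combofix_text.splitlines():
        if line.startswith('['):
            in_hooks = 'shellexecutehooks' in line.lower()
            continue
        h = HOOK_RE.match(line.strip()) if in_hooks else None
        if h:
            base = ntpath.basename(h['dll']).lower()
            flags = ['ShellExecuteHooks load point (loaded by the shell on ShellExecuteEx)']
            if base in loaded:
                flags.append(f'same DLL as Run entries: {loaded[base]}')
            findings.append({'kind': 'SEH', 'dll': h['dll'], 'clsid': h['clsid'], 'flags': flags})
    return findings


if __name__ == '__main__':
    for f in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f['kind'], f.get('dll', f.get('clsid')), '->', '; '.join(f['flags']))
```

On the sample input this reports the five rundll32 entries, the orphaned BHO, and the ShellExecuteHooks entry with a note that its DLL is the same one the HKLM MSServer Run entry loads; the oobefldr.dll entry under LOCAL SERVICE is not flagged because it has a normal path and a named export. The cross-reference is the point: a fix script that only removes the Run entries leaves the ShellExecuteHooks CLSID behind, and the DLL is reloaded the next time the shell launches something.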
Updated ComboFix and HijackThis logs...
ComboFix...
ComboFix 08-05-26.2 - Chad 2008-05-27 12:29:48.1 - NTFSx86
Running from: C:\Users\Chad\Desktop\ComboFix.exe
Command switches used :: C:\Users\Chad\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.
2008-05-27 09:41 . 2008-05-27 09:41 <DIR> d-------- C:\_OTMoveIt
2008-05-26 22:40 . 2008-05-26 22:40 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-26 22:40 . 2008-05-26 22:40 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-05-26 22:40 . 2008-05-26 22:40 <DIR> d-------- C:\PROGRA~2\Kaspersky Lab
2008-05-26 15:11 . 2008-05-26 15:21 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-26 15:11 . 2008-05-26 15:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-26 15:11 . 2008-05-26 15:21 <DIR> d-------- C:\PROGRA~2\Lavasoft
2008-05-26 15:04 . 2008-05-26 15:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 11:31 . 2008-05-26 11:31 <DIR> d-------- C:\VundoFix Backups
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\Users\Chad\AppData\Roaming\Webroot
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\Users\All Users\Webroot
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\Program Files\Webroot
2008-05-26 10:51 . 2008-05-26 10:51 <DIR> d-------- C:\PROGRA~2\Webroot
2008-05-26 10:51 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-05-26 10:51 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-05-26 10:51 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-05-26 10:51 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-05-26 10:51 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-05-26 10:50 . 2008-05-26 10:50 164 --a------ C:\install.dat
2008-05-25 10:37 . 2008-05-26 12:03 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-24 23:31 . 2008-05-24 23:58 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-05-24 23:31 . 2008-05-24 23:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 23:31 . 2008-05-24 23:58 <DIR> d-------- C:\PROGRA~2\Spybot - Search & Destroy
2008-05-24 19:28 . 2008-05-24 19:32 <DIR> d-------- C:\Program Files\iPod Music Liberator
2008-05-24 18:40 . 2008-05-24 19:19 <DIR> d-------- C:\Users\Chad\AppData\Roaming\iPod Copy Expert
2008-05-24 18:40 . 2008-05-24 19:14 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-24 18:40 . 2008-05-24 19:14 <DIR> d-a------ C:\PROGRA~2\TEMP
2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Users\Chad\AppData\Roaming\Logitech
2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Users\All Users\LogiShrd
2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\PROGRA~2\LogiShrd
2008-05-22 13:00 . 2008-05-22 13:00 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\Users\Chad\AppData\Roaming\InstallShield
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\Users\All Users\Logitech
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\Program Files\Logitech
2008-05-22 12:58 . 2008-05-22 12:59 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-05-22 12:58 . 2008-05-22 12:58 <DIR> d-------- C:\PROGRA~2\Logitech
2008-05-22 12:58 . 2008-05-02 02:38 301,656 --a------ C:\Windows\System32\BtCoreIf.dll
2008-05-22 12:58 . 2008-05-02 02:39 170,512 --a------ C:\Windows\System32\kemutb.dll
2008-05-22 12:58 . 2008-05-02 02:39 145,936 --a------ C:\Windows\System32\KemUtil.dll
2008-05-22 12:58 . 2008-05-02 02:40 117,264 --a------ C:\Windows\System32\KemWnd.dll
2008-05-22 12:58 . 2008-05-02 02:40 84,496 --a------ C:\Windows\System32\KemXML.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\Windows\System32\lsdelete.exe
2008-05-11 20:02 . 2008-05-11 20:02 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-11 19:53 . 2008-05-11 19:53 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\Windows\System32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\Windows\System32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\Windows\System32\drivers\Awrtpd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 01:28 --------- d-----w C:\Users\Chad\AppData\Roaming\Azureus
2008-05-25 01:28 --------- d-----w C:\Program Files\Azureus
2008-05-22 18:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 02:43 --------- d-----w C:\PROGRA~2\Microsoft Help
2008-05-14 09:05 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 02:06 --------- d-----w C:\Program Files\Microsoft Works
2008-05-12 02:05 --------- d-----w C:\Program Files\MSBuild
2008-04-29 17:11 --------- d-----w C:\Program Files\Apple Software Update
2008-04-23 03:31 --------- d-----w C:\Program Files\Alex Feinman
2008-04-20 17:15 --------- d-----w C:\Program Files\Netflix
2008-04-20 04:34 --------- d-----w C:\PROGRA~2\PopCap
2008-04-20 04:33 --------- d-----w C:\Program Files\PopCap Games
2008-04-18 03:45 --------- d-----w C:\Program Files\ESET
2008-04-18 03:45 --------- d-----w C:\PROGRA~2\ESET
2008-04-12 07:46 --------- d-----w C:\PROGRA~2\Azureus
2008-04-10 14:25 --------- d-----w C:\Program Files\SlySoft
2008-04-02 23:35 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-31 18:25 81,920 ----a-w C:\Users\Chad\AppData\Roaming\ezpinst.exe
2008-03-31 18:25 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-03-31 18:25 47,360 ----a-w C:\Users\Chad\AppData\Roaming\pcouffin.sys
2008-03-31 18:25 --------- d-----w C:\Users\Chad\AppData\Roaming\Vso
2008-03-31 18:25 --------- d-----w C:\Program Files\CloneDVD
2008-03-31 18:25 --------- d-----w C:\PROGRA~2\DVDXStudio
2008-02-29 09:12 76,304 ----a-w C:\Windows\KHALMNPR.Exe
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-08-31 21:23 174 --sha-w C:\Program Files\desktop.ini
2006-12-01 01:07 262,144 ----a-w C:\PROGRA~2\ntuser.dat
2007-09-12 17:19 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-09-12 17:22 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-27 06:32 898344]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 18:06 421888]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 12:57 3784704 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-11-22 19:08 409264]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-11-28 14:19 52912]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 06:00 204800]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-10-18 10:19 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-10-18 10:18 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-10-18 10:18 133656]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 03:12 76304 C:\Windows\KHALMNPR.Exe]
"MSServer"="rundll32.exe" [2006-11-02 03:45 44544 C:\Windows\System32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-22 12:58:38 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Users^Chad^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2006-11-28 22:05 523952 C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
--a------ 2006-11-01 10:06 413696 C:\Program Files\TOSHIBA\Utilities\HWSetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-01 16:51 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-12-16 04:41 188416 C:\Program Files\ltmoh\Ltmoh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
--a------ 2006-07-20 14:45 151552 C:\TOSHIBA\IVP\ISM\pinger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2006-11-20 14:15 446128 C:\Program Files\Toshiba\SmoothView\SmoothView.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-07-11 15:18 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 10:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-06-14 03:05 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EB08C89B-6DDF-4DCC-97AB-2F7DEF6B3D7F}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F4C1E496-6C3E-4CCD-BF2C-4C1155AE1F0B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{8507C833-ADE1-49A1-B668-9CB09C38F36E}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{51497E09-6BE6-4612-90C2-587F33FA46DB}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"{ED341EAF-E6BB-405E-B9B9-AF8D8EEFD061}"= UDP:C:\Users\Chad\Desktop\Age of Empires II\Empires2.exe:Empires2.exe
"{01A34FA5-366C-40CC-96D6-00B4102CAD50}"= TCP:C:\Users\Chad\Desktop\Age of Empires II\Empires2.exe:Empires2.exe
"TCP Query User{C516FDF3-A2D8-4811-B0AB-D9F2026A1FB2}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{0EDED9A7-D5F0-4151-B126-D9DEB3321199}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"{45DD7AA3-2149-42EA-A658-67C5F9D59745}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{B7FA2406-7877-4C29-B397-26B0C1EA3375}C:\\program files\\java\\jre1.6.0\\bin\\javaw.exe"= UDP:C:\program files\java\jre1.6.0\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{68893993-F0AB-4BB5-96D5-687E9A84744C}C:\\program files\\java\\jre1.6.0\\bin\\javaw.exe"= TCP:C:\program files\java\jre1.6.0\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{766E45DE-AEF7-4233-BB1C-E0C128C72CFE}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{6A5F4645-F81D-40FC-A919-F70CFBA98788}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{A1FCA78E-00AE-4714-9FFF-40A3EA6285D0}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{F22F03FD-57C1-4280-A324-0F85DF13722F}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{889B04BC-F622-4072-8DD6-B4A30531B632}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{CB6CE25B-B700-4553-B396-25F8DA4F9DAF}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{85E88D37-7A7F-40E8-94A4-AB1D151BAC65}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D1DFE8C8-A284-4DBE-A0F1-DE579D41F0E5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D52D53B7-51E0-450D-A499-07D994C338AE}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{621FA998-06EC-4173-8A22-3C9FA0DCE3A1}C:\\program files\\microsoft office\\office12\\groove.exe"= UDP:C:\program files\microsoft office\office12\groove.exe:Microsoft Office Groove
"UDP Query User{A8C3C9C1-F654-49BD-840E-EF5ED732779B}C:\\program files\\microsoft office\\office12\\groove.exe"= TCP:C:\program files\microsoft office\office12\groove.exe:Microsoft Office Groove
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
R0 LPCFilter;LPC Lower Filter Driver;C:\Windows\system32\DRIVERS\LPCFilter.sys [2006-07-28 18:25]
R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-11-01 00:40]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-07-14 05:30]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 10:05]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 13:50]
S3 tosrfec;Bluetooth ACPI;C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 18:32]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2006-02-14 12:50]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2005-09-27 17:57]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 21:06]
S4 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-12-17 01:37]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 12:33:40
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Windows\TEMP\TMP0000005B75860E4D58957113 524288 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-05-27 12:34:47
ComboFix-quarantined-files.txt 2008-05-27 18:34:35
ComboFix2.txt 2008-05-27 15:55:55
Pre-Run: 38,693,961,728 bytes free
Post-Run: 38,663,196,672 bytes free
216 --- E O F --- 2008-05-23 19:57:17
And the HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:08 PM, on 5/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Users\Chad\Desktop\Hijt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6426 bytes
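The one entry in the log above that does not belong is `O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1`: a Run-key value that launches rundll32, points it at a DLL with a generated-looking name in system32, and calls its export by ordinal (`#1`) rather than by name. That combination is worth checking for mechanically. The script below is an added example for this thread, not code from HijackThis, ComboFix or Malwarebytes: it parses O4 lines in HijackThis 2.0.2 format, picks out the rundll32-launched ones, and scores them. The sample lines are copied from the log above plus one constructed benign rundll32 entry (`NvCplDaemon`, an assumption, not from this machine) for contrast. The scoring thresholds and the random-name test are my own heuristics and will produce some false positives on product abbreviations; the ordinal-export signal is the strong one.

```python
"""Score rundll32-launched autorun entries from a HijackThis (v2.0.2) O4 listing.

Added example for this thread, not code from HijackThis, ComboFix or Malwarebytes.
Heuristic only: it raises entries for a human to check, it does not classify them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O4 line as HijackThis prints it:
#   O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$'
)
# rundll32 invocation: optional path and quotes, then "<dll>[,<export>]"
RUNDLL32_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)

SAMPLE_O4_LINES = [
    # copied from the HJT log in this thread
    r'O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r'O4 - HKLM\..\Run: [MSServer] "rundll32.exe" C:\Windows\system32\ddcDvwTJ.dll,#1',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background',
    # constructed benign rundll32 entry for contrast (assumption, not from the thread)
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup',
]


@dataclass
class Finding:
    name: str            # value name under the Run key
    hive: str
    dll: str
    export: Optional[str]
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # threshold is a heuristic choice: ordinal export alone gets an entry here
        return self.score >= 3


def name_looks_random(stem: str) -> bool:
    """Rough test for generated names like 'ddcDvwTJ': letters only, few vowels,
    upper-case letters appearing after lower-case ones.  Product abbreviations
    (e.g. 'NvMcTray') can trip this, which is why it is only worth one point."""
    if not stem.isalpha() or not 6 <= len(stem) <= 10:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    case_flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    return vowel_ratio < 0.3 and case_flips >= 1


def score_rundll32_entries(lines: List[str]) -> List[Finding]:
    """Return one Finding per O4 entry that starts through rundll32, in log order."""
    findings: List[Finding] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL32_RE.match(m.group("cmd"))
        if not r:
            continue                      # launched directly, not via rundll32
        dll, export = r.group("dll"), r.group("export")
        score, reasons = 1, ["autorun via rundll32"]
        if export and export.startswith("#"):
            score += 2                    # export by ordinal hides the function name
            reasons.append(f"export called by ordinal ({export})")
        stem = dll.rsplit("\\", 1)[-1][:-4]   # file name without '.dll'
        if name_looks_random(stem):
            score += 1
            reasons.append(f"random-looking DLL name ({stem})")
        findings.append(Finding(m.group("name"), m.group("hive"), dll, export, score, reasons))
    return findings


if __name__ == "__main__":
    for f in score_rundll32_entries(SAMPLE_O4_LINES):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.hive}\\Run\\{f.name}: {f.dll} -> {f.export}  "
              f"score={f.score}  {'; '.join(f.reasons)}")
```

Run against the sample, only `MSServer` crosses the threshold; the constructed `NvCplDaemon` entry is listed with a score of 1 so the analyst still sees every rundll32 launcher. Feeding the script the O4 lines of a fresh log (after a Malwarebytes run, say) and checking that the flagged entry is gone is a quicker confirmation than rereading the whole log by eye.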
Malwarebytes log and updated HJT
Malwarebytes log...
Malwarebytes' Anti-Malware 1.12
Database version: 791
Scan type: Quick Scan
Objects scanned: 34209
Time elapsed: 4 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0cf5d165-517e-48b6-b3c7-3054a24f8bf6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:55 PM, on 5/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Chad\Desktop\Hijt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SVPWUTIL] "C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" SVPwUTIL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6344 bytes
The computer is running much better... but no different than before I ran the Malwarebytes program. It does seem to be back to normal though. No more pop-ups, and my processor stopped consistently running...
OTMoveIt2 won't "clean up"
I tried to hit the clean up button but it said "file access denied."
Everything else worked splendiferously though.
Thanks so much for your help!!! I will definitely donate.