I've Contracted a Virus


Highdro (Thread Starter; joined Apr 11, 2005; 145 messages):
I logged on to my computer today to see that my CA Anti-Virus has been detecting infected files. I thought it had stopped them and deleted them, but every few hours it keeps detecting more, leading me to believe there is some sort of program running that I am not aware of.

Any help would be appreciated. I have an HJT log.

This is what CA Anti-Virus found:

3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection. Quarantined
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:43 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection. Quarantined
3/26/2008 6:18:44 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:44 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:31:08 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\DAB9P0KL\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 6:31:08 AM File infection: C:\WINDOWS\system32\gebyy.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\E58HA85G\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan.
3/26/2008 8:21:16 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan.
3/26/2008 8:21:16 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:11 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\8V908OJR\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 9:21:11 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:16 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\DAB9P0KL\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 10:21:17 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 10:21:17 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:18 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:18 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:18 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 11:42:54 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\F6Q7HPS1\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan.
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan.
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan.
3/26/2008 12:42:57 PM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\E58HA85G\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan.
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan.
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan.
3/26/2008 13:42:55 PM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\DAB9P0KL\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.
3/26/2008 13:42:58 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:13 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\MSTpscre\Tpscrex.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\mrofinu1645.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Evidence Eliminator\Ee.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkkiii.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT GWY] "C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" -GWY
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UsbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1645.exe 61A847B5BBF72813349F3D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: jkkkiii - C:\WINDOWS\SYSTEM32\jkkkiii.dll
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: EmuLogix 5868 Slot1 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot10 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot11 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot12 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot13 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot14 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot15 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot16 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot2 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot3 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot4 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot5 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot6 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot7 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot8 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot9 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: FactoryTalk Activation Service - Macrovision Corporation - C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSOBSERV.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12775 bytes
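As an added example (not code from the original post, and not CA or Trend Micro code), the script below parses a subset of the CA Anti-Virus lines quoted above and measures the gap between successive removals of the same detection name, lists the file names the same threat kept coming back under, and applies three triage rules to a handful of the HijackThis entries from the log. The log subset and HijackThis lines are copied from the post; the rule thresholds (an unnamed BHO, a Winlogon Notify DLL that is also that BHO, a Run entry in the Windows root with a 32+ character hex argument) are assumptions chosen for illustration, not CA or HijackThis rules.

```python
# Added example: not code from the original post, CA, or Trend Micro.
# Shows why removals that recur every hour or so point at a still-running
# dropper, and applies a few assumed triage rules to HijackThis entries.
import re
from datetime import datetime

# Subset of the CA Anti-Virus lines from the post, one per removal event plus
# one repeat line without an action, embedded so the script runs offline.
CA_LOG = r"""
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection. Quarantined
3/26/2008 6:18:43 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection. Quarantined
3/26/2008 6:31:08 AM File infection: C:\WINDOWS\system32\gebyy.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 9:21:11 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 10:21:17 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.
"""

# HijackThis entries copied from the log in the post (two benign ones for contrast).
HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkkiii.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1645.exe 61A847B5BBF72813349F3D466188719AB689201522886B092CBD44BD8689220221DD3257",
    r"O20 - Winlogon Notify: jkkkiii - C:\WINDOWS\SYSTEM32\jkkkiii.dll",
]

CA_LINE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ampm>AM|PM) "
    r"File infection: (?P<path>.+?) is (?P<threat>\S+) (?:infection|trojan)\."
    r"(?: (?P<action>\w+))?$"
)
# Assumed rule: a Run entry whose binary sits directly in the Windows root and
# is started with a long hex-only argument is an unusual shape for startup items.
RUN_HEX_ARG = re.compile(
    r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (C:\\WINDOWS\\[^\\ ]+\.exe) [0-9A-F]{32,}$", re.I
)


def parse_timestamp(date, time, ampm):
    """CA writes afternoon times both as '12:43:00 PM' and '13:42:57 PM', which
    strptime's %I rejects, so the hour is normalised by hand."""
    hour, minute, second = (int(x) for x in time.split(":"))
    if ampm == "PM" and hour < 12:
        hour += 12
    elif ampm == "AM" and hour == 12:
        hour = 0
    month, day, year = (int(x) for x in date.split("/"))
    return datetime(year, month, day, hour, minute, second)


def parse_ca_log(text):
    """One dict per parsable line; 'action' is None for CA's repeat lines."""
    events = []
    for line in text.strip().splitlines():
        m = CA_LINE.match(line.strip())
        if m:
            events.append({"time": parse_timestamp(m["date"], m["time"], m["ampm"]),
                           "path": m["path"], "threat": m["threat"], "action": m["action"]})
    return events


def reinfection_intervals(events, threat):
    """Minutes between successive removals of one detection name; a steady
    cadence after every removal means something keeps re-creating the file."""
    times = sorted(e["time"] for e in events if e["threat"] == threat and e["action"])
    return [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]


def rotating_payload_names(events, threat):
    """Distinct file names one detection name was removed under; many short
    random names for the same threat is the regenerated-payload pattern."""
    names = {e["path"].rsplit("\\", 1)[-1]
             for e in events if e["threat"] == threat and e["action"]}
    return sorted(names)


def triage_hjt(lines):
    """Map each HijackThis line that trips an assumed rule to the reason."""
    flagged, unnamed_bho = {}, set()
    for line in lines:
        if line.startswith("O2 - BHO: (no name)"):
            unnamed_bho.add(line.rsplit(" - ", 1)[-1].lower())
            flagged[line] = "BHO with no name"
    for line in lines:
        if line.startswith("O20 - Winlogon Notify:"):
            if line.rsplit(" - ", 1)[-1].lower() in unnamed_bho:
                flagged[line] = "Winlogon Notify DLL is the same file as the unnamed BHO"
        elif RUN_HEX_ARG.match(line):
            flagged[line] = "Run entry in the Windows root started with a long hex argument"
    return flagged


if __name__ == "__main__":
    events = parse_ca_log(CA_LOG)
    print("minutes between Chisyne removals:", reinfection_intervals(events, "Win32/Chisyne.DU"))
    print("names it came back under:", rotating_payload_names(events, "Win32/Chisyne.DU"))
    for line, reason in triage_hjt(HJT_LINES).items():
        print(f"{reason}: {line}")
```

Run as written, the intervals come out at roughly one hour apart and the same detection name appears under seven different five-letter DLL names, which is the defender's evidence that deleting each DLL is not removing the component that writes it; the three flagged HijackThis lines are the unnamed BHO, the Winlogon Notify entry that loads the same DLL, and the `runner1` Run entry.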
 

Highdro (Thread Starter):
So I've run VundoFix and ComboFix, and I have logs for both. Although VundoFix found nothing and ComboFix did delete 4 files, I can't remember them, since it overwrote the log file when I ran it a second time. I ran KillBox and deleted all temp files. And I posted a new HJT log, since it did remove O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkkiii.dll.


VundoFix V7.0.3

Scan started at 2:24:26 PM 3/26/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...



**********************************************************



ComboFix 08-03-25.4 - Stevo 2008-03-26 14:58:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.530 [GMT -4:00]
Running from: C:\Documents and Settings\Stevo\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 14:24 . 2008-03-26 14:24 <DIR> d-------- C:\VundoFix Backups
2008-03-26 11:38 . 2008-03-26 11:38 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Turbine
2008-03-26 11:19 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-26 11:16 . 2008-03-26 11:16 <DIR> d-------- C:\Program Files\Turbine
2008-03-26 11:12 . 2008-03-26 13:52 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\HouseCall 6.6
2008-03-26 10:41 . 2008-03-26 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-26 09:14 . 2003-07-19 11:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-03-26 09:14 . 2005-01-03 02:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-03-26 09:13 . 2008-03-26 09:13 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-26 09:11 . 2008-03-26 09:11 <DIR> d-------- C:\Nexon
2008-03-26 08:01 . 2008-03-26 11:15 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\GetRightToGo
2008-03-26 06:04 . 2008-03-26 06:04 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-24 15:36 . 2008-03-25 01:49 <DIR> d-------- C:\Program Files\Evidence Eliminator
2008-03-24 15:36 . 2000-05-22 01:00 203,976 --a------ C:\WINDOWS\system32\RichTx32.ocx
2008-03-24 15:36 . 1999-05-29 21:33 114,696 --a------ C:\WINDOWS\system32\Fablock6.ocx
2008-03-24 09:20 . 1998-04-24 01:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-03-24 09:20 . 2007-07-12 12:52 118,784 --a------ C:\WINDOWS\system32\EEGenFn1.dll
2008-03-24 09:20 . 2007-04-24 16:21 61,440 --a------ C:\WINDOWS\system32\Eeshellx.dll
2008-03-24 09:20 . 2007-04-24 16:20 40,960 --a------ C:\WINDOWS\system32\eetransx.exe
2008-03-24 09:20 . 1996-05-03 23:05 28,672 --a------ C:\WINDOWS\system32\MSGHOO32.OCX
2008-03-21 13:49 . 2008-03-21 13:49 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Logitech
2008-03-21 13:47 . 2008-03-21 13:47 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-03-21 13:47 . 2008-03-21 13:47 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-03-21 13:45 . 2008-03-21 13:45 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-21 13:45 . 2008-03-21 13:45 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-03-21 13:44 . 2008-03-21 13:47 <DIR> d-------- C:\Program Files\Logitech
2008-03-21 13:44 . 2008-03-21 13:44 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-21 13:44 . 2008-03-21 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-21 13:44 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2008-03-21 13:44 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2008-03-21 13:44 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-03-21 13:44 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-03-21 13:44 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2008-03-21 13:44 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-03-21 13:44 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-03-21 13:44 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-03-21 13:43 . 2008-03-21 13:43 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\InstallShield
2008-03-21 13:43 . 2008-03-21 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-03-20 07:02 . 2008-03-20 07:03 <DIR> d-------- C:\Program Files\Westward
2008-03-20 06:14 . 2008-03-20 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-18 05:09 . 2008-03-18 05:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-18 01:08 . 2008-03-18 02:27 393 --a------ C:\WINDOWS\WEMU500.INI
2008-03-18 00:39 . 2008-03-18 00:39 <DIR> d-------- C:\Program Files\Common Files\OPC Foundation
2008-03-18 00:39 . 2008-03-18 00:39 <DIR> d-------- C:\Program Files\Common Files\OMRON
2008-03-17 23:42 . 2008-03-17 23:42 <DIR> d-------- C:\RSLogix 5000
2008-03-17 23:36 . 2008-03-17 23:36 <DIR> d-------- C:\Program Files\RSLogix 5000 Module Profiles
2008-03-17 23:33 . 2001-06-21 21:39 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
2008-03-17 23:33 . 2001-06-21 21:39 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
2008-03-17 23:33 . 2001-06-21 21:39 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2008-03-17 23:33 . 2001-06-21 21:39 9,949 --------- C:\WINDOWS\system32\SENTINEL.HLP
2008-03-17 23:25 . 2008-03-18 00:39 172 --a------ C:\WINDOWS\Rocksoft.ini
2008-03-17 23:20 . 2008-03-17 23:20 194 --a------ C:\WINDOWS\system32\RBDELDRV.BAT
2008-03-17 04:20 . 2008-03-17 04:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-16 09:33 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\23683848.dll
2008-03-16 09:33 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\103b9048.dll
2008-03-13 13:01 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\1c66f701.dll
2008-03-13 13:01 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\124f83ee.dll
2008-03-13 13:01 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\36193800.dll
2008-03-13 13:01 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\28fc67ae.dll
2008-03-13 03:29 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\1a71a16c.dll
2008-03-13 03:29 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\213b8686.dll
2008-03-13 02:37 . 2008-03-13 02:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-13 02:32 . 2008-03-13 02:32 <DIR> d-------- C:\Program Files\GALA-NET
2008-03-13 02:32 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-03-12 05:07 . 2008-03-12 18:02 <DIR> d-------- C:\Program Files\Starcraft
2008-03-12 05:07 . 2008-03-12 05:11 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-03-12 05:07 . 2008-03-12 05:11 35,382 --a------ C:\WINDOWS\scunin.dat
2008-03-12 05:07 . 2008-03-12 05:11 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-11 16:48 . 2008-03-11 16:48 <DIR> d-------- C:\Program Files\IrfanView
2008-03-09 08:34 . 2008-03-09 08:35 <DIR> d-------- C:\Program Files\WinPcap
2008-03-04 02:06 . 2008-03-04 02:06 <DIR> d-------- C:\Program Files\QuickSFV
2008-03-02 14:57 . 2008-03-02 14:57 <DIR> d-------- C:\Program Files\MSTpscre
2008-02-29 14:47 . 2008-02-29 14:47 125 --a------ C:\ioSpecial.ini
2008-02-29 08:54 . 2008-02-29 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-29 00:03 . 2008-02-29 08:59 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-02-28 17:16 . 2008-02-28 17:22 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Azgard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 18:56 --------- d-----w C:\Documents and Settings\Stevo\Application Data\CallingID
2008-03-26 14:31 --------- d-----w C:\Documents and Settings\Stevo\Application Data\uTorrent
2008-03-26 10:17 --------- d-----w C:\Documents and Settings\Stevo\Application Data\GameHouse
2008-03-26 07:55 --------- d-----w C:\Program Files\Warcraft III
2008-03-24 14:30 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-03-21 17:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 07:51 --------- d-----w C:\Program Files\Rockwell Software
2008-03-18 04:59 2,984 --sh--r C:\EVRSI.SYS
2008-03-18 04:48 --------- d-----w C:\Program Files\Rockwell Automation
2008-03-13 06:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-09 12:35 --------- d-----w C:\Program Files\Java
2008-03-07 22:13 --------- d-----w C:\Program Files\PokerStars
2008-02-25 12:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-24 12:50 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-24 12:50 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-24 12:50 --------- d-----w C:\Program Files\OpenAL
2008-02-24 10:53 --------- d-----w C:\Program Files\RegCure
2008-02-24 05:28 --------- d-----w C:\Documents and Settings\Stevo\Application Data\Big Fish Games
2008-02-22 10:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Awem
2008-02-21 13:23 --------- d-----w C:\Documents and Settings\Stevo\Application Data\Viewpoint
2008-02-21 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-02-20 19:15 --------- d-----w C:\Program Files\QuickTime
2008-02-20 19:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-20 19:12 --------- d-----w C:\Program Files\The Rosetta Stone
2008-02-20 19:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 12:27 --------- d-----w C:\Documents and Settings\Stevo\Application Data\iWin
2008-02-13 08:59 --------- d-----w C:\Documents and Settings\Stevo\Application Data\PlayFirst
2008-02-13 08:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-10 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-02-10 03:04 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-02-10 03:04 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-02-10 03:04 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-02-10 03:04 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-02-10 03:04 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-02-10 03:04 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-02-10 03:04 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-02-10 03:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 03:01 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-10 03:01 --------- d-----w C:\Program Files\CA
2008-02-08 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-08 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-01-26 07:02 --------- d-----w C:\Program Files\SureThing
2008-01-26 07:02 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-01-26 05:02 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-08 22:09 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2008-01-07 03:47 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-01-07 01:56 62,009 ----a-w C:\WINDOWS\system32\wpfb_ati2dvag.dll
2008-01-07 01:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((( [email protected]_14.47.25.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-26 18:02:12 71,308 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-26 18:49:40 71,308 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-26 18:02:12 441,624 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-26 18:49:40 441,624 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 15:18 202024]
"Aim6"="" []
"Evidence Eliminator"="C:\Program Files\Evidence Eliminator\ee.exe" [2007-08-06 12:06 920124]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 13:17 694008]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 19:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"UsbCipHelper"="C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 17:25 434176]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NWEReboot"="" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-02-09 23:04 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-02-09 23:04 234760]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-02-09 23:04 14088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" [2007-07-30 17:15 258048]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-21 13:47:43 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-21 13:44:15 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 22:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"C:\\WINDOWS\\system32\\OpcEnum.exe"=
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"C:\\Program Files\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe"=
"C:\\Program Files\\Rockwell Software\\FactoryTalk Activation\\flexsvr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:port135
"6112:TCP"= 6112:TCP:WarcraftIII1
"6112:UDP"= 6112:UDP:WarcraftIII2

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 13:17]
R1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys [2007-04-18 10:32]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-02-09 23:04]
S2 FactoryTalk Activation Service;FactoryTalk Activation Service;C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe [2003-11-17 18:50]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [2007-04-18 11:18]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2000-05-31 19:13]
S3 EmuLogix 5868 Slot1;EmuLogix 5868 Slot1;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe" /1 []
S3 EmuLogix 5868 Slot10;EmuLogix 5868 Slot10;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /10 []
S3 EmuLogix 5868 Slot11;EmuLogix 5868 Slot11;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /11 []
S3 EmuLogix 5868 Slot12;EmuLogix 5868 Slot12;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /12 []
S3 EmuLogix 5868 Slot13;EmuLogix 5868 Slot13;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /13 []
S3 EmuLogix 5868 Slot14;EmuLogix 5868 Slot14;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /14 []
S3 EmuLogix 5868 Slot15;EmuLogix 5868 Slot15;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /15 []
S3 EmuLogix 5868 Slot16;EmuLogix 5868 Slot16;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /16 []
S3 EmuLogix 5868 Slot2;EmuLogix 5868 Slot2;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe" /2 []
S3 EmuLogix 5868 Slot3;EmuLogix 5868 Slot3;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /3 []
S3 EmuLogix 5868 Slot4;EmuLogix 5868 Slot4;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /4 []
S3 EmuLogix 5868 Slot5;EmuLogix 5868 Slot5;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /5 []
S3 EmuLogix 5868 Slot6;EmuLogix 5868 Slot6;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /6 []
S3 EmuLogix 5868 Slot7;EmuLogix 5868 Slot7;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /7 []
S3 EmuLogix 5868 Slot8;EmuLogix 5868 Slot8;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /8 []
S3 EmuLogix 5868 Slot9;EmuLogix 5868 Slot9;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /9 []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-06 23:47]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\System32\drivers\pivotmou.sys [2007-02-09 13:17]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [1999-11-10 08:27]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2006-01-18 10:33]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [1999-05-11 13:48]
S3 SimModuleService;1789-SIM Simulator Module;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [2007-04-18 10:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 04:16:26 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Stevo at 10 01 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 15:03:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Portrait Displays\Pivot Software\winphook.dll
.
Completion time: 2008-03-26 15:04:57
ComboFix-quarantined-files.txt 2008-03-26 19:04:41
ComboFix2.txt 2008-03-26 18:48:04
.
2008-03-12 11:25:35 --- E O F ---

Highdro (Thread Starter)
Here's the HJT log; it was too long to put into the previous post.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:55 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\MSTpscre\Tpscrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT GWY] "C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" -GWY
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UsbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: EmuLogix 5868 Slot1 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot10 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot11 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot12 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot13 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot14 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot15 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot16 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot2 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot3 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot4 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot5 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot6 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot7 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot8 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot9 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: FactoryTalk Activation Service - Macrovision Corporation - C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSOBSERV.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12321 bytes

Highdro (Thread Starter)
Almost 24 hours without hearing about a virus; now two new ones have shown up in my CA Anti-Virus scan.

3/27/2008 11:11:34 AM File infection: C:\System Volume Information\_restore{4F740C3B-9A96-4B48-AF14-1355530219E9}\RP169\A0021472.exe is Win32/Matcash.CX trojan. Deleted
3/27/2008 11:54:16 AM File infection: C:\System Volume Information\_restore{4F740C3B-9A96-4B48-AF14-1355530219E9}\RP169\A0021473.dll is Win32/Vundo.UP trojan. Deleted