I've Contracted a Virus

[Highdro]

I logged on my computer today to see that my CA Anti-virus has been detecting infected files. I thought it stopped and deleted them, but every few hours it keeps detecting more, leading me to believe there is some sort of program running that I am not aware about.

Any help would be appreciated. I have a HJT Log

This is what CA Anti-Virus Found.

3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection. Quarantined
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:16:02 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a18104.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:43 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection. Quarantined
3/26/2008 6:18:44 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:44 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:18:45 AM File infection: C:\DOCUME~1\Stevo\LOCALS~1\Temp\a21419.exe is Win32/VMalum.CCLF infection.
3/26/2008 6:31:08 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\DAB9P0KL\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 6:31:08 AM File infection: C:\WINDOWS\system32\gebyy.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\E58HA85G\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 8:21:15 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan.
3/26/2008 8:21:16 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan.
3/26/2008 8:21:16 AM File infection: C:\WINDOWS\system32\ssttt.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:11 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\8V908OJR\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 9:21:11 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 9:21:12 AM File infection: C:\WINDOWS\system32\pmnnl.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:16 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\DAB9P0KL\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 10:21:17 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 10:21:17 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:18 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:18 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 10:21:18 AM File infection: C:\WINDOWS\system32\pmnli.dll is Win32/Chisyne.DU trojan.
3/26/2008 11:42:54 AM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\F6Q7HPS1\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan.
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan.
3/26/2008 11:42:55 AM File infection: C:\WINDOWS\system32\jkhfg.dll is Win32/Chisyne.DU trojan.
3/26/2008 12:42:57 PM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\E58HA85G\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan.
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan.
3/26/2008 12:43:00 PM File infection: C:\WINDOWS\system32\vtsqp.dll is Win32/Chisyne.DU trojan.
3/26/2008 13:42:55 PM File infection: C:\Documents and Settings\Stevo\Local Settings\Temporary Internet Files\Content.IE5\DAB9P0KL\css4[1] is Win32/Chisyne.DU trojan. Deleted
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan. Deleted
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.
3/26/2008 13:42:57 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.
3/26/2008 13:42:58 PM File infection: C:\WINDOWS\system32\pmkji.dll is Win32/Chisyne.DU trojan.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:13 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\MSTpscre\Tpscrex.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\mrofinu1645.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Evidence Eliminator\Ee.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkkiii.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT GWY] "C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" -GWY
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UsbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1645.exe 61A847B5BBF72813349F3D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: jkkkiii - C:\WINDOWS\SYSTEM32\jkkkiii.dll
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: EmuLogix 5868 Slot1 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot10 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot11 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot12 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot13 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot14 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot15 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot16 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot2 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot3 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot4 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot5 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot6 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot7 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot8 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot9 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: FactoryTalk Activation Service - Macrovision Corporation - C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSOBSERV.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12775 bytes

 

[Highdro]

So I've run a VundoFix and a ComboFix and I have logs for both. Although VundoFix found nothing and ComboFix did delete 4 files, I can't remember them since it overwrote the log file when I ran it a second time. I ran KillBox and deleted all temp files. And I posted a new HJT Log since it did remove O2 - BHO: (no name) - {E9383002-FC55-4330-B9C9-67E03BC5C840} - C:\WINDOWS\system32\jkkkiii.dll


VundoFix V7.0.3

Scan started at 2:24:26 PM 3/26/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...



**********************************************************



ComboFix 08-03-25.4 - Stevo 2008-03-26 14:58:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.530 [GMT -4:00]
Running from: C:\Documents and Settings\Stevo\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 14:24 . 2008-03-26 14:24 <DIR> d-------- C:\VundoFix Backups
2008-03-26 11:38 . 2008-03-26 11:38 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Turbine
2008-03-26 11:19 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-26 11:16 . 2008-03-26 11:16 <DIR> d-------- C:\Program Files\Turbine
2008-03-26 11:12 . 2008-03-26 13:52 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\HouseCall 6.6
2008-03-26 10:41 . 2008-03-26 10:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-26 09:14 . 2003-07-19 11:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-03-26 09:14 . 2005-01-03 02:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-03-26 09:13 . 2008-03-26 09:13 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-26 09:11 . 2008-03-26 09:11 <DIR> d-------- C:\Nexon
2008-03-26 08:01 . 2008-03-26 11:15 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\GetRightToGo
2008-03-26 06:04 . 2008-03-26 06:04 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-24 15:36 . 2008-03-25 01:49 <DIR> d-------- C:\Program Files\Evidence Eliminator
2008-03-24 15:36 . 2000-05-22 01:00 203,976 --a------ C:\WINDOWS\system32\RichTx32.ocx
2008-03-24 15:36 . 1999-05-29 21:33 114,696 --a------ C:\WINDOWS\system32\Fablock6.ocx
2008-03-24 09:20 . 1998-04-24 01:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-03-24 09:20 . 2007-07-12 12:52 118,784 --a------ C:\WINDOWS\system32\EEGenFn1.dll
2008-03-24 09:20 . 2007-04-24 16:21 61,440 --a------ C:\WINDOWS\system32\Eeshellx.dll
2008-03-24 09:20 . 2007-04-24 16:20 40,960 --a------ C:\WINDOWS\system32\eetransx.exe
2008-03-24 09:20 . 1996-05-03 23:05 28,672 --a------ C:\WINDOWS\system32\MSGHOO32.OCX
2008-03-21 13:49 . 2008-03-21 13:49 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Logitech
2008-03-21 13:47 . 2008-03-21 13:47 <DIR> d-------- C:\Program Files\Common Files\LogiShared
2008-03-21 13:47 . 2008-03-21 13:47 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-03-21 13:45 . 2008-03-21 13:45 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-21 13:45 . 2008-03-21 13:45 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-03-21 13:44 . 2008-03-21 13:47 <DIR> d-------- C:\Program Files\Logitech
2008-03-21 13:44 . 2008-03-21 13:44 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-03-21 13:44 . 2008-03-21 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-21 13:44 . 2007-04-11 15:33 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2008-03-21 13:44 . 2007-04-23 04:00 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2008-03-21 13:44 . 2007-04-23 04:00 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-03-21 13:44 . 2007-04-23 04:00 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-03-21 13:44 . 2007-04-23 04:00 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2008-03-21 13:44 . 2007-04-11 15:32 56,080 --a------ C:\WINDOWS\KHALMNPR.Exe
2008-03-21 13:44 . 2007-04-11 15:32 36,112 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2008-03-21 13:44 . 2007-04-11 15:32 34,832 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2008-03-21 13:43 . 2008-03-21 13:43 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\InstallShield
2008-03-21 13:43 . 2008-03-21 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-03-20 07:02 . 2008-03-20 07:03 <DIR> d-------- C:\Program Files\Westward
2008-03-20 06:14 . 2008-03-20 07:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-03-18 05:09 . 2008-03-18 05:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-18 01:08 . 2008-03-18 02:27 393 --a------ C:\WINDOWS\WEMU500.INI
2008-03-18 00:39 . 2008-03-18 00:39 <DIR> d-------- C:\Program Files\Common Files\OPC Foundation
2008-03-18 00:39 . 2008-03-18 00:39 <DIR> d-------- C:\Program Files\Common Files\OMRON
2008-03-17 23:42 . 2008-03-17 23:42 <DIR> d-------- C:\RSLogix 5000
2008-03-17 23:36 . 2008-03-17 23:36 <DIR> d-------- C:\Program Files\RSLogix 5000 Module Profiles
2008-03-17 23:33 . 2001-06-21 21:39 73,728 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS
2008-03-17 23:33 . 2001-06-21 21:39 49,664 --a------ C:\WINDOWS\system32\SNTI386.DLL
2008-03-17 23:33 . 2001-06-21 21:39 18,432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL
2008-03-17 23:33 . 2001-06-21 21:39 9,949 --------- C:\WINDOWS\system32\SENTINEL.HLP
2008-03-17 23:25 . 2008-03-18 00:39 172 --a------ C:\WINDOWS\Rocksoft.ini
2008-03-17 23:20 . 2008-03-17 23:20 194 --a------ C:\WINDOWS\system32\RBDELDRV.BAT
2008-03-17 04:20 . 2008-03-17 04:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\JollyBear
2008-03-16 09:33 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\23683848.dll
2008-03-16 09:33 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\103b9048.dll
2008-03-13 13:01 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\1c66f701.dll
2008-03-13 13:01 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\124f83ee.dll
2008-03-13 13:01 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\36193800.dll
2008-03-13 13:01 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\28fc67ae.dll
2008-03-13 03:29 . 2004-08-04 08:00 1,689,088 --a------ C:\WINDOWS\system32\1a71a16c.dll
2008-03-13 03:29 . 2004-08-04 08:00 82,944 --a------ C:\WINDOWS\system32\213b8686.dll
2008-03-13 02:37 . 2008-03-13 02:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-13 02:32 . 2008-03-13 02:32 <DIR> d-------- C:\Program Files\GALA-NET
2008-03-13 02:32 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-03-12 05:07 . 2008-03-12 18:02 <DIR> d-------- C:\Program Files\Starcraft
2008-03-12 05:07 . 2008-03-12 05:11 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-03-12 05:07 . 2008-03-12 05:11 35,382 --a------ C:\WINDOWS\scunin.dat
2008-03-12 05:07 . 2008-03-12 05:11 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-11 16:48 . 2008-03-11 16:48 <DIR> d-------- C:\Program Files\IrfanView
2008-03-09 08:34 . 2008-03-09 08:35 <DIR> d-------- C:\Program Files\WinPcap
2008-03-04 02:06 . 2008-03-04 02:06 <DIR> d-------- C:\Program Files\QuickSFV
2008-03-02 14:57 . 2008-03-02 14:57 <DIR> d-------- C:\Program Files\MSTpscre
2008-02-29 14:47 . 2008-02-29 14:47 125 --a------ C:\ioSpecial.ini
2008-02-29 08:54 . 2008-02-29 08:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-02-29 00:03 . 2008-02-29 08:59 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-02-28 17:16 . 2008-02-28 17:22 <DIR> d-------- C:\Documents and Settings\Stevo\Application Data\Azgard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 18:56 --------- d-----w C:\Documents and Settings\Stevo\Application Data\CallingID
2008-03-26 14:31 --------- d-----w C:\Documents and Settings\Stevo\Application Data\uTorrent
2008-03-26 10:17 --------- d-----w C:\Documents and Settings\Stevo\Application Data\GameHouse
2008-03-26 07:55 --------- d-----w C:\Program Files\Warcraft III
2008-03-24 14:30 --------- d-----w C:\Program Files\Common Files\Rockwell
2008-03-21 17:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-18 07:51 --------- d-----w C:\Program Files\Rockwell Software
2008-03-18 04:59 2,984 --sh--r C:\EVRSI.SYS
2008-03-18 04:48 --------- d-----w C:\Program Files\Rockwell Automation
2008-03-13 06:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-09 12:35 --------- d-----w C:\Program Files\Java
2008-03-07 22:13 --------- d-----w C:\Program Files\PokerStars
2008-02-25 12:55 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-24 12:50 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-24 12:50 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-24 12:50 --------- d-----w C:\Program Files\OpenAL
2008-02-24 10:53 --------- d-----w C:\Program Files\RegCure
2008-02-24 05:28 --------- d-----w C:\Documents and Settings\Stevo\Application Data\Big Fish Games
2008-02-22 10:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Awem
2008-02-21 13:23 --------- d-----w C:\Documents and Settings\Stevo\Application Data\Viewpoint
2008-02-21 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-02-20 19:15 --------- d-----w C:\Program Files\QuickTime
2008-02-20 19:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-20 19:12 --------- d-----w C:\Program Files\The Rosetta Stone
2008-02-20 19:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 12:27 --------- d-----w C:\Documents and Settings\Stevo\Application Data\iWin
2008-02-13 08:59 --------- d-----w C:\Documents and Settings\Stevo\Application Data\PlayFirst
2008-02-13 08:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-10 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-02-10 03:04 99,592 ----a-w C:\WINDOWS\system32\isafeif.dll
2008-02-10 03:04 91,400 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-02-10 03:04 83,256 ----a-w C:\WINDOWS\system32\vetredir.dll
2008-02-10 03:04 32,264 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-02-10 03:04 26,376 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-02-10 03:04 21,512 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-02-10 03:04 21,128 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-02-10 03:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 03:01 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-10 03:01 --------- d-----w C:\Program Files\CA
2008-02-08 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-08 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-01-26 07:02 --------- d-----w C:\Program Files\SureThing
2008-01-26 07:02 --------- d-----w C:\Program Files\Common Files\SureThing Shared
2008-01-26 05:02 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-08 22:09 98,304 ----a-w C:\WINDOWS\system32CmdLineExt.dll
2008-01-07 03:47 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-01-07 01:56 62,009 ----a-w C:\WINDOWS\system32\wpfb_ati2dvag.dll
2008-01-07 01:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((( [email protected]_14.47.25.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-26 18:02:12 71,308 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-26 18:49:40 71,308 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-26 18:02:12 441,624 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-26 18:49:40 441,624 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 15:18 202024]
"Aim6"="" []
"Evidence Eliminator"="C:\Program Files\Evidence Eliminator\ee.exe" [2007-08-06 12:06 920124]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 13:17 694008]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 19:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"UsbCipHelper"="C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2006-09-28 17:25 434176]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NWEReboot"="" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-02-09 23:04 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-02-09 23:04 234760]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe" [2008-02-09 23:04 14088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" [2007-07-30 17:15 258048]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-21 13:47:43 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-21 13:44:15 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 22:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Rockwell Software\\RSLogix 5000\\ENU\\v16\\Bin\\RS5000.Exe"=
"C:\\WINDOWS\\system32\\OpcEnum.exe"=
"C:\\Program Files\\Rockwell Software\\RSLINX\\RSLINX.EXE"=
"C:\\Program Files\\Rockwell Software\\OPCTools\\OPCTest\\opctest.exe"=
"C:\\Program Files\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe"=
"C:\\Program Files\\Rockwell Software\\FactoryTalk Activation\\flexsvr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCPort135
"6112:TCP"= 6112:TCP:WarcraftIII1
"6112:UDP"= 6112:UDP:WarcraftIII2

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 13:17]
R1 VirtualBackplane;A-B Virtual Backplane;C:\WINDOWS\system32\Drivers\VirtualBackplane.sys [2007-04-18 10:32]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-02-09 23:04]
S2 FactoryTalk Activation Service;FactoryTalk Activation Service;C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe [2003-11-17 18:50]
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [2007-04-18 11:18]
S3 ABKTCX;Rockwell Automation 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys [2000-05-31 19:13]
S3 EmuLogix 5868 Slot1;EmuLogix 5868 Slot1;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe" /1 []
S3 EmuLogix 5868 Slot10;EmuLogix 5868 Slot10;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /10 []
S3 EmuLogix 5868 Slot11;EmuLogix 5868 Slot11;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /11 []
S3 EmuLogix 5868 Slot12;EmuLogix 5868 Slot12;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /12 []
S3 EmuLogix 5868 Slot13;EmuLogix 5868 Slot13;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /13 []
S3 EmuLogix 5868 Slot14;EmuLogix 5868 Slot14;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /14 []
S3 EmuLogix 5868 Slot15;EmuLogix 5868 Slot15;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /15 []
S3 EmuLogix 5868 Slot16;EmuLogix 5868 Slot16;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /16 []
S3 EmuLogix 5868 Slot2;EmuLogix 5868 Slot2;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe" /2 []
S3 EmuLogix 5868 Slot3;EmuLogix 5868 Slot3;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /3 []
S3 EmuLogix 5868 Slot4;EmuLogix 5868 Slot4;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /4 []
S3 EmuLogix 5868 Slot5;EmuLogix 5868 Slot5;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /5 []
S3 EmuLogix 5868 Slot6;EmuLogix 5868 Slot6;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /6 []
S3 EmuLogix 5868 Slot7;EmuLogix 5868 Slot7;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /7 []
S3 EmuLogix 5868 Slot8;EmuLogix 5868 Slot8;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /8 []
S3 EmuLogix 5868 Slot9;EmuLogix 5868 Slot9;"C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /9 []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-06 23:47]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\System32\drivers\pivotmou.sys [2007-02-09 13:17]
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS [1999-11-10 08:27]
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS [2006-01-18 10:33]
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS [1999-05-11 13:48]
S3 SimModuleService;1789-SIM Simulator Module;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [2007-04-18 10:44]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 04:16:26 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Stevo at 10 01 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 15:03:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Portrait Displays\Pivot Software\winphook.dll
.
Completion time: 2008-03-26 15:04:57
ComboFix-quarantined-files.txt 2008-03-26 19:04:41
ComboFix2.txt 2008-03-26 18:48:04
.
2008-03-12 11:25:35 --- E O F ---

 

[Highdro]

Heres the HJT, it was too long to put into previous post


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:55 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe
C:\Program Files\MSTpscre\Tpscrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Light\CAGlobalLight.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT GWY] "C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" -GWY
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UsbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.32\QOELoader.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: EmuLogix 5868 Slot1 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot10 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot11 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot12 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot13 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot14 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot15 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot16 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot2 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\\V16\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot3 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot4 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot5 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot6 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot7 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot8 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: EmuLogix 5868 Slot9 - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe
O23 - Service: FactoryTalk Activation Service - Macrovision Corporation - C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSOBSERV.EXE
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12321 bytes

 

[Highdro]

Almost 24 without hearing about a Virus now two knew ones have shown up from my CA Anti-Virus Scan

3/27/2008 11:11:34 AM File infection: C:\System Volume Information\_restore{4F740C3B-9A96-4B48-AF14-1355530219E9}\RP169\A0021472.exe is Win32/Matcash.CX trojan. Deleted
3/27/2008 11:54:16 AM File infection: C:\System Volume Information\_restore{4F740C3B-9A96-4B48-AF14-1355530219E9}\RP169\A0021473.dll is Win32/Vundo.UP trojan. Deleted