
OK - I keep getting the dreaded Explorer buffer overrun message and Internet Explorer periodically opens up new windows for me to all kinds of interesting sites, so it's pretty obvious I've managed to get my PC infected. I've updated definitions and run Spybot, Windows Defender and Norton, attempted to run Ad-Aware but it keeps failing on me, same with the Kaspersky online tool.

I downloaded the most recent (I hope) version of HijackThis and the results are below - any help would be greatly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 5:03:41 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

2 Contributors, 15 Replies, 16 Views, 9 Years Discussion Span, Last Post by gerbil

It is difficult to believe that this lil baby is the source of all your troubles...:
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
Let's ignore it for the moment and run this first:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, reboot to restore the desktop.
Oh, and in case I forget, when next I ask for a HijackThis log would you please delete your copy of the exe and download the latest version from here:
http://www.majorgeeks.com/download5554.html
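A small triage script, added here as an illustration and not part of gerbil's reply or of HijackThis itself, that reads HijackThis-style lines and flags the O4 entry gerbil singled out plus two other patterns visible in the same log: a Run value with a random-looking name, rundll32 loading a DLL with a random-looking name, and loading points whose target file is missing (the "Microsoft cache control" service pointing at C:\WINDOWS\system32\windows with "(file missing)" is the case in point). The sample lines are copied from the log posted above; the regular expressions and the "random-looking" thresholds are my own heuristics, not HijackThis rules, and they produce leads to check by hand, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\yddgxwuw.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # which heuristic fired
    line: str     # the log line it fired on


# Heuristics (assumptions made for this example, not rules from HijackThis):
# a Run value name of eight hex digits, a DLL basename of 7-9 lowercase letters,
# and a service with no known owner whose path has no executable extension.
RANDOM_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
RANDOM_DLL_NAME = re.compile(r"^[a-z]{7,9}\.dll$")
RUNDLL32_DLL = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)
EXECUTABLE_EXT = re.compile(r"\.(exe|sys|dll)$", re.IGNORECASE)

O4_ENTRY = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_ENTRY = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return the entries in a HijackThis log that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue  # blank lines, headers and the running-process list
        section = line.split(" - ", 1)[0]

        # A loading point whose target no longer exists: either the leftover of a
        # removal or a registry entry for something that was never really there.
        if "(no file)" in line or "(file missing)" in line:
            findings.append(Finding(section, "target file missing", line))

        m = O4_ENTRY.match(line)
        if m:
            if RANDOM_VALUE_NAME.match(m["name"]):
                findings.append(Finding(section, "random-looking Run value name", line))
            hit = RUNDLL32_DLL.search(m["cmd"])
            if hit:
                dll_name = hit.group(1).rsplit("\\", 1)[-1].lower()
                if RANDOM_DLL_NAME.match(dll_name):
                    findings.append(Finding(section, "rundll32 loading random-named DLL", line))

        m = O23_ENTRY.match(line)
        if m:
            path = m["path"].replace("(file missing)", "").strip().strip('"')
            if m["owner"] == "Unknown owner" and not EXECUTABLE_EXT.search(path):
                findings.append(Finding(section, "unknown-owner service without executable path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports five leads: the toolbar with no file, both rules on the b4bda793 entry, and both rules on the MSControlService line, while the THotkey, Windows Defender and ATI entries pass untouched. The thresholds are deliberately narrow so the output stays short enough to review by eye; widening them trades fewer misses for more legitimate entries to dismiss.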


Thanks for the help, Gerbil - I downloaded the new version of HijackThis, so I should be up to date when you ask for the log from it. Here are the results of ComboFix (and thanks for the tip on the keyboard / mouse - probably a 90% chance I would have screwed that up without the warning):

ComboFix 08-02.01.6 - Tim 2008-02-01  9:51:20.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.867 [GMT -8:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
* Created a new restore point


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\system32\ddccbxu.dll
C:\WINDOWS\system32\mljgf.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\bglgvhyl.dllbox
C:\WINDOWS\system32\ddccbxu.dll
C:\WINDOWS\system32\dfonkpht.dll
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\thpknofd.ini
C:\WINDOWS\system32\vuefcooe.dll
C:\WINDOWS\system32\wuwxgddy.ini
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\xbadd.ini2
C:\WINDOWS\system32\yddgxwuw.dll


----- BITS: Possible infected sites -----


hxxp://www.download.windowsupdate.com
hxxp://au.download.windowsupdate.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


.
-------\LEGACY_DOMAINSERVICE



(((((((((((((((((((((((((   Files Created from 2008-01-01 to 2008-02-01  )))))))))))))))))))))))))))))))
.


2008-01-31 20:56 . 2008-01-31 20:57 <DIR>    d--------   C:\Program Files\Remington Shoot!
2008-01-31 14:34 . 2008-01-31 14:34 <DIR>    d--------   C:\Program Files\Windows Defender
2008-01-30 23:55 . 2008-01-30 23:55 <DIR>    d--------   C:\Program Files\Lavasoft
2008-01-30 23:55 . 2008-01-30 23:56 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-30 23:11 . 2008-01-30 23:11 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\TrojanHunter
2008-01-30 22:57 . 2008-02-01 09:14 <DIR>    d--------   C:\Program Files\TrojanHunter 5.0
2008-01-30 21:42 . 2008-01-30 21:42 <DIR>    d--------   C:\WINDOWS\McAfee.com
2008-01-30 14:08 . 2008-01-30 14:08 153 --a------   C:\DelUS.bat
2008-01-30 12:24 . 2008-01-30 12:24 552 --a------   C:\WINDOWS\system32\d3d8caps.dat
2008-01-30 12:08 . 2008-01-12 18:32 23,904  --a------   C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-30 12:08 . 2008-01-15 09:54 10,537  --a------   C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-30 12:08 . 2008-01-15 05:28 706 --a------   C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-30 10:55 . 2008-01-30 10:55 16  --a------   C:\WINDOWS\system32\coh.cache
2008-01-30 10:25 . 2008-01-30 10:47 123,952 --a------   C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-30 10:25 . 2008-01-30 10:47 60,800  --a------   C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-30 10:25 . 2008-01-30 10:47 10,740  --a------   C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-30 10:25 . 2008-01-30 10:47 805 --a------   C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-29 22:38 . 2008-01-29 22:38 332,288 --a------   C:\WINDOWS\system32\ACF.tmp
2008-01-29 22:22 . 2008-01-29 22:34 8,627   --a------   C:\WINDOWS\system32\PAV_FOG.OPC
2008-01-29 21:42 . 2008-01-29 21:42 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\sentinel
2008-01-29 21:31 . 2008-01-29 21:31 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Backup
2008-01-29 21:30 . 2008-01-29 21:30 <DIR>    d--------   C:\Program Files\Panda Security
2008-01-29 21:25 . 2008-01-30 10:12 <DIR>    d--------   C:\Program Files\Common Files\Panda Software
2008-01-29 21:21 . 2008-01-30 21:32 998 --ahs----   C:\WINDOWS\system32\cyulyndk.ini
2008-01-29 20:16 . 2007-06-08 09:44 8,576   --a------   C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys
2008-01-29 20:00 . 2008-01-29 20:00 2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2008-01-29 20:00 . 2008-01-29 20:00 1,406   --a------   C:\WINDOWS\system32\Help.ico
2008-01-29 18:23 . 2008-01-29 18:23 <DIR>    d--------   C:\KAV
2008-01-29 14:59 . 2008-01-29 14:59 58  --a------   C:\WINDOWS\mchguid.ini
2008-01-29 10:26 . 2008-01-30 14:06 <DIR>    d--------   C:\Program Files\DNA
2008-01-29 10:26 . 2008-01-29 11:51 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\BitTorrent
2008-01-29 09:11 . 2008-01-29 09:11 <DIR>    d--h-----   C:\WINDOWS\PIF
2008-01-28 23:54 . 2008-01-30 12:11 <DIR>    d--------   C:\Program Files\Windows Desktop Search
2008-01-28 23:52 . 2006-09-15 04:36 192,000 -----c---   C:\WINDOWS\system32\dllcache\offfilt.dll
2008-01-28 23:52 . 2006-09-15 04:36 98,304  -----c---   C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-01-28 23:52 . 2006-09-15 04:36 29,696  -----c---   C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d----c---   C:\WINDOWS\system32\DRVSTORE
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d--------   C:\Program Files\SentrilockCardUtility
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d--------   C:\Program Files\DIFX
2008-01-28 17:04 . 2006-11-07 05:35 47,488  --a------   C:\WINDOWS\system32\drivers\SCR3XX2K.sys
2008-01-28 17:03 . 2008-01-30 23:54 <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 17:03 . 2008-01-28 17:03 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SentriLock
2008-01-28 16:25 . 2008-01-28 16:45 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 15:40 . 2008-01-28 15:40 <DIR>    d--------   C:\Program Files\Microsoft WSE
2008-01-28 15:39 . 2007-07-11 12:04 1,064,960   --a------   C:\WINDOWS\system32\cdintf300.dll
2008-01-28 15:39 . 2007-07-11 12:04 1,064,960   --a------   C:\WINDOWS\system32\acXMLParser.dll
2008-01-28 15:37 . 2008-01-28 15:41 <DIR>    d--------   C:\WINPOINT
2008-01-28 15:37 . 2008-01-30 16:32 674 --a------   C:\WINDOWS\winpoint.ini
2008-01-28 11:53 . 2001-08-17 13:53 6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2008-01-28 11:53 . 2001-08-17 13:53 6,784   --a--c---   C:\WINDOWS\system32\dllcache\serscan.sys
2008-01-28 11:53 . 2008-01-31 16:22 1,222   --a------   C:\WINDOWS\Brpfx04a.ini
2008-01-28 11:53 . 2008-01-28 11:53 410 --a------   C:\WINDOWS\BRWMARK.INI
2008-01-28 11:53 . 2008-01-29 16:45 153 --a------   C:\WINDOWS\brpcfx.ini
2008-01-28 11:53 . 2008-01-28 11:53 65  --a------   C:\WINDOWS\system32\BD8660DN.DAT
2008-01-28 11:52 . 2008-01-28 11:52 <DIR>    d--------   C:\Program Files\Brother
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Program Files\ScanSoft
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Program Files\Common Files\ScanSoft Shared
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-28 11:48 . 2003-09-24 11:36 27,019  --a------   C:\WINDOWS\maxlink.ini
2008-01-28 11:46 . 2008-01-28 11:46 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Brother
2008-01-28 11:36 . 2008-01-31 23:31 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-28 11:36 . 2008-01-28 11:36 1,409   --a------   C:\WINDOWS\QTFont.for
2008-01-28 11:09 . 2008-01-28 11:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-28 11:08 . 2008-01-28 11:08 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\Logitech
2008-01-28 11:07 . 2008-01-28 11:07 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-01-28 11:05 . 2007-11-15 10:06 301,656 --a------   C:\WINDOWS\system32\BtCoreIf.dll
2008-01-28 11:05 . 2007-11-15 10:07 170,512 --a------   C:\WINDOWS\system32\kemutb.dll
2008-01-28 11:05 . 2007-11-15 10:07 141,840 --a------   C:\WINDOWS\system32\KemUtil.dll
2008-01-28 11:05 . 2007-11-15 10:07 117,264 --a------   C:\WINDOWS\system32\KemWnd.dll
2008-01-28 11:05 . 2007-11-15 10:07 76,304  --a------   C:\WINDOWS\system32\KemXML.dll
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Program Files\Logitech
2008-01-28 11:04 . 2008-01-28 11:05 <DIR>    d--------   C:\Program Files\Common Files\Logishrd
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\InstallShield
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-28 10:34 . 2008-01-30 12:08 <DIR>    d--------   C:\Program Files\Norton AntiVirus
2008-01-28 10:32 . 2008-01-30 10:47 <DIR>    d--------   C:\Program Files\Symantec
2008-01-28 10:32 . 2008-01-31 23:17 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-28 09:18 . 2004-08-03 23:08 31,616  --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-28 09:18 . 2004-08-03 23:08 31,616  --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-28 09:18 . 2004-08-04 00:56 21,504  --a------   C:\WINDOWS\system32\hidserv.dll
2008-01-28 09:18 . 2004-08-04 00:56 21,504  --a--c---   C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-28 09:18 . 2004-08-03 22:58 14,848  --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-28 09:18 . 2004-08-03 22:58 14,848  --a--c---   C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-28 09:18 . 2001-08-17 13:48 12,160  --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-28 09:18 . 2001-08-17 13:48 12,160  --a--c---   C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-28 09:18 . 2001-08-17 14:02 9,600   --a------   C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-28 09:18 . 2001-08-17 14:02 9,600   --a--c---   C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-28 00:09 . 2008-01-28 00:09 <DIR>    d--------   C:\WINDOWS\Sun
2008-01-28 00:06 . 2008-01-28 00:06 <DIR>    d--------   C:\Program Files\Macromedia
2008-01-28 00:06 . 2008-01-28 00:06 <DIR>    d--------   C:\Program Files\Common Files\Macromedia Shared
2008-01-27 23:45 . 2008-01-27 23:45 <DIR>    d--------   C:\Program Files\Common Files\supportsoft
2008-01-27 23:44 . 2006-04-12 10:11 1,933,312   --a------   C:\WINDOWS\system32\cdintf251.dll
2008-01-27 23:39 . 2008-01-27 23:45 <DIR>    d--------   C:\Program Files\Intuit
2008-01-27 23:39 . 2008-01-27 23:39 <DIR>    d--------   C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-27 23:37 . 2008-01-27 23:37 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-01-27 23:36 . 2008-01-27 23:36 <DIR>    d--------   C:\Program Files\MSXML 4.0


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 18:10    1,562,112   ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 18:12    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 04:15    ---------   d-----w C:\Program Files\QuickTime
2008-01-30 04:14    ---------   d-----w C:\Program Files\Google
2008-01-29 22:02    ---------   d-----w C:\Program Files\Common Files\Adobe
2008-01-28 19:52    ---------   d-----w C:\Program Files\Common Files\InstallShield
2008-01-28 17:13    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-28 07:41    ---------   d-----w C:\Program Files\Common Files\Intuit
2008-01-27 21:36    ---------   d-----w C:\Program Files\Napster
2008-01-27 21:36    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-27 21:35    ---------   d-----w C:\Program Files\TOSHIBA
2008-01-27 21:26    ---------   d-----w C:\Program Files\Common Files\aolshare
2008-01-27 21:26    ---------   d-----w C:\Program Files\Common Files\AOL
2008-01-27 21:26    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 21:20    15,890  ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-01-27 21:15    ---------   d-----w C:\Program Files\Sonic
2007-12-01 07:57    43,696  ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 07:57    317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 07:57    279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 07:57    10,549  ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 07:57    10,549  ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 07:57    10,545  ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 07:57    1,430   ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 07:57    1,421   ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 07:57    1,415   ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-15 00:05    75,248  ----a-w C:\WINDOWS\zllsputility.exe
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
C:\WINDOWS\system32\ddabx.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 23:30    262144  --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}


[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-27 23:30 262144]


[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 23:32 65536]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-27 16:19 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 08:15 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:17 88358 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 15:25 73728]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 09:00 339968]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 14:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 14:26 688218]
"TPSMain"="TPSMain.exe" [2004-12-28 15:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-20 14:12 98304]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30 995328]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-29 14:02:21 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-28 11:05:24 784912]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 11:09:20 968224]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-20 13:34:50 155648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
bglgvhyl.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll


R3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2006-11-07 05:35]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []


.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 18:14:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 18:40:29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Tim.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 10:12:52
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-02-01 10:17:43 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-01 18:17:37
.
2008-01-29 00:06:24 --- E O F ---

Edited by happygeek: fixed formatting

0

==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

!!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!!
Post the contents of C:\vundofix.txt plus a new HijackThis log run in normal mode.

0

VundoFix didn't find any infections - weird. My system also seems to be doing much better - I have not gotten the buffer overrun error in a couple of days, and (knock on wood) it's been a while since explorer opened up a random page in a new window. It's still slow on boot, but much better.

Thanks again for your help, Gerbil - I really appreciate it. Log files are below:


VundoFix V6.7.7

Checking Java version...

Scan started at 11:11:08 AM 2/2/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


Here's the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:05 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Tim\Desktop\HiJackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: bglgvhyl - bglgvhyl.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11888 bytes

0
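The log above is read by eye in the thread. As an added example (not part of the original posts and not code from HijackThis or its author), here is the triage pass a responder would run over such a log in Python: it flags loader entries whose file is gone, anonymous browser add-ons, vendor-less services whose "binary" has no executable extension, bare filenames in Run keys, and names that look machine-generated. The sample lines are constructed to mirror the shapes in the posted log (missing `ddabx.dll`, the unnamed toolbar, `bglgvhyl.dll`, the `MSControlService` entry); the severities and the consonant-run threshold are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format. The shapes of these entries mirror
# the kinds seen in the thread; the lines themselves are illustrative.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\\WINDOWS\\system32\\ddabx.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O20 - Winlogon Notify: bglgvhyl - bglgvhyl.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\\WINDOWS\\system32\\windows (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\\TOSHIBA\\IVP\\swupdate\\swupdtmr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code (O2, O20, O23, ...)
    severity: str  # "high": dangling or anonymous loader entry; "info": worth a look
    reason: str
    line: str

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")
BINARY_RE = re.compile(r"\b([A-Za-z]{5,})\.(?:dll|exe|sys)\b")

def looks_random(stem: str) -> bool:
    """Alphabetic stem with a run of four or more consonants: catches generated
    names such as bglgvhyl or efkbbwhbyvsl, but also some vendor abbreviations
    (AGRSMMSG, LBTWlgn), so a hit is a prompt to look, not a verdict."""
    return bool(CONSONANT_RUN.search(stem.lower()))

def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O23" and "Unknown owner" in body:
        path = body.rsplit(" - ", 1)[-1].strip()
        path = re.sub(r"\s*\(file missing\)$", "", path)
        if not re.search(r"\.(exe|sys)$", path, re.I):
            return Finding(section, "high", "vendor-less service whose binary path has no executable extension", line)
        return Finding(section, "info", "service binary carries no vendor string", line)
    if "(file missing)" in body or "(no file)" in body:
        return Finding(section, "high", "loader entry points at a file that no longer exists", line)
    if section in ("O2", "O3") and "(no name)" in body:
        return Finding(section, "high", "anonymous browser add-on; legitimate ones register a display name", line)
    if section == "O4":
        target = body.split("] ", 1)[-1].strip().strip('"')
        if "\\" not in target:
            return Finding(section, "info", "bare filename; resolved by PATH search rather than a fixed location", line)
    for stem in BINARY_RE.findall(body):
        if looks_random(stem):
            return Finding(section, "info", f"binary name '{stem}' looks machine-generated", line)
    return None

def triage(log_text: str):
    return [f for f in map(triage_line, log_text.splitlines()) if f]

def summary(log_text: str):
    """Count findings by severity, e.g. {'high': 4, 'info': 2} for SAMPLE_LOG."""
    counts = {}
    for f in triage(log_text):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:<4} {f.reason}\n        {f.line}")
```

On the sample, the four "high" findings are exactly the entries the helper later targets in the CFScript (the unnamed BHO, the unnamed toolbar, the `bglgvhyl` Winlogon Notify hook and `MSControlService`). The consonant-run heuristic is deliberately "info" only: it also trips on the legitimate Logitech `LBTWlgn.dll` and on `AGRSMMSG`, which is why a missing file or a missing vendor is the signal to act on and the name is only a reason to look closer.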

That's okay re Vundofix; I asked you to run it because there was a reference to a file in combofix that did not show in the Deleted files list - just making sure.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________
File::
C:\WINDOWS\system32\cyulyndk.ini
C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys

Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{2318C2B1-4965-11D4-9B18-009027A5CD4F}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]

__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log plus a fresh hijackthis log.
Say how things are after a restart.

0
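The helper's script uses ComboFix's CFScript.txt layout: each `Section::` header is followed by one item per line, and the `Registry::` block borrows .reg-file syntax, where `[-Key]` removes a whole key and a `Name=-` line under a plain `[Key]` header removes a single value beneath it. As an added example (not ComboFix's code and not from the thread), this Python parser turns such a script into an explicit action list and catches the hand-editing mistake that is easiest to make, a `Name=-` line with no open key above it. The sample script is constructed to mirror the one posted; the expansion of ComboFix's `\~\` shorthand is an assumption taken from the BHO paths in the thread's logs.

```python
import re
from dataclasses import dataclass

# Constructed script with the same shape as the one posted in the thread: the
# three section headers it uses and both Registry:: deletion syntaxes.
SAMPLE_SCRIPT = """\
File::
C:\\WINDOWS\\system32\\cyulyndk.ini
C:\\WINDOWS\\system32\\drivers\\efkbbwhbyvsl.sys

Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\bglgvhyl]
"""

# ComboFix writes "\~\" as shorthand for this path in its logs and scripts; the
# expansion is assumed here from the BHO entries in the thread's logs.
TILDE_EXPANSION = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer"

@dataclass(frozen=True)
class Action:
    kind: str        # delete_file | delete_service | delete_key | delete_value
    target: str      # file path, service name or registry key
    name: str = ""   # value name, for delete_value only

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # [-Key] deletes the key; [Key] opens it
VALUE_DEL_RE = re.compile(r'^"?([^"=]+)"?=-$')   # Name=- deletes a value under the open key
HANDLED = {"File", "Service", "Registry"}        # the sections the posted script uses

def expand_key(key: str) -> str:
    return key.replace("\\~\\", "\\" + TILDE_EXPANSION + "\\")

def parse_cfscript(text: str):
    """Turn CFScript.txt into concrete actions. Returns (actions, errors); an
    error is a line ComboFix could not act on, such as a value deletion with
    no open key, which is easy to produce when hand-editing a script."""
    actions, errors, section, open_key = [], [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, open_key = m.group(1), None
            if section not in HANDLED:
                errors.append(f"line {lineno}: section {section}:: not handled by this parser")
            continue
        if section == "File":
            actions.append(Action("delete_file", line))
        elif section == "Service":
            actions.append(Action("delete_service", line))
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.group(1), expand_key(m.group(2))
                if minus:
                    actions.append(Action("delete_key", key))
                    open_key = None      # a key being deleted cannot take value lines
                else:
                    open_key = key
                continue
            m = VALUE_DEL_RE.match(line)
            if not m:
                errors.append(f"line {lineno}: unrecognised Registry:: line: {line}")
            elif open_key is None:
                errors.append(f"line {lineno}: value deletion with no open key: {line}")
            else:
                actions.append(Action("delete_value", open_key, m.group(1)))
        elif section is None:
            errors.append(f"line {lineno}: content before any section header: {line}")
    return actions, errors

if __name__ == "__main__":
    acts, errs = parse_cfscript(SAMPLE_SCRIPT)
    for a in acts:
        print(a.kind, a.target, a.name)
    for e in errs:
        print("ERROR", e)
```

Run against the sample it yields six actions and no errors; the two `File::` paths are the ones the follow-up ComboFix log in the thread reports under "Other Deletions". The parser only recognises the constructs the posted script uses, so a `"Name"="data"` assignment or a section such as `Folder::` is reported rather than silently accepted, which is the behaviour you want from a pre-flight check before dragging the file onto ComboFix.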

I copied that into notepad and saved it to my desktop as CFScript.txt, dragged it onto the ComboFix icon, said run and got an error that says:

"You cannot rename ComboFix as ComboFix

Please use another name"

Did I do something wrong?

0

Hang a mo... I'm checking; that should not have happened.
Okay, would you try doing the same procedure in Safe mode, please? One other point, do you have ONLY ONE copy of Combofix on your sys? Delete any older copies, then it may run correctly in normal mode.

0

OK - ComboFix worked in Safe Mode (seems like I should have thought of that). I'm pretty confident I only have one copy of ComboFix downloaded (I don't recall downloading multiple versions, and there is only one copy of it on the desktop and no copies at c:\ - and I can't see myself saving it anywhere else). I didn't want to wait for a Windows search.

Here's the ComboFix log:

ComboFix 08-02.01.6 - Tim 2008-02-02 20:29:04.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1188 [GMT -8:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\CFScript.txt


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


FILE
C:\WINDOWS\system32\cyulyndk.ini
C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\system32\cyulyndk.ini
C:\WINDOWS\system32\drivers\efkbbwhbyvsl.sys


.
(((((((((((((((((((((((((   Files Created from 2008-01-03 to 2008-02-03  )))))))))))))))))))))))))))))))
.


2008-02-02 11:11 . 2008-02-02 11:11 <DIR>    d--------   C:\VundoFix Backups
2008-02-01 22:59 . 2008-02-02 19:40 <DIR>    d--------   C:\Program Files\PokerStars.NET
2008-01-31 20:56 . 2008-01-31 20:57 <DIR>    d--------   C:\Program Files\Remington Shoot!
2008-01-31 14:34 . 2008-01-31 14:34 <DIR>    d--------   C:\Program Files\Windows Defender
2008-01-30 23:55 . 2008-01-30 23:55 <DIR>    d--------   C:\Program Files\Lavasoft
2008-01-30 23:55 . 2008-01-30 23:56 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-30 23:11 . 2008-01-30 23:11 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\TrojanHunter
2008-01-30 22:57 . 2008-02-01 09:14 <DIR>    d--------   C:\Program Files\TrojanHunter 5.0
2008-01-30 21:42 . 2008-01-30 21:42 <DIR>    d--------   C:\WINDOWS\McAfee.com
2008-01-30 14:08 . 2008-01-30 14:08 153 --a------   C:\DelUS.bat
2008-01-30 12:24 . 2008-01-30 12:24 552 --a------   C:\WINDOWS\system32\d3d8caps.dat
2008-01-30 12:08 . 2008-01-12 18:32 23,904  --a------   C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-30 12:08 . 2008-01-15 09:54 10,537  --a------   C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-30 12:08 . 2008-01-15 05:28 706 --a------   C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-30 10:55 . 2008-01-30 10:55 16  --a------   C:\WINDOWS\system32\coh.cache
2008-01-30 10:25 . 2008-01-30 10:47 123,952 --a------   C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-30 10:25 . 2008-01-30 10:47 60,800  --a------   C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-30 10:25 . 2008-01-30 10:47 10,740  --a------   C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-30 10:25 . 2008-01-30 10:47 805 --a------   C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-29 22:38 . 2008-01-29 22:38 332,288 --a------   C:\WINDOWS\system32\ACF.tmp
2008-01-29 22:22 . 2008-01-29 22:34 8,627   --a------   C:\WINDOWS\system32\PAV_FOG.OPC
2008-01-29 21:42 . 2008-01-29 21:42 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\sentinel
2008-01-29 21:31 . 2008-01-29 21:31 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Backup
2008-01-29 21:30 . 2008-01-29 21:30 <DIR>    d--------   C:\Program Files\Panda Security
2008-01-29 21:25 . 2008-01-30 10:12 <DIR>    d--------   C:\Program Files\Common Files\Panda Software
2008-01-29 20:00 . 2008-01-29 20:00 2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2008-01-29 20:00 . 2008-01-29 20:00 1,406   --a------   C:\WINDOWS\system32\Help.ico
2008-01-29 18:23 . 2008-01-29 18:23 <DIR>    d--------   C:\KAV
2008-01-29 14:59 . 2008-01-29 14:59 58  --a------   C:\WINDOWS\mchguid.ini
2008-01-29 10:26 . 2008-01-30 14:06 <DIR>    d--------   C:\Program Files\DNA
2008-01-29 10:26 . 2008-01-29 11:51 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\BitTorrent
2008-01-29 09:11 . 2008-01-29 09:11 <DIR>    d--h-----   C:\WINDOWS\PIF
2008-01-28 23:54 . 2008-01-30 12:11 <DIR>    d--------   C:\Program Files\Windows Desktop Search
2008-01-28 23:52 . 2006-09-15 04:36 192,000 -----c---   C:\WINDOWS\system32\dllcache\offfilt.dll
2008-01-28 23:52 . 2006-09-15 04:36 98,304  -----c---   C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-01-28 23:52 . 2006-09-15 04:36 29,696  -----c---   C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d----c---   C:\WINDOWS\system32\DRVSTORE
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d--------   C:\Program Files\SentrilockCardUtility
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d--------   C:\Program Files\DIFX
2008-01-28 17:04 . 2006-11-07 05:35 47,488  --a------   C:\WINDOWS\system32\drivers\SCR3XX2K.sys
2008-01-28 17:03 . 2008-01-30 23:54 <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 17:03 . 2008-01-28 17:03 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SentriLock
2008-01-28 16:25 . 2008-01-28 16:45 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 15:40 . 2008-01-28 15:40 <DIR>    d--------   C:\Program Files\Microsoft WSE
2008-01-28 15:39 . 2007-07-11 12:04 1,064,960   --a------   C:\WINDOWS\system32\cdintf300.dll
2008-01-28 15:39 . 2007-07-11 12:04 1,064,960   --a------   C:\WINDOWS\system32\acXMLParser.dll
2008-01-28 15:37 . 2008-01-28 15:41 <DIR>    d--------   C:\WINPOINT
2008-01-28 15:37 . 2008-01-30 16:32 674 --a------   C:\WINDOWS\winpoint.ini
2008-01-28 11:53 . 2001-08-17 13:53 6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2008-01-28 11:53 . 2001-08-17 13:53 6,784   --a--c---   C:\WINDOWS\system32\dllcache\serscan.sys
2008-01-28 11:53 . 2008-01-31 16:22 1,222   --a------   C:\WINDOWS\Brpfx04a.ini
2008-01-28 11:53 . 2008-01-28 11:53 410 --a------   C:\WINDOWS\BRWMARK.INI
2008-01-28 11:53 . 2008-01-29 16:45 153 --a------   C:\WINDOWS\brpcfx.ini
2008-01-28 11:53 . 2008-01-28 11:53 65  --a------   C:\WINDOWS\system32\BD8660DN.DAT
2008-01-28 11:52 . 2008-01-28 11:52 <DIR>    d--------   C:\Program Files\Brother
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Program Files\ScanSoft
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Program Files\Common Files\ScanSoft Shared
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-28 11:48 . 2003-09-24 11:36 27,019  --a------   C:\WINDOWS\maxlink.ini
2008-01-28 11:46 . 2008-01-28 11:46 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Brother
2008-01-28 11:36 . 2008-01-31 23:31 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-28 11:36 . 2008-01-28 11:36 1,409   --a------   C:\WINDOWS\QTFont.for
2008-01-28 11:09 . 2008-01-28 11:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-28 11:08 . 2008-01-28 11:08 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\Logitech
2008-01-28 11:07 . 2008-01-28 11:07 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-01-28 11:05 . 2007-11-15 10:06 301,656 --a------   C:\WINDOWS\system32\BtCoreIf.dll
2008-01-28 11:05 . 2007-11-15 10:07 170,512 --a------   C:\WINDOWS\system32\kemutb.dll
2008-01-28 11:05 . 2007-11-15 10:07 141,840 --a------   C:\WINDOWS\system32\KemUtil.dll
2008-01-28 11:05 . 2007-11-15 10:07 117,264 --a------   C:\WINDOWS\system32\KemWnd.dll
2008-01-28 11:05 . 2007-11-15 10:07 76,304  --a------   C:\WINDOWS\system32\KemXML.dll
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Program Files\Logitech
2008-01-28 11:04 . 2008-01-28 11:05 <DIR>    d--------   C:\Program Files\Common Files\Logishrd
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\InstallShield
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-28 10:34 . 2008-01-30 12:08 <DIR>    d--------   C:\Program Files\Norton AntiVirus
2008-01-28 10:32 . 2008-01-30 10:47 <DIR>    d--------   C:\Program Files\Symantec
2008-01-28 10:32 . 2008-01-31 23:17 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-28 09:18 . 2004-08-03 23:08 31,616  --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-28 09:18 . 2004-08-03 23:08 31,616  --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-28 09:18 . 2004-08-04 00:56 21,504  --a------   C:\WINDOWS\system32\hidserv.dll
2008-01-28 09:18 . 2004-08-04 00:56 21,504  --a--c---   C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-28 09:18 . 2004-08-03 22:58 14,848  --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-28 09:18 . 2004-08-03 22:58 14,848  --a--c---   C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-28 09:18 . 2001-08-17 13:48 12,160  --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-28 09:18 . 2001-08-17 13:48 12,160  --a--c---   C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-28 09:18 . 2001-08-17 14:02 9,600   --a------   C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-28 09:18 . 2001-08-17 14:02 9,600   --a--c---   C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-28 00:09 . 2008-01-28 00:09 <DIR>    d--------   C:\WINDOWS\Sun
2008-01-28 00:06 . 2008-01-28 00:06 <DIR>    d--------   C:\Program Files\Macromedia
2008-01-28 00:06 . 2008-01-28 00:06 <DIR>    d--------   C:\Program Files\Common Files\Macromedia Shared
2008-01-27 23:45 . 2008-01-27 23:45 <DIR>    d--------   C:\Program Files\Common Files\supportsoft
2008-01-27 23:44 . 2006-04-12 10:11 1,933,312   --a------   C:\WINDOWS\system32\cdintf251.dll
2008-01-27 23:39 . 2008-01-27 23:45 <DIR>    d--------   C:\Program Files\Intuit
2008-01-27 23:39 . 2008-01-27 23:39 <DIR>    d--------   C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-27 23:37 . 2008-01-27 23:37 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-01-27 23:36 . 2008-01-27 23:36 <DIR>    d--------   C:\Program Files\MSXML 4.0


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 18:10    1,562,112   ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 18:12    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 04:15    ---------   d-----w C:\Program Files\QuickTime
2008-01-30 04:14    ---------   d-----w C:\Program Files\Google
2008-01-29 22:02    ---------   d-----w C:\Program Files\Common Files\Adobe
2008-01-28 19:52    ---------   d-----w C:\Program Files\Common Files\InstallShield
2008-01-28 17:13    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-28 07:41    ---------   d-----w C:\Program Files\Common Files\Intuit
2008-01-27 21:36    ---------   d-----w C:\Program Files\Napster
2008-01-27 21:36    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-27 21:35    ---------   d-----w C:\Program Files\TOSHIBA
2008-01-27 21:26    ---------   d-----w C:\Program Files\Common Files\aolshare
2008-01-27 21:26    ---------   d-----w C:\Program Files\Common Files\AOL
2008-01-27 21:26    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 21:20    15,890  ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-01-27 21:15    ---------   d-----w C:\Program Files\Sonic
2007-12-14 19:32    12,632  ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-15 00:05    75,248  ----a-w C:\WINDOWS\zllsputility.exe
2007-11-15 00:05    1,086,952   ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:26    721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
C:\WINDOWS\system32\ddabx.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 23:30    262144  --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 23:32 65536]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-27 16:19 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 08:15 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:17 88358 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 15:25 73728]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 09:00 339968]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 14:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 14:26 688218]
"TPSMain"="TPSMain.exe" [2004-12-28 15:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-20 14:12 98304]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30 995328]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-29 14:02:21 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-28 11:05:24 784912]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 11:09:20 968224]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-20 13:34:50 155648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll


S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2006-11-07 05:35]


.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 04:29:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 18:40:29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Tim.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 20:33:57
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2008-02-02 20:35:21
ComboFix-quarantined-files.txt  2008-02-03 04:34:42
ComboFix2.txt  2008-02-01 18:17:44
.
2008-01-29 00:06:24 --- E O F ---



Here's the (new) HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:31 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HiJackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: bglgvhyl - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) -   - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 11808 bytes

Edited by happygeek: fixed formatting


Tim, sorry, but I missed something. You have Spybot's TeaTimer running, and that prevented some of the registry fixes in that last script from being made. Could you please turn off TeaTimer, delete your old CFScript.txt [it is renamed], and then save and run this reworked one [remember, just the text between the lines, not the lines themselves]:
[try it in normal mode first...]
___________________________________________________________________________
Service::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{386F90DB-AEF3-46F5-8DB6-185773BDC279}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A5425A5-B020-49ED-AADF-9AE1D350D1E4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A6DCCA6-E38C-4D93-9F38-5F9E13F75121}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7735687A-6247-4249-8018-1AE893E8CD8E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA04B9DC-6566-488F-96DE-E3133B167D5B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4226652-BE0E-48B2-9C12-C59B94D5AFF9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}=-
{2318C2B1-4965-11D4-9B18-009027A5CD4F}=-
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bglgvhyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccbxu]
____________________________________________________________________________
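The entries that the CFScript above removes share a few mechanical tells in the HijackThis log: an O2 BHO or O3 toolbar with "(no name)" whose file is "(file missing)" / "(no file)", an O20 Winlogon Notify entry whose "DLL" is just the bare directory C:\WINDOWS\, and an O23 service whose binary does not exist. The following Python triage script is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses lines in HijackThis's log format and flags those tells. The sample lines are a subset copied from the log posted earlier in the thread, and the rules are the editor's own heuristics (the "Unknown owner" check in particular is a weak signal, since several legitimate vendors also leave the publisher empty), not a signature database.

```python
import re

# Sample input: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O20 - Winlogon Notify: bglgvhyl - C:\WINDOWS\
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis entries look like "O2 - BHO: ..." / "R1 - HKLM\..." / "F2 - ...".
ENTRY = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# O20 body: "Winlogon Notify: <subkey name> - <dll path>"
NOTIFY = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")


def parse_entry(line):
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_entry(line):
    """Return the reasons an entry deserves a second look ([] if none).

    Heuristics (editor's own, not HijackThis logic):
      - a registered load point whose file is gone; a clean machine has no
        reason to keep it, and it is the usual leftover of a removed or
        self-renaming infection
      - an O2/O3 COM object with no display name
      - an O20 Winlogon Notify "DLL" that is actually a directory path
      - an O23 service with no publisher string (weak: corroboration only)
    """
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if "(file missing)" in body or body.endswith("(no file)"):
        reasons.append("target file missing")
    if section in ("O2", "O3") and "(no name)" in body:
        reasons.append("unnamed COM object")
    if section == "O20":
        m = NOTIFY.match(body)
        if m and m.group(2).rstrip().endswith("\\"):
            reasons.append("Winlogon Notify path is a directory, not a DLL")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher (weak)")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = flag_entry(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, it reports exactly the four entries the CFScript targets (the ddabx.dll BHO, the nameless toolbar, the bglgvhyl Winlogon Notify entry and the MSControlService service) and stays silent on the vendor entries around them. It is a triage aid for reading a log, not a removal tool: everything it flags should still be cross-checked against the registry and filesystem before anything is deleted.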


Shut down Spybot and it worked in normal mode - here's the ComboFix log after running that script (though I just got a Spybot message while writing this post - I shut it down and then opened up Task Manager to make sure TeaTimer was not running prior to running ComboFix):

ComboFix 08-02.01.6 - Tim 2008-02-02 21:37:51.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.927 [GMT -8:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\CFScript.txt
* Created a new restore point


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


(((((((((((((((((((((((((   Files Created from 2008-01-03 to 2008-02-03  )))))))))))))))))))))))))))))))
.


2008-02-02 11:11 . 2008-02-02 11:11 <DIR>    d--------   C:\VundoFix Backups
2008-02-01 22:59 . 2008-02-02 19:40 <DIR>    d--------   C:\Program Files\PokerStars.NET
2008-01-31 20:56 . 2008-01-31 20:57 <DIR>    d--------   C:\Program Files\Remington Shoot!
2008-01-31 14:34 . 2008-01-31 14:34 <DIR>    d--------   C:\Program Files\Windows Defender
2008-01-30 23:55 . 2008-01-30 23:55 <DIR>    d--------   C:\Program Files\Lavasoft
2008-01-30 23:55 . 2008-01-30 23:56 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-30 23:11 . 2008-01-30 23:11 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\TrojanHunter
2008-01-30 22:57 . 2008-02-01 09:14 <DIR>    d--------   C:\Program Files\TrojanHunter 5.0
2008-01-30 21:42 . 2008-01-30 21:42 <DIR>    d--------   C:\WINDOWS\McAfee.com
2008-01-30 14:08 . 2008-01-30 14:08 153 --a------   C:\DelUS.bat
2008-01-30 12:24 . 2008-01-30 12:24 552 --a------   C:\WINDOWS\system32\d3d8caps.dat
2008-01-30 12:08 . 2008-01-12 18:32 23,904  --a------   C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-30 12:08 . 2008-01-15 09:54 10,537  --a------   C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-30 12:08 . 2008-01-15 05:28 706 --a------   C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-30 10:55 . 2008-01-30 10:55 16  --a------   C:\WINDOWS\system32\coh.cache
2008-01-30 10:25 . 2008-01-30 10:47 123,952 --a------   C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-30 10:25 . 2008-01-30 10:47 60,800  --a------   C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-30 10:25 . 2008-01-30 10:47 10,740  --a------   C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-30 10:25 . 2008-01-30 10:47 805 --a------   C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-29 22:38 . 2008-01-29 22:38 332,288 --a------   C:\WINDOWS\system32\ACF.tmp
2008-01-29 22:22 . 2008-01-29 22:34 8,627   --a------   C:\WINDOWS\system32\PAV_FOG.OPC
2008-01-29 21:42 . 2008-01-29 21:42 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\sentinel
2008-01-29 21:31 . 2008-01-29 21:31 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Backup
2008-01-29 21:30 . 2008-01-29 21:30 <DIR>    d--------   C:\Program Files\Panda Security
2008-01-29 21:25 . 2008-01-30 10:12 <DIR>    d--------   C:\Program Files\Common Files\Panda Software
2008-01-29 20:00 . 2008-01-29 20:00 2,550   --a------   C:\WINDOWS\system32\Uninstall.ico
2008-01-29 20:00 . 2008-01-29 20:00 1,406   --a------   C:\WINDOWS\system32\Help.ico
2008-01-29 18:23 . 2008-01-29 18:23 <DIR>    d--------   C:\KAV
2008-01-29 14:59 . 2008-01-29 14:59 58  --a------   C:\WINDOWS\mchguid.ini
2008-01-29 10:26 . 2008-01-30 14:06 <DIR>    d--------   C:\Program Files\DNA
2008-01-29 10:26 . 2008-01-29 11:51 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\BitTorrent
2008-01-29 09:11 . 2008-01-29 09:11 <DIR>    d--h-----   C:\WINDOWS\PIF
2008-01-28 23:54 . 2008-01-30 12:11 <DIR>    d--------   C:\Program Files\Windows Desktop Search
2008-01-28 23:52 . 2006-09-15 04:36 192,000 -----c---   C:\WINDOWS\system32\dllcache\offfilt.dll
2008-01-28 23:52 . 2006-09-15 04:36 98,304  -----c---   C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-01-28 23:52 . 2006-09-15 04:36 29,696  -----c---   C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d----c---   C:\WINDOWS\system32\DRVSTORE
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d--------   C:\Program Files\SentrilockCardUtility
2008-01-28 17:04 . 2008-01-28 17:04 <DIR>    d--------   C:\Program Files\DIFX
2008-01-28 17:04 . 2006-11-07 05:35 47,488  --a------   C:\WINDOWS\system32\drivers\SCR3XX2K.sys
2008-01-28 17:03 . 2008-01-30 23:54 <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 17:03 . 2008-01-28 17:03 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SentriLock
2008-01-28 16:25 . 2008-01-28 16:45 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 15:40 . 2008-01-28 15:40 <DIR>    d--------   C:\Program Files\Microsoft WSE
2008-01-28 15:39 . 2007-07-11 12:04 1,064,960   --a------   C:\WINDOWS\system32\cdintf300.dll
2008-01-28 15:39 . 2007-07-11 12:04 1,064,960   --a------   C:\WINDOWS\system32\acXMLParser.dll
2008-01-28 15:37 . 2008-01-28 15:41 <DIR>    d--------   C:\WINPOINT
2008-01-28 15:37 . 2008-01-30 16:32 674 --a------   C:\WINDOWS\winpoint.ini
2008-01-28 11:53 . 2001-08-17 13:53 6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2008-01-28 11:53 . 2001-08-17 13:53 6,784   --a--c---   C:\WINDOWS\system32\dllcache\serscan.sys
2008-01-28 11:53 . 2008-01-31 16:22 1,222   --a------   C:\WINDOWS\Brpfx04a.ini
2008-01-28 11:53 . 2008-01-28 11:53 410 --a------   C:\WINDOWS\BRWMARK.INI
2008-01-28 11:53 . 2008-01-29 16:45 153 --a------   C:\WINDOWS\brpcfx.ini
2008-01-28 11:53 . 2008-01-28 11:53 65  --a------   C:\WINDOWS\system32\BD8660DN.DAT
2008-01-28 11:52 . 2008-01-28 11:52 <DIR>    d--------   C:\Program Files\Brother
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Program Files\ScanSoft
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Program Files\Common Files\ScanSoft Shared
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-01-28 11:48 . 2008-01-28 11:48 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-28 11:48 . 2003-09-24 11:36 27,019  --a------   C:\WINDOWS\maxlink.ini
2008-01-28 11:46 . 2008-01-28 11:46 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Brother
2008-01-28 11:36 . 2008-01-31 23:31 54,156  --ah-----   C:\WINDOWS\QTFont.qfn
2008-01-28 11:36 . 2008-01-28 11:36 1,409   --a------   C:\WINDOWS\QTFont.for
2008-01-28 11:09 . 2008-01-28 11:09 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-01-28 11:08 . 2008-01-28 11:08 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\Logitech
2008-01-28 11:07 . 2008-01-28 11:07 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-01-28 11:06 . 2008-01-28 11:06 0   --ah-----   C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-01-28 11:05 . 2007-11-15 10:06 301,656 --a------   C:\WINDOWS\system32\BtCoreIf.dll
2008-01-28 11:05 . 2007-11-15 10:07 170,512 --a------   C:\WINDOWS\system32\kemutb.dll
2008-01-28 11:05 . 2007-11-15 10:07 141,840 --a------   C:\WINDOWS\system32\KemUtil.dll
2008-01-28 11:05 . 2007-11-15 10:07 117,264 --a------   C:\WINDOWS\system32\KemWnd.dll
2008-01-28 11:05 . 2007-11-15 10:07 76,304  --a------   C:\WINDOWS\system32\KemXML.dll
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Program Files\Logitech
2008-01-28 11:04 . 2008-01-28 11:05 <DIR>    d--------   C:\Program Files\Common Files\Logishrd
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Documents and Settings\Tim\Application Data\InstallShield
2008-01-28 11:04 . 2008-01-28 11:04 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-28 10:34 . 2008-01-30 12:08 <DIR>    d--------   C:\Program Files\Norton AntiVirus
2008-01-28 10:32 . 2008-01-30 10:47 <DIR>    d--------   C:\Program Files\Symantec
2008-01-28 10:32 . 2008-01-31 23:17 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-28 09:18 . 2004-08-03 23:08 31,616  --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-28 09:18 . 2004-08-03 23:08 31,616  --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-28 09:18 . 2004-08-04 00:56 21,504  --a------   C:\WINDOWS\system32\hidserv.dll
2008-01-28 09:18 . 2004-08-04 00:56 21,504  --a--c---   C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-28 09:18 . 2004-08-03 22:58 14,848  --a------   C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-28 09:18 . 2004-08-03 22:58 14,848  --a--c---   C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-28 09:18 . 2001-08-17 13:48 12,160  --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-28 09:18 . 2001-08-17 13:48 12,160  --a--c---   C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-28 09:18 . 2001-08-17 14:02 9,600   --a------   C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-28 09:18 . 2001-08-17 14:02 9,600   --a--c---   C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-28 00:09 . 2008-01-28 00:09 <DIR>    d--------   C:\WINDOWS\Sun
2008-01-28 00:06 . 2008-01-28 00:06 <DIR>    d--------   C:\Program Files\Macromedia
2008-01-28 00:06 . 2008-01-28 00:06 <DIR>    d--------   C:\Program Files\Common Files\Macromedia Shared
2008-01-27 23:45 . 2008-01-27 23:45 <DIR>    d--------   C:\Program Files\Common Files\supportsoft
2008-01-27 23:44 . 2006-04-12 10:11 1,933,312   --a------   C:\WINDOWS\system32\cdintf251.dll
2008-01-27 23:39 . 2008-01-27 23:45 <DIR>    d--------   C:\Program Files\Intuit
2008-01-27 23:39 . 2008-01-27 23:39 <DIR>    d--------   C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-27 23:37 . 2008-01-27 23:37 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-01-27 23:36 . 2008-01-27 23:36 <DIR>    d--------   C:\Program Files\MSXML 4.0


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 18:10    1,562,112   ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-30 18:12    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 04:15    ---------   d-----w C:\Program Files\QuickTime
2008-01-30 04:14    ---------   d-----w C:\Program Files\Google
2008-01-29 22:02    ---------   d-----w C:\Program Files\Common Files\Adobe
2008-01-28 19:52    ---------   d-----w C:\Program Files\Common Files\InstallShield
2008-01-28 17:13    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-01-28 07:41    ---------   d-----w C:\Program Files\Common Files\Intuit
2008-01-27 21:36    ---------   d-----w C:\Program Files\Napster
2008-01-27 21:36    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-01-27 21:35    ---------   d-----w C:\Program Files\TOSHIBA
2008-01-27 21:26    ---------   d-----w C:\Program Files\Common Files\aolshare
2008-01-27 21:26    ---------   d-----w C:\Program Files\Common Files\AOL
2008-01-27 21:26    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 21:20    15,890  ----a-w C:\WINDOWS\system32\drivers\mdc8021x.sys
2008-01-27 21:15    ---------   d-----w C:\Program Files\Sonic
2007-12-14 19:32    12,632  ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-15 00:05    75,248  ----a-w C:\WINDOWS\zllsputility.exe
2007-11-15 00:05    1,086,952   ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:26    721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A01B65F-727B-486B-A5C2-2B45A2D12C6B}]
C:\WINDOWS\system32\ddabx.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-27 23:30    262144  --a------   C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-29 23:32 65536]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-27 16:19 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-04-25 08:15 339968]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 15:17 88358 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 15:25 73728]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 09:00 339968]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-01-14 01:05 122939]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 14:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 14:26 688218]
"TPSMain"="TPSMain.exe" [2004-12-28 15:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 15:37 151552]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-20 14:12 98304]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30 995328]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-13 23:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-29 14:02:21 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-28 11:05:24 784912]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 11:09:20 968224]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-04-20 13:34:50 155648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll


S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys [2006-11-07 05:35]


.
Contents of the 'Scheduled Tasks' folder
"2008-02-03 04:40:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-30 18:40:29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Tim.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 21:40:42
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2008-02-02 21:41:37
ComboFix-quarantined-files.txt  2008-02-03 05:41:33
ComboFix2.txt  2008-02-03 04:35:22
ComboFix3.txt  2008-02-01 18:17:44
.
2008-01-29 00:06:24 --- E O F ---



And here's a new HiJackThisLog (I shut down spybot again prior to running this):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:46 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tim\Desktop\HiJackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) -   - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 11405 bytes


0

Hello Tim,
perhaps Windows Defender is blocking us - please disable its Realtime Protection....
Open Windows Defender, click Tools, General Settings, Scroll to and uncheck Turn on real-time protection.
Click Save and close Windows Defender.
[Btw, this is the easy way to shut down Teatimer temporarily....
To disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box].

To avoid the time consumption of running Combofix again let's do this another way:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Really, you should fix those two O15 items also - there is no good reason to have any items in the Trusted Zone.
Good, now we remove this service...:
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
==Go Start, run, type services.msc and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service, right-click it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....

Done? Make a new hijackthis Scan Only and check that those four items have been removed. If they are gone please tell me, plus re-enable Windows Defender and Teatimer, and reinstall ZoneAlarm SpyBlocker.

0
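As an added example (not from this thread or from HijackThis itself), a small Python script that reads HijackThis-format log lines and flags the same kinds of entries Gerbil picked out by hand: O2/O3 browser add-ons whose file is gone, O15 Trusted Zone entries, and O23 services whose binary is missing, pulling out the short service name that `sc delete` needs. The sample log lines are constructed in the format of the logs above; the `Finding` class and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 log format (a few lines of the same
# shape as the log posted in this thread; not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A01B65F-727B-486B-A5C2-2B45A2D12C6B} - C:\WINDOWS\system32\ddabx.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://download.windowsupdate.com
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10945 bytes
"""

# "O2 - BHO: ..." / "R1 - HKLM..." -> section code plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<sec>O\d+|R\d)\s+-\s+(?P<body>.*)$")

# O23 body: "Service: <display> (<short name>) - <owner> - <path>".
# The short name in parentheses is optional; some services list only the display name.
O23_RE = re.compile(
    r"^Service:\s+(?P<display>.+?)(?:\s+\((?P<name>[^()]+)\))?"
    r"\s+-\s+(?P<owner>.*?)\s+-\s+(?P<path>.+)$"
)

# HijackThis marks orphaned registrations with one of these.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    line: str
    reason: str
    service_name: Optional[str] = None  # only set for O23 entries


def flag_entries(log_text: str) -> List[Finding]:
    """Return the entries a helper would typically ask the user to fix."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, trailer lines
        sec, body = m.group("sec"), m.group("body")
        missing = any(marker in body for marker in MISSING_MARKERS)
        if sec in ("O2", "O3") and missing:
            findings.append(Finding(sec, raw, "browser add-on registered but its file is gone"))
        elif sec == "O15":
            # Any Trusted Zone entry lowers IE's security settings for that site.
            findings.append(Finding(sec, raw, "Trusted Zone entry"))
        elif sec == "O23" and missing:
            svc = O23_RE.match(body)
            name = (svc.group("name") or svc.group("display")) if svc else None
            findings.append(Finding(sec, raw, "service whose binary does not exist", name))
    return findings


def sc_delete_command(service_name: str) -> str:
    """The command Gerbil describes, built from the exact short service name."""
    return f'sc delete "{service_name}"'


if __name__ == "__main__":
    for f in flag_entries(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
        if f.service_name:
            print(f"    -> {sc_delete_command(f.service_name)}")
```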

OK - looks like I was able to get rid of those O2 and O3 entries (and I followed your advice and got rid of the O15 entries while I was in the business) and then was able to delete that O23 service. Here's the new HiJackThis log (before re-enabling Teatimer, Windows Defender, et al):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:37 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Tim\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5219/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10945 bytes

0

Ripper. That's a good job, Tim, log looks clean, too. I assume all is working well now?
If so, re-enable those guards and reinstall SpyBlock and off you go. Cheers

0

Seems to be doing great. Thanks so much Gerbil, I really appreciate you taking the time to help me out!

Tim
