17th October 2008
#1
Senior Member
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
[InActive] W32.ircbot.gen
When I start up my laptop (Vista) my Symantec scan finds the W32.IRCBOT.GEN and says it needs to take action but seems unable to remove it. It appears to be resident in the task manager. What would be a good way to approach removal? I have run Spybot Search and Destroy and Adaware with no success. I am including a HJT log. One other thing, each time I start up I get a prompt asking me to install System Cleaner 5. I downloaded the trial version and did not like it so I uninstalled, but the prompt still comes up. I have checked Msconfig and did not find anything, so maybe that is in the HJT log as well. All I have to do is hit cancel and proceed, but it is a pain to deal with.
Thanks in advance for your kind consideration.
Jim in WV
Logfile of HijackThis v1.99.1
Scan saved at 9:52:26 AM, on 10/17/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\net.exe
C:\Windows\system32\net1.exe
C:\Windows\tskmgr.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
c:\Users\Jim LeMaster\Desktop\Downloads\Games\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TOSHIBA Volume Indicator] "C:\Program Files\Toshiba\Utilities\VolControl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Firewall] tskmgr.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms -help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psfus - C:\Windows\system32\psqlpwd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
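One line in the log above deserves a closer look: `O4 - HKLM\..\Run: [Windows Firewall] tskmgr.exe` is a bare filename labelled as a Windows security feature, one character away from `taskmgr.exe`, and the process list shows it running from `C:\Windows\tskmgr.exe` rather than from system32. The following Python is an added example (not from the thread or from HijackThis) that triages an HJT log for exactly those signs; the sample lines are copied from the log above, and the lookalike-name list and label list are illustrative assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99.1 format: a few lines copied from the log in
# the post above (most entries omitted) so the triage can run offline.
SAMPLE_HJT = r"""Running processes:
C:\Windows\tskmgr.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Windows Firewall] tskmgr.exe
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
"""

# "O4 - HKLM\..\Run: [label] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # any "Xn - " line ends the "Running processes:" list
# A file whose parent is the Windows directory itself, not system32 or another subfolder.
WINDOWS_ROOT_RE = re.compile(r"^(?:%windir%|%systemroot%|[a-z]:\\windows)\\[^\\]+$", re.IGNORECASE)
# Run-key labels that borrow the name of a built-in Windows security feature (illustrative).
SECURITY_LABELS = {"windows firewall", "windows defender", "windows update", "security center"}
# Core system binaries whose names get imitated with a one-character change (illustrative).
SYSTEM_NAMES = ["taskmgr.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"]


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line: unquoted, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or substituted character."""
    a, b = a.lower(), b.lower()
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            if len(a) > len(b):      # extra character in a: advance only i
                j -= 1
            elif len(a) < len(b):    # extra character in b: advance only j
                i -= 1
        i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def triage_hjt(text: str) -> Dict[str, List]:
    """Flag Run entries that deserve a closer look; list processes living in the Windows root."""
    running_in_root: List[str] = []
    flagged: List[dict] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not ENTRY_RE.match(line):
            if WINDOWS_ROOT_RE.match(line):
                running_in_root.append(line)
            continue
        in_processes = False
        m = O4_RE.match(line)
        if not m:
            continue
        name, exe = m.group("name"), executable_of(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if "\\" not in exe:
            reasons.append("bare filename: resolved via the search path at logon, not verifiable here")
        if WINDOWS_ROOT_RE.match(exe):
            reasons.append("executable sits directly under the Windows directory, not system32")
        lookalike = next((s for s in SYSTEM_NAMES if one_edit_away(base, s)), None)
        if lookalike:
            reasons.append(f"name is one character away from the system binary {lookalike}")
        if name.strip().lower() in SECURITY_LABELS and reasons:
            reasons.append(f"label {name!r} borrows a Windows security feature's name but points elsewhere")
        if reasons:
            # Cross-check against the process list: is a file of that name running from C:\Windows?
            running = {p.rsplit("\\", 1)[-1].lower() for p in running_in_root}
            flagged.append({"hive": m.group("hive"), "name": name, "exe": exe,
                            "severity": "high" if len(reasons) > 1 else "low",
                            "running_from_windows_root": base.lower() in running,
                            "reasons": reasons})
    return {"flagged": flagged, "running_in_windows_root": running_in_root}


if __name__ == "__main__":
    for entry in triage_hjt(SAMPLE_HJT)["flagged"]:
        print(f"[{entry['severity']}] [{entry['name']}] -> {entry['exe']}: " + "; ".join(entry["reasons"]))
```

A bare Toshiba entry such as `NDSTray.exe` is flagged low only because the log cannot show where it resolves; the `Windows Firewall` entry collects three independent reasons and is the one to confirm on disk.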
19th October 2008
#2
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
Hi Herd72,
We need to get a more detailed log and an updated version of HijackThis. The following will accomplish both.
Download RSIT by random/random and save it to your desktop. Double click RSIT.exe to start the tool.
At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
If prompted to allow RSIT to access the internet, please allow it.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Please post the contents of log.txt here in a new reply.
21st October 2008
#3
Senior Member
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Sorry it took me so long to get back to you. I was traveling and did not have internet access there. Here is the Combofix log.
Thanks for your response!
Jim in WV
ComboFix 08-10-19.04 - Jim LeMaster 2008-10-21 13:16:45.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1073 [GMT -4:00]
Running from: C:\Users\Jim LeMaster\Desktop\Utiltities\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\Jim LeMaster\AppData\Roaming\inst.exe
C:\Windows\system32\x64
C:\Windows\tskmgr.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.
2008-10-21 13:10 . 2008-10-21 13:10 3,775,064 --a------ C:\Windows\830.exe
2008-10-21 12:58 . 2008-10-21 12:58 3,775,064 --a------ C:\Windows\1794.exe
2008-10-17 15:19 . 2008-10-17 15:19 118 --a------ C:\Windows\System32\MRT.INI
2008-10-17 15:11 . 2008-09-17 22:03 2,027,520 --a------ C:\Windows\System32\win32k.sys
2008-10-17 15:11 . 2008-08-05 23:27 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-10-17 15:11 . 2008-08-05 23:27 428,032 --a------ C:\Windows\System32\EncDec.dll
2008-10-17 15:11 . 2008-08-05 23:27 292,352 --a------ C:\Windows\System32\psisdecd.dll
2008-10-17 15:11 . 2008-08-25 21:12 290,304 --a------ C:\Windows\System32\drivers\srv.sys
2008-10-17 15:11 . 2008-08-05 23:26 217,088 --a------ C:\Windows\System32\psisrndr.ax
2008-10-17 15:11 . 2008-08-05 23:26 177,152 --a------ C:\Windows\System32\mpg2splt.ax
2008-10-17 15:11 . 2008-08-05 23:26 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-10-17 15:11 . 2008-08-05 23:26 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-10-17 15:11 . 2008-08-05 23:26 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-10-17 15:09 . 2008-09-18 00:35 3,505,208 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-10-17 15:09 . 2008-09-18 00:35 3,470,904 --a------ C:\Windows\System32\ntoskrnl.exe
2008-10-17 15:01 . 2008-10-17 15:01 3,775,064 --a------ C:\Windows\3986.exe
2008-10-17 13:50 . 2008-10-17 13:50 3,775,064 --a------ C:\Windows\1954.exe
2008-10-17 13:49 . 2008-10-17 13:49 3,775,064 --a------ C:\Windows\3639.exe
2008-10-17 13:00 . 2008-10-17 13:00 3,775,064 --a------ C:\Windows\3599.exe
2008-10-17 09:48 . 2008-10-17 09:48 3,775,064 --a------ C:\Windows\3421.exe
2008-10-16 19:51 . 2008-10-16 20:17 <DIR> d-------- C:\Dad's Photos
2008-10-16 19:43 . 2008-10-16 19:43 3,775,064 --a------ C:\Windows\557.exe
2008-10-13 20:21 . 2008-10-13 20:21 3,775,064 --a------ C:\Windows\127.exe
2008-10-13 20:12 . 2008-10-13 20:12 3,775,064 --a------ C:\Windows\3318.exe
2008-10-13 15:19 . 2008-10-13 15:19 3,775,064 --a------ C:\Windows\3369.exe
2008-10-11 22:34 . 2008-10-11 22:57 <DIR> d-------- C:\M&M Wedding
2008-10-11 11:36 . 2008-10-11 11:36 3,775,064 --a------ C:\Windows\3024.exe
2008-10-11 09:29 . 2008-10-11 09:30 3,775,064 --a------ C:\Windows\4064.exe
2008-10-10 22:50 . 2008-10-10 22:50 3,775,064 --a------ C:\Windows\3885.exe
2008-10-09 22:04 . 2008-10-09 22:04 3,775,064 --a------ C:\Windows\2980.exe
2008-10-09 21:47 . 2008-10-09 21:47 3,775,064 --a------ C:\Windows\2087.exe
2008-10-09 10:08 . 2008-10-09 10:08 3,775,064 --a------ C:\Windows\728.exe
2008-10-08 13:55 . 2008-10-08 13:55 3,775,064 --a------ C:\Windows\3605.exe
2008-10-02 19:29 . 2008-10-02 19:29 3,775,064 --a------ C:\Windows\2737.exe
2008-09-30 21:32 . 2008-09-30 21:32 3,775,064 --a------ C:\Windows\3081.exe
2008-09-30 19:29 . 2008-09-30 19:29 <DIR> d-------- C:\Users\Jim LeMaster\AppData\Roaming\EleFun Games
2008-09-30 11:37 . 2008-09-30 11:37 3,775,064 --a------ C:\Windows\1611.exe
2008-09-29 20:42 . 2008-09-29 20:42 3,775,064 --a------ C:\Windows\3447.exe
2008-09-29 19:24 . 2008-09-29 19:24 3,775,064 --a------ C:\Windows\4721.exe
2008-09-29 16:36 . 2008-09-29 16:36 3,775,064 --a------ C:\Windows\4063.exe
2008-09-28 15:13 . 2008-09-28 15:13 3,775,064 --a------ C:\Windows\2264.exe
2008-09-28 13:38 . 2008-09-28 13:38 3,775,064 --a------ C:\Windows\4207.exe
2008-09-28 11:48 . 2008-09-28 11:48 3,775,064 --a------ C:\Windows\792.exe
2008-09-27 06:58 . 2008-09-27 06:58 3,775,064 --a------ C:\Windows\2406.exe
2008-09-26 18:56 . 2008-09-26 18:56 3,775,064 --a------ C:\Windows\2026.exe
2008-09-26 16:54 . 2008-09-26 16:54 3,775,064 --a------ C:\Windows\1553.exe
2008-09-26 13:59 . 2008-09-26 13:59 3,775,064 --a------ C:\Windows\3125.exe
2008-09-26 10:21 . 2008-09-26 10:21 3,775,064 --a------ C:\Windows\3927.exe
2008-09-25 19:09 . 2008-09-25 19:09 3,775,064 --a------ C:\Windows\2679.exe
2008-09-25 10:25 . 2008-09-25 10:25 3,775,064 --a------ C:\Windows\2527.exe
2008-09-25 08:21 . 2008-09-25 08:21 3,775,064 --a------ C:\Windows\116.exe
2008-09-24 23:22 . 2008-09-24 23:22 3,775,064 --a------ C:\Windows\2693.exe
2008-09-24 19:42 . 2008-09-24 19:42 3,775,064 --a------ C:\Windows\3726.exe
2008-09-24 17:19 . 2008-09-24 17:19 3,775,064 --a------ C:\Windows\1048.exe
2008-09-24 13:50 . 2008-09-24 13:50 3,775,064 --a------ C:\Windows\2161.exe
2008-09-24 11:59 . 2008-09-24 11:59 3,775,064 --a------ C:\Windows\4178.exe
2008-09-23 21:33 . 2008-09-23 21:33 3,775,064 --a------ C:\Windows\2306.exe
2008-09-23 19:01 . 2008-09-23 19:01 3,775,064 --a------ C:\Windows\3984.exe
2008-09-23 16:44 . 2008-09-23 16:44 3,775,064 --a------ C:\Windows\447.exe
2008-09-23 11:14 . 2008-09-23 11:14 3,775,064 --a------ C:\Windows\2965.exe
2008-09-22 22:38 . 2008-09-22 22:38 3,775,064 --a------ C:\Windows\4528.exe
2008-09-22 19:25 . 2008-09-22 19:25 3,775,064 --a------ C:\Windows\1351.exe
2008-09-22 12:06 . 2008-09-22 12:06 3,775,064 --a------ C:\Windows\69.exe
2008-09-21 21:26 . 2008-09-21 21:26 3,775,064 --a------ C:\Windows\2536.exe
2008-09-21 16:29 . 2008-09-21 16:29 3,775,064 --a------ C:\Windows\254.exe
2008-09-21 12:36 . 2008-09-21 12:36 3,775,064 --a------ C:\Windows\2001.exe
2008-09-21 10:13 . 2008-09-21 10:13 3,775,064 --a------ C:\Windows\371.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 19:58 --------- d-----w C:\Program Files\Windows Mail
2008-10-17 19:21 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-14 00:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-14 00:26 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-10-12 02:32 3,775,064 ----a-w C:\Windows\4107.exe
2008-10-09 14:31 --------- d-----w C:\Users\Jim LeMaster\AppData\Roaming\Vso
2008-10-02 03:49 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-09-29 21:35 --------- d-----w C:\Program Files\LimeWire
2008-09-29 21:30 --------- d-----w C:\Program Files\Frame Maker Pro
2008-09-28 11:37 3,775,064 ----a-w C:\Windows\2837.exe
2008-09-21 00:01 3,775,064 ----a-w C:\Windows\1750.exe
2008-09-20 15:58 --------- d-----w C:\Users\Jim LeMaster\AppData\Roaming\.starphone
2008-09-20 03:10 3,775,064 ----a-w C:\Windows\4529.exe
2008-09-20 02:04 3,775,064 ----a-w C:\Windows\3109.exe
2008-09-20 01:10 3,775,064 ----a-w C:\Windows\548.exe
2008-09-19 12:40 3,775,064 ----a-w C:\Windows\1725.exe
2008-09-19 11:37 3,775,064 ----a-w C:\Windows\643.exe
2008-09-19 02:37 --------- d-----w C:\Program Files\Common Files\Pointstone
2008-09-19 02:33 3,775,064 ----a-w C:\Windows\743.exe
2008-09-18 23:56 3,775,064 ----a-w C:\Windows\162.exe
2008-09-18 18:46 3,775,064 ----a-w C:\Windows\1806.exe
2008-09-18 13:56 3,775,064 ----a-w C:\Windows\727.exe
2008-09-18 02:44 3,775,064 ----a-w C:\Windows\1158.exe
2008-09-18 01:18 3,775,064 ----a-w C:\Windows\4029.exe
2008-09-17 20:36 3,775,064 ----a-w C:\Windows\4129.exe
2008-09-17 18:41 3,775,064 ----a-w C:\Windows\3673.exe
2008-09-17 18:40 3,775,064 ----a-w C:\Windows\1714.exe
2008-09-17 18:09 --------- d-----w C:\Program Files\FrostWire
2008-09-17 17:52 --------- d-----w C:\Users\Jim LeMaster\AppData\Roaming\FrostWire
2008-09-17 17:49 --------- d---a-w C:\ProgramData\TEMP
2008-09-09 23:49 --------- d-----w C:\Program Files\The Price Is Right
2008-09-09 23:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-09 23:44 --------- d-----w C:\Program Files\Nodtronics
2008-08-26 03:10 --------- d-----w C:\Program Files\Poster Forge
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-07-31 03:34 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:34 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:34 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-07-30 23:32 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-07-09 07:10 174 --sha-w C:\Program Files\desktop.ini
2008-01-12 01:34 47,360 ----a-w C:\Users\Jim LeMaster\AppData\Roaming\pcouffin.sys
2007-11-04 20:14 16,607,023 ----a-w C:\Program Files\Monopoly_Classic_v1.0.406_Thinstalled.rar
2006-12-01 00:41 262,144 ----a-w C:\ProgramData\ntuser.dat
2007-09-19 20:46 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-19 20:46 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-19 20:46 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 15:46 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 15:46 2854912 --a------ C:\Program Files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2006-07-20 151552]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-11-22 409264]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-11-28 52912]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2006-11-20 446128]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-11-29 523952]
"TOSHIBA Volume Indicator"="C:\Program Files\Toshiba\Utilities\VolControl.exe" [2006-10-30 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-24 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-24 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-24 129560]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NDSTray.exe"="NDSTray.exe" [BU]
C:\Users\Jim LeMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 15:34 52224 C:\Windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2945078278-320699333-1265183931-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{535A5CEB-1BB9-4A8A-93F2-2352D959AA4A}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B01F51DB-8620-4F20-9ED7-D2987E8BE7BE}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{C0811495-00E0-49DD-A7F5-8300FFFDC7EA}"= TCP :C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{0F896869-9B5E-4814-BBEA-4C98D86616FA}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{0C59AC63-5722-4A29-A859-886E6263729A}"= TCP :C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{A1E1563D-F338-477C-95C0-30A619F988F8}"= TCP :6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A78C4FF9-B948-4505-9399-9271587046E1}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{28F99DCF-E79F-4A8A-93BC-27334C5FDA71}"= TCP :C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C3A0C0FE-0E47-4A6E-A8F3-10771C67CECC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E0A63230-877C-4091-AECB-EE5938BF78EC}"= TCP :C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{79226944-8113-4AAB-BFB3-E18B1F6990A9}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:FrostWire
"{6284E5B1-A60E-4E72-ACD4-59C378C0F66B}"= TCP :C:\Program Files\FrostWire\FrostWire.exe:FrostWire
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
R3 BoiHwsetup;Access 32bits INT15 routine;C:\Windows\system32\drivers\BoiHwSetup.sys [2006-10-12 7680]
R3 qkbfiltr;Keyboard Filter Driver;C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-11-20 33792]
S3 wrssweep;Webroots Volume Access Driver;C:\Program Files\Webroot\Washer\wrssweep.sys [2007-11-26 21832]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Jim LeMaster\AppData\Roaming\Mozilla\Firefox\Profiles\ciwzanjs.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msn.com/|http://www.wvmat.com/|http://marshal...px?n=633720891
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 13:23:02
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-10-21 13:29:18 - machine was rebooted [Jim LeMaster]
ComboFix-quarantined-files.txt 2008-10-21 17:29:12
Pre-Run: 134,734,159,872 bytes free
Post-Run: 134,462,238,720 bytes free
255 --- E O F --- 2008-10-17 19:22:00
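The listing above shows the same 3,775,064-byte executable written into C:\Windows under a fresh numeric name several times a day for a month, a pattern better read as one payload dropped repeatedly than as dozens of unrelated files. As an added example, not part of the thread or of ComboFix, the Python below parses both ComboFix line formats (the two-timestamp "Files Created" lines and the one-timestamp Find3M lines) and groups numeric-named executables by folder and size so such a series stands out; the sample lines are copied from the log above, and the "numeric name" rule is an assumption drawn from it.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: a few lines copied from the ComboFix log in the post above, covering
# the "Files Created" format (two timestamps) and the Find3M format (one timestamp).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.
2008-10-21 13:10 . 2008-10-21 13:10 3,775,064 --a------ C:\Windows\830.exe
2008-10-21 12:58 . 2008-10-21 12:58 3,775,064 --a------ C:\Windows\1794.exe
2008-10-17 15:11 . 2008-09-17 22:03 2,027,520 --a------ C:\Windows\System32\win32k.sys
2008-10-17 15:01 . 2008-10-17 15:01 3,775,064 --a------ C:\Windows\3986.exe
2008-10-16 19:51 . 2008-10-16 20:17 <DIR> d-------- C:\Dad's Photos
2008-09-21 10:13 . 2008-09-21 10:13 3,775,064 --a------ C:\Windows\371.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 19:58 --------- d-----w C:\Program Files\Windows Mail
2008-10-12 02:32 3,775,064 ----a-w C:\Windows\4107.exe
2008-07-31 03:34 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-12 01:34 47,360 ----a-w C:\Users\Jim LeMaster\AppData\Roaming\pcouffin.sys
"""

# One listing line in either format: created [. modified] size attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>[\d,]+|<DIR>|-+) (?P<attrs>[\w-]+) (?P<path>.+)$")
# Purely numeric names such as 830.exe or 4107.exe, as seen throughout the log (assumed rule).
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def parse_entries(text: str) -> List[dict]:
    """Extract files (directories skipped) with creation time, size, folder and name."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or not m.group("size")[0].isdigit():
            continue  # not a listing line, or a directory / size-less entry
        folder, _, name = m.group("path").rpartition("\\")
        entries.append({"created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
                        "size": int(m.group("size").replace(",", "")),
                        "folder": folder, "name": name})
    return entries


def dropper_clusters(text: str, min_count: int = 3) -> List[dict]:
    """Group numeric-named executables by (folder, size); report groups of min_count or more."""
    groups: Dict[tuple, List[dict]] = defaultdict(list)
    for e in parse_entries(text):
        if NUMERIC_EXE_RE.match(e["name"]):
            groups[(e["folder"].lower(), e["size"])].append(e)
    clusters = []
    for (_, size), items in groups.items():
        if len(items) < min_count:
            continue
        times = sorted(i["created"] for i in items)
        clusters.append({"folder": items[0]["folder"], "size": size, "count": len(items),
                         "first": times[0].strftime("%Y-%m-%d %H:%M"),
                         "last": times[-1].strftime("%Y-%m-%d %H:%M"),
                         "span_days": (times[-1] - times[0]).days,
                         "names": sorted(i["name"] for i in items)})
    return sorted(clusters, key=lambda c: -c["count"])


if __name__ == "__main__":
    for c in dropper_clusters(SAMPLE_COMBOFIX):
        print(f"{c['count']} x {c['size']:,} bytes in {c['folder']} "
              f"between {c['first']} and {c['last']} ({c['span_days']} days)")
```

On the full log the same grouping would collect well over fifty entries for the one (folder, size) key, which is the figure to quote when deciding whether the machine is worth cleaning or rebuilding.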
22nd October 2008
#4
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
I'm confused. Why did you run ComboFix? I asked for an RSIT log.
Why have you turned off UAC? You realize that may well be a huge contributing factor to your current situation? By turning off UAC, you have given malware unrestricted access to your system. Add in the fact that you're using a P2P application (Limewire) and it's like begging for an infection. By the look of things, you've got it pretty bad too. Let's get to work on it.
Please download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.
Double click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select 'Perform Quick Scan', then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Post the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
22nd October 2008
#5
Senior Member
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Sorry for my incompetence and thanks for taking the time to answer! I did not realize that the UAC was even off. I kept hitting the link you posted and it kept taking me to the ComboFix program so I thought that was the right one. I think one of my sons ran the Limewire thing but they moved out a year ago and it has not been used since. I will need to uninstall that thing too. I will take the steps you outlined and post the new log.
Jim
22nd October 2008
#6
Senior Member
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Here are the results
The Malwarebytes did not seem to find anything and it never asked me to restart, so I am sending the log along with a fresh HijackThis.
Jim
Malwarebytes' Anti-Malware 1.29
Database version: 1304
Windows 6.0.6000
10/21/2008 11:15:02 PM
mbam-log-2008-10-21 (23-15-02).txt
Scan type: Quick Scan
Objects scanned: 47836
Time elapsed: 4 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 PM, on 10/21/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
c:\Users\Jim LeMaster\Desktop\Downloads\Games\New Folder\HijackThis.exe
c:\Users\Jim LeMaster\Desktop\Downloads\Previous Downloads Before Meadowcreek\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TOSHIBA Volume Indicator] "C:\Program Files\Toshiba\Utilities\VolControl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms -help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psfus - C:\Windows\system32\psqlpwd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
22nd October 2008
#7
Senior Member
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Finally got the RSIT to work!
Here is the other log you first requested. Sorry again for the confusion.
Jim
Logfile of random's system information tool 1.04 (written by random/random)
Run by Jim LeMaster at 2008-10-21 23:22:12
Microsoft® Windows Vista™ Home Premium
System drive C: has 128 GB (67%) free of 189 GB
Total RAM : 2038 MB (51% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:19 PM, on 10/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\000 Downloads Summer 000\RSIT.exe
C:\Program Files\trend micro\Jim LeMaster.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TOSHIBA Volume Indicator] "C:\Program Files\Toshiba\Utilities\VolControl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7724 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-27 815104]
"NDSTray.exe"=NDSTray.exe []
"PINGER"=C:\TOSHIBA\IVP\ISM\pinger.exe [2006-07-20 151552]
"TPwrMain"=C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [2006-11-22 409264]
"HSON"=C:\Program Files\TOSHIBA\TBS\HSON.exe [2006-11-28 52912]
"SmoothView"=C:\Program Files\Toshiba\SmoothView\SmoothView.exe [2006-11-20 446128]
"00TCrdMain"=C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [2006-11-29 523952]
"TOSHIBA Volume Indicator"=C:\Program Files\Toshiba\Utilities\VolControl.exe [2006-10-30 94208]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-22 107112]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-11-28 134808]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-08-24 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-08-24 154136]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-08-24 129560]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-10-16 398992]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2006-11-02 125440]
C:\Users\Jim LeMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-08-24 204800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
C:\Windows\system32\psqlpwd.dll [2006-11-06 52224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
psqlpwd
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\TOSHIBA\ivp\NetInt\Netint.exe"="C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\TOSHIBA\Ivp\ISM\pinger.exe"="C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - open - C:\Corel\Suite8\Programs\CCWin\Cscape.exe
======List of files/folders created in the last 1 months======
2008-10-21 23:22:12 ----D---- C:\rsit
2008-10-21 23:22:12 ----D---- C:\Program Files\trend micro
2008-10-21 23:08:44 ----D---- C:\Users\Jim LeMaster\AppData\Roaming\Malwarebytes
2008-10-21 23:08:38 ----D---- C:\ProgramData\Malwarebytes
2008-10-21 23:08:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 14:24:00 ----D---- C:\ProgramData\HipSoft
2008-10-21 13:29:19 ----A---- C:\ComboFix.txt
2008-10-21 13:20:08 ----A---- C:\Windows\PSEXESVC.EXE
2008-10-21 13:19:59 ----D---- C:\Windows\temp
2008-10-21 13:10:48 ----A---- C:\Windows\830.exe
2008-10-21 12:58:12 ----A---- C:\Windows\1794.exe
2008-10-17 15:19:50 ----A---- C:\Windows\system32\MRT.INI
2008-10-17 15:11:39 ----A---- C:\Windows\system32\EncDec.dll
2008-10-17 15:11:38 ----A---- C:\Windows\system32\psisdecd.dll
2008-10-17 15:11:38 ----A---- C:\Windows\system32\mcmde.dll
2008-10-17 15:09:57 ----A---- C:\Windows\system32\ntoskrnl.exe
2008-10-17 15:09:57 ----A---- C:\Windows\system32\ntkrnlpa.exe
2008-10-17 15:08:51 ----A---- C:\Windows\system32\mshtml.dll
2008-10-17 15:08:49 ----A---- C:\Windows\system32\ieframe.dll
2008-10-17 15:08:47 ----A---- C:\Windows\system32\urlmon.dll
2008-10-17 15:08:46 ----A---- C:\Windows\system32\wininet.dll
2008-10-17 15:08:46 ----A---- C:\Windows\system32\mshtmled.dll
2008-10-17 15:08:46 ----A---- C:\Windows\system32\iertutil.dll
2008-10-17 15:08:46 ----A---- C:\Windows\system32\dxtmsft.dll
2008-10-17 15:08:45 ----A---- C:\Windows\system32\mstime.dll
2008-10-17 15:08:45 ----A---- C:\Windows\system32\ieapfltr.dll
2008-10-17 15:08:45 ----A---- C:\Windows\system32\dxtrans.dll
2008-10-17 15:08:45 ----A---- C:\Windows\system32\advpack.dll
2008-10-17 15:08:44 ----A---- C:\Windows\system32\jsproxy.dll
2008-10-17 15:08:44 ----A---- C:\Windows\system32\ieUnatt.exe
2008-10-17 15:08:44 ----A---- C:\Windows\system32\ieui.dll
2008-10-17 15:08:44 ----A---- C:\Windows\system32\iesetup.dll
2008-10-17 15:08:44 ----A---- C:\Windows\system32\iernonce.dll
2008-10-17 15:08:44 ----A---- C:\Windows\system32\ie4uinit.exe
2008-10-17 15:08:44 ----A---- C:\Windows\system32\icardie.dll
2008-10-17 15:08:43 ----A---- C:\Windows\system32\pngfilt.dll
2008-10-17 15:01:54 ----A---- C:\Windows\3986.exe
2008-10-17 13:50:05 ----A---- C:\Windows\1954.exe
2008-10-17 13:49:19 ----A---- C:\Windows\3639.exe
2008-10-17 13:32:35 ----A---- C:\Windows\NIRCMD.exe
2008-10-17 13:32:34 ----A---- C:\Windows\zip.exe
2008-10-17 13:32:34 ----A---- C:\Windows\VFIND.exe
2008-10-17 13:32:34 ----A---- C:\Windows\SWXCACLS.exe
2008-10-17 13:32:34 ----A---- C:\Windows\SWSC.exe
2008-10-17 13:32:34 ----A---- C:\Windows\SWREG.exe
2008-10-17 13:32:34 ----A---- C:\Windows\sed.exe
2008-10-17 13:32:34 ----A---- C:\Windows\grep.exe
2008-10-17 13:32:34 ----A---- C:\Windows\fdsv.exe
2008-10-17 13:31:11 ----D---- C:\Windows\ERDNT
2008-10-17 13:31:11 ----D---- C:\Qoobox
2008-10-17 13:00:47 ----A---- C:\Windows\3599.exe
2008-10-17 09:48:25 ----A---- C:\Windows\3421.exe
2008-10-16 19:51:08 ----D---- C:\Dad's Photos
2008-10-16 19:43:52 ----A---- C:\Windows\557.exe
2008-10-13 20:21:32 ----A---- C:\Windows\127.exe
2008-10-13 20:12:12 ----A---- C:\Windows\3318.exe
2008-10-13 15:19:59 ----A---- C:\Windows\3369.exe
2008-10-11 22:34:51 ----D---- C:\M&M Wedding
2008-10-11 11:36:03 ----A---- C:\Windows\3024.exe
2008-10-11 09:29:58 ----A---- C:\Windows\4064.exe
2008-10-10 22:50:35 ----A---- C:\Windows\3885.exe
2008-10-09 22:04:17 ----A---- C:\Windows\2980.exe
2008-10-09 21:47:32 ----A---- C:\Windows\2087.exe
2008-10-09 10:08:17 ----A---- C:\Windows\728.exe
2008-10-08 13:55:55 ----A---- C:\Windows\3605.exe
2008-10-02 19:29:37 ----A---- C:\Windows\2737.exe
2008-09-30 21:32:49 ----A---- C:\Windows\3081.exe
2008-09-30 19:29:13 ----D---- C:\Users\Jim LeMaster\AppData\Roaming\EleFun Games
2008-09-30 11:37:12 ----A---- C:\Windows\1611.exe
2008-09-29 20:42:14 ----A---- C:\Windows\3447.exe
2008-09-29 19:24:19 ----A---- C:\Windows\4721.exe
2008-09-29 16:36:09 ----A---- C:\Windows\4063.exe
2008-09-28 15:13:27 ----A---- C:\Windows\2264.exe
2008-09-28 13:38:33 ----A---- C:\Windows\4207.exe
2008-09-28 11:48:49 ----A---- C:\Windows\792.exe
2008-09-27 06:58:25 ----A---- C:\Windows\2406.exe
2008-09-26 18:56:55 ----A---- C:\Windows\2026.exe
2008-09-26 16:54:00 ----A---- C:\Windows\1553.exe
2008-09-26 13:59:12 ----A---- C:\Windows\3125.exe
2008-09-26 10:21:57 ----A---- C:\Windows\3927.exe
2008-09-25 19:09:37 ----A---- C:\Windows\2679.exe
2008-09-25 10:25:25 ----A---- C:\Windows\2527.exe
2008-09-25 08:21:32 ----A---- C:\Windows\116.exe
2008-09-24 23:22:30 ----A---- C:\Windows\2693.exe
2008-09-24 19:42:16 ----A---- C:\Windows\3726.exe
2008-09-24 17:19:16 ----A---- C:\Windows\1048.exe
2008-09-24 13:50:48 ----A---- C:\Windows\2161.exe
2008-09-24 11:59:02 ----A---- C:\Windows\4178.exe
2008-09-23 21:33:14 ----A---- C:\Windows\2306.exe
2008-09-23 19:01:08 ----A---- C:\Windows\3984.exe
2008-09-23 16:44:20 ----A---- C:\Windows\447.exe
2008-09-23 11:14:46 ----A---- C:\Windows\2965.exe
2008-09-22 22:38:58 ----A---- C:\Windows\4528.exe
2008-09-22 19:25:28 ----A---- C:\Windows\1351.exe
2008-09-22 12:06:17 ----A---- C:\Windows\69.exe
======List of files/folders modified in the last 1 months======
2008-10-21 23:22:12 ----RD---- C:\Program Files
2008-10-21 23:08:43 ----D---- C:\Windows\system32\drivers
2008-10-21 23:08:38 ----HD---- C:\ProgramData
2008-10-21 23:02:57 ----D---- C:\000 Downloads Summer 000
2008-10-21 22:42:50 ----AD---- C:\Windows\System32
2008-10-21 22:42:49 ----D---- C:\Windows\inf
2008-10-21 22:42:49 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-10-21 20:22:41 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-10-21 13:23:00 ----D---- C:\Windows
2008-10-21 13:23:00 ----A---- C:\Windows\system.ini
2008-10-21 13:20:37 ----SHD---- C:\Boot
2008-10-21 13:20:37 ----D---- C:\Windows\system32\config
2008-10-21 13:19:04 ----D---- C:\Windows\AppPatch
2008-10-21 13:19:04 ----D---- C:\Program Files\Common Files
2008-10-21 13:16:02 ----D---- C:\Windows\system32\en-US
2008-10-21 13:06:30 ----SHD---- C:\System Volume Information
2008-10-17 16:02:20 ----D---- C:\Windows\Microsoft.NET
2008-10-17 16:01:49 ----D---- C:\Windows\winsxs
2008-10-17 16:01:41 ----D---- C:\Windows\system32\catroot
2008-10-17 15:58:23 ----D---- C:\Windows\ehome
2008-10-17 15:58:21 ----D---- C:\Program Files\Windows Mail
2008-10-17 15:58:19 ----D---- C:\Windows\system32\migration
2008-10-17 15:58:19 ----D---- C:\Program Files\Internet Explorer
2008-10-17 15:21:59 ----SHD---- C:\Windows\Installer
2008-10-17 15:21:41 ----D---- C:\ProgramData\Microsoft Help
2008-10-17 15:10:34 ----D---- C:\Windows\system32\catroot2
2008-10-13 20:27:05 ----D---- C:\Windows\Prefetch
2008-10-13 20:27:04 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-11 22:32:29 ----A---- C:\Windows\4107.exe
2008-10-09 10:31:27 ----D---- C:\Users\Jim LeMaster\AppData\Roaming\Vso
2008-10-07 15:19:40 ----A---- C:\Windows\system32\mrt.exe
2008-09-29 17:35:29 ----D---- C:\Program Files\LimeWire
2008-09-29 17:30:02 ----D---- C:\Program Files\Frame Maker Pro
2008-09-28 07:37:38 ----A---- C:\Windows\2837.exe
2008-09-26 20:42:08 ----A---- C:\Windows\win.ini
2008-09-25 23:35:39 ----D---- C:\MyFiles
2008-09-25 08:23:10 ----D---- C:\Program Files\Mozilla Firefox
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2008-09-05 371248]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2006-10-06 406672]
R1 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2006-11-22 247144]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2006-11-22 25448]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2006-10-26 185744]
R2 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2007-02-28 15440]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 AnyDVD;AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [2007-03-15 77000]
R3 BoiHwsetup;Access 32bits INT15 routine; C:\Windows\system32\drivers\BoiHwSetup.sys [2006-10-12 7680]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2007-11-20 14208]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-05 99376]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDART.sys [2006-11-17 145920]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-09 987648]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-10-09 206336]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20080929.003\NAVENG.SYS [2008-08-25 89104]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20080929.003\NAVEX15.SYS [2008-08-25 873552]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2008-01-11 47360]
R3 qkbfiltr;Keyboard Filter Driver; C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-11-20 33792]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2007-10-15 82432]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2007-10-28 109744]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2006-10-26 26384]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-10-27 179896]
R3 TcUsb;TC USB Kernel Driver; C:\Windows\System32\Drivers\tcusb.sys [2006-11-06 39056]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 16128]
R3 tifm21;tifm21; C:\Windows\system32\drivers\tifm21.sys [2006-07-06 168448]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-09 657920]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2007-11-20 11264]
S1 Tosrfcom;Tosrfcom; C:\Windows\system32\drivers\Tosrfcom.sys [2005-08-01 64896]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 1899008]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-10-30 1786880]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2006-11-22 274328]
S3 tosrfec;Bluetooth ACPI; C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 9216]
S3 wrssweep;Webroots Volume Access Driver; \??\C:\Program Files\Webroot\Washer\wrssweep.sys [2007-11-26 21832]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S4 KR10I;KR10I; C:\Windows\system32\drivers\kr10i.sys [2006-02-14 216320]
S4 KR10N;KR10N; C:\Windows\system32\drivers\kr10n.sys [2005-09-27 207104]
S4 KR3NPXP;KR3NPXP; C:\Windows\system32\drivers\kr3npxp.sys [2006-09-27 479488]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2006-11-22 107624]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2006-11-15 40960]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2006-11-28 30872]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R2 Swupdtmr;Swupdtmr; c:\Toshiba\IVP\swupdate\swupdtmr.exe [2006-07-20 40960]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2006-11-28 1962136]
R2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\Windows\system32\TODDSrv.exe [2006-05-25 114688]
R2 TosCoSrv;TOSHIBA Power Saver; C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe [2006-11-22 425648]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2006-11-01 77824]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2006-08-23 49152]
R2 wwEngineSvc;Window Washer Engine; C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 598856]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-10-31 2541248]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
-----------------EOF-----------------
22nd October 2008
#8
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
Please do an online scan with Kaspersky Online Scanner
Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Post the Kaspersky log and one more fresh HijackThis log.
22nd October 2008
#9
Senior Member
Profile:
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Scanning now - will post log asap. The reason I could not get the RSIT thing going was the downloads were saving to a different folder and I did not find it for a while. I had downloaded it numerous times but was looking in the wrong folder.
22nd October 2008
#10
Senior Member
Profile:
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Finally finished!
Here is the log from the Kaspersky Online Scanner
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 22, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 22, 2008 12:51:25
Records in database: 1334864
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 136085
Threat name: 7
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 04:19:32
File name / Threat name / Threats count
C:\000 Downloads Summer 000\April -May 08\Evidence_Eliminator_6.01.rar Infected: Backdoor.Win32.Bifrose.xzl 1
C:\000 Downloads Summer 000\April -May 08\July 08\Turbo_Subs.rar Infected: Trojan-Downloader.Win32.Agent.aefp 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980028.VBN Infected: Trojan.Win32.Delf.bps 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980029.VBN Infected: Trojan.Win32.Delf.bps 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C98002D.VBN Infected: not-a-virus:FraudTool.Win32.SpyKill.b 2
C:\Qoobox\Quarantine\C\Windows\tskmgr.exe.vir Infected: Trojan-Dropper.Win32.Delf.byv 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980028.VBN Infected: Trojan.Win32.Delf.bps 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C980029.VBN Infected: Trojan.Win32.Delf.bps 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C98002D.VBN Infected: not-a-virus:FraudTool.Win32.SpyKill.b 2
C:\Users\Jim LeMaster\Desktop\Downloads\Hidden Objects Games\Archipelago.rar Infected: Trojan-Downloader.Win32.Agent.ahwl 1
C:\Users\Jim LeMaster\Desktop\Downloads\Retired Downloads\DVD TOOLS\Nero-8.1.1.0b_eng_trial(2).exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1
C:\Users\Jim LeMaster\Desktop\Downloads\Retired Downloads\DVD TOOLS\Nero-8.1.1.0b_eng_trial.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bm 1
The selected area was scanned.
22nd October 2008
#11
Senior Member
Profile:
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Here is the best that I could do on the HJT logfile. When I ran HJT I got an error message saying that the system was denying access to write to the log files. Anyway, this is what it gave me, and I hope it is complete.
Jim
Logfile of HijackThis v1.99.1
Scan saved at 3:22:17 PM, on 10/22/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Users\Jim LeMaster\Desktop\Downloads\Previous Downloads Before Meadowcreek\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [TOSHIBA Volume Indicator] "C:\Program Files\Toshiba\Utilities\VolControl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms -help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psfus - C:\Windows\system32\psqlpwd.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
26th October 2008
#12
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
Sorry for the delayed response Jim. I've been on the road the past couple of days.
Please delete the following infected files.
C:\000 Downloads Summer 000\April -May 08\Evidence_Eliminator_6.01.rar
C:\000 Downloads Summer 000\April -May 08\July 08\Turbo_Subs.rar
C:\Users\Jim LeMaster\Desktop\Downloads\Hidden Objects Games\Archipelago.rar
Open your Norton Antivirus interface and remove all quarantined items.
Empty the recycle bin.
You have quite a number of files in the C:\Windows folder that are similar to the ones listed below.
C:\Windows\830.exe
C:\Windows\1794.exe
C:\Windows\3986.exe
C:\Windows\1954.exe
They are all 3,775,064 bytes in size, which is approximately 3,686 KB or 3.6 MB. They appear very suspicious and I'd like to get some samples for analysis. Please upload 3 or 4 of those to my submission channel by first clicking Browse, then, after selecting a file, clicking Send File. Leave a link back to this topic please. Thanks!
Have you re-enabled UAC yet? Do you need instructions for doing so?
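A way to confirm the observation above before submitting samples, as an added example and not something posted in this thread: the script below lists the numerically named executables at the top level of C:\Windows, groups them by size and hashes each one, so a batch of identical installers shows up as one size with one distinct hash. It assumes PowerShell 2.0 or later run from an elevated prompt; $Root and $Pattern are placeholders chosen for this illustration.

```powershell
# Added triage example (not from the thread): find files like 830.exe or 1794.exe
# directly under C:\Windows, group them by size and hash them, so that a pile of
# identical drops (the thread's 3,775,064-byte installers) is recognised as one
# artifact and the oldest copy can be picked as the sample to submit.
# Assumptions: PowerShell 2.0+, elevated prompt; $Root/$Pattern are placeholders.
param(
    [string]$Root    = 'C:\Windows',
    [string]$Pattern = '^\d+\.exe$'   # purely numeric name plus .exe
)

$sha = [System.Security.Cryptography.SHA256]::Create()

# Top level only, matching where the thread found the files; no recursion.
$hits = Get-ChildItem -Path $Root -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $Pattern } |
    ForEach-Object {
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try {
            $digest = $sha.ComputeHash($stream)
            $hash   = ([System.BitConverter]::ToString($digest)) -replace '-', ''
        } finally {
            $stream.Close()
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            Size      = $_.Length
            SHA256    = $hash
            LastWrite = $_.LastWriteTime
        }
    }

if (-not $hits) {
    "No files matching $Pattern found directly under $Root."
    return
}

# One size with one distinct hash means every copy is byte-identical, i.e. the
# same installer written many times rather than many different binaries.
$hits | Group-Object Size | ForEach-Object {
    $distinct = ($_.Group | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique).Count
    "{0} file(s) of {1} bytes, {2} distinct SHA256 value(s)" -f $_.Count, $_.Name, $distinct
}

# Full listing, oldest first, so the earliest drop is easy to pick as the sample.
$hits | Sort-Object LastWrite | Format-Table Name, Size, LastWrite, SHA256 -AutoSize
```

Submit the hashes alongside the files so the analyst can match the uploaded samples to what was found on disk.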
26th October 2008
#13
Senior Member
Profile:
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
I deleted the files as you said and emptied the Norton Quarantine. Good grief, there are about 50 of those files; they look like applications and are from Pointstone. That was the program that kept trying to get me to install it (System Cleaner 5). I had a friend that used the Pointstone Shredder (shareware) and I downloaded it to my other computer and have used it for a couple of years with zero issues to shred school documents. My wife is a teacher. The problem started when I downloaded the trial version of System Cleaner 5 and did not like it and uninstalled it. It kept trying to get me to reinstall it on each bootup. I am submitting those files to your submission channel now.
Jim
26th October 2008
#14
Staff
Profile:
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,521
Computer Experience: ~@<*+
They are all installers for System Cleaner 5. Delete them. Let me know if any return after a couple of reboots and some use.
26th October 2008
#15
Senior Member
Profile:
Join Date: Jun 2004
Location: West Virginia
Posts: 99
Computer Experience: intermediate
Will do. I have also enabled the UAC again.
Thanks for the help and quick reply.
Jim
I also deleted the Vista shadow copies of the files. I will get rid of the Limewire my son left on there as well.