Virtumonde infection :( need help ASAP



enzoks
2007-09-06, 13:04
Infected by that damned Virtumonde.


Here's the HJT log:

----------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:02:29 PM, on 7/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\DOCUME~1\enzok\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\enzok\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.au.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0366D1C0-A093-483F-9FA9-5AEBC61972D6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Rtfoeoop\cortyipe.dll
O2 - BHO: (no name) - {435D08DD-665E-474F-B977-5EE75A2BDCB2} - C:\WINDOWS\system32\tuvsssr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98432E21-E3FC-4ECB-ABB4-2B856639A54F} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C28D8920-8D7C-4EEF-B708-25A6F524395A} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {DBEDBBB5-ED5E-40FF-A0A5-F99FA101825B} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [urijkxeb] rundll32.exe "C:\Program Files\urijkxeb\izurwrqx.dll",Init
O4 - HKLM\..\Run: [qjklmtyv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [jgjinevk] rundll32.exe "C:\Program Files\ebazobyr\alivinqf.dll",Init
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\Updater.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13844 bytes


--------------------------------

thanks, Enzo
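As an added example (written for this page, not code from the thread or from the HijackThis or ComboFix authors): a small Python triage script for the O2, O4 and O20 lines of an HJT log like the one above. The sample lines are copied from the posted log; the flagging heuristics (missing-file markers, unnamed BHOs, rundll32 `,Init` loaders, regsvr32 in a Run key, a rundll32.exe copy outside the Windows directory) are this example's own assumptions about what merits a closer look, not a detection rule from either tool.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of the thread: parses O2 (BHO), O4 (Run key) and
O20 (Winlogon Notify) lines and flags patterns that stand out in the log
above. The heuristics are this example's own, not HijackThis's, and a flag
is a reason to look closer, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HJT log posted in this thread,
# plus two clean entries (Adobe, Synaptics) the checks should leave alone.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Rtfoeoop\cortyipe.dll",
    r"O2 - BHO: (no name) - {435D08DD-665E-474F-B977-5EE75A2BDCB2} - C:\WINDOWS\system32\tuvsssr.dll (file missing)",
    r"O2 - BHO: (no name) - {7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12} - (no file)",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r'O4 - HKLM\..\Run: [urijkxeb] rundll32.exe "C:\Program Files\urijkxeb\izurwrqx.dll",Init',
    r'O4 - HKLM\..\Run: [qjklmtyv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll"',
    r'O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb',
    r"O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)",
])

# One regex per HJT section we know how to read; other sections are skipped.
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
}

MISSING_MARKERS = ("(no file)", "(file missing)")       # HJT's own wording for orphaned entries
INIT_LOADER = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,init\b')
RUNDLL_PATH = re.compile(r'([a-z]:\\[^"]*\\)rundll32\.exe')


@dataclass
class Entry:
    section: str           # "O2", "O4" or "O20"
    name: str              # BHO display name, Run value name, or notify key
    path: str              # file path or command line exactly as logged
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return an Entry for every O2/O4/O20 line; anything else is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        pattern = LINE_PATTERNS.get(line.split(" ", 1)[0])
        if pattern is None:
            continue
        m = pattern.match(line)
        if m is None:
            continue        # e.g. "O4 - Global Startup:" has a different shape
        entries.append(Entry(m.re.pattern[1:m.re.pattern.index(" ")], m.group("name"), m.group("path")))
    return entries


def triage(entry):
    """Attach this example's heuristic flags to one entry and return them."""
    low = entry.path.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        entry.flags.append("orphaned: registry entry points at a file that is gone")
    elif entry.section == "O2" and entry.name == "(no name)":
        entry.flags.append("unnamed BHO loading a DLL that is present on disk")
    if entry.section == "O4":
        if INIT_LOADER.search(low):
            entry.flags.append("rundll32 loading a DLL via an exported Init routine")
        if low.startswith("regsvr32"):
            entry.flags.append("regsvr32 run from a logon key (regsvr32 /u unregisters a DLL)")
        m = RUNDLL_PATH.search(low)
        if m and "\\windows\\" not in m.group(1):
            entry.flags.append("rundll32.exe copy outside the Windows directory")
    return entry.flags


def flagged_entries(text):
    """Parse the log and return only the entries that picked up a flag."""
    return [e for e in parse_log(text) if triage(e)]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:<4} [{e.name}] {e.path}")
        for f in e.flags:
            print(f"       -> {f}")
```

Running it prints the seven flagged entries with their reasons and leaves the Adobe and Synaptics lines alone. It only understands the three line shapes it has patterns for; O23 services and Global Startup shortcuts are skipped rather than guessed at.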

Blade81
2007-09-06, 23:40
Hi Enzo


1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

enzoks
2007-09-07, 12:01
OK, I ran ComboFix. Here's the log.
HJT log follows in next post.


-----------------------------------------------------


ComboFix 07-08-30.3 - "enzok" 2007-09-08 18:50:16.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1553 [GMT 10:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\d.exe
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.tmp
C:\WINDOWS\system32\dboyrsee.dll
C:\WINDOWS\system32\gsvkdqdk.exe
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\ptpjghcu.ini
C:\WINDOWS\System32\qmfehakg.exe
C:\WINDOWS\system32\qmolgokb.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\uchgjptp.dll
C:\WINDOWS\system32\wmmpfgyc.exe
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_LANMANDRV
-------\DomainService
-------\lanmandrv
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))


2007-09-08 18:55 705 --a------ C:\d.exe
2007-09-08 18:54 75,328 --a------ C:\WINDOWS\system32\ksecckmy.exe
2007-09-08 18:54 724 --a------ C:\WINDOWS\system32\qmopt.dll
2007-09-08 18:54 714,399 ---hs---- C:\WINDOWS\system32\cdeeg.bak1
2007-09-08 18:54 55,516 --a------ C:\WINDOWS\system32\xpdx.sys
2007-09-07 18:57 <DIR> d---s---- C:\DOCUME~1\enzok\UserData
2007-09-07 18:30 <DIR> d--hs---- C:\FOUND.001
2007-09-07 17:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-07 17:40 89,664 --a------ C:\WINDOWS\system32\lparwgts.exe
2007-09-07 17:27 <DIR> d-------- C:\VundoFix Backups
2007-09-07 17:04 137,216 --a------ C:\jcsnyyk.exe
2007-09-07 16:58 <DIR> d--hs---- C:\FOUND.000
2007-09-06 21:31 <DIR> d-------- C:\DOCUME~1\enzok\APPLIC~1\Design Science
2007-09-06 21:30 <DIR> d-------- C:\Program Files\MathType
2007-09-05 18:53 <DIR> d-------- C:\Program Files\ebazobyr
2007-09-05 18:40 15,640 --a------ C:\rmgovfi.exe
2007-09-05 18:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-05 18:07 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-05 18:07 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-05 18:07 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-09-05 17:05 71,680 --a------ C:\msceqkix.exe
2007-09-04 21:50 671 --a------ C:\WINDOWS\mozver.dat
2007-09-04 13:49 244,832 --a------ C:\WINDOWS\system32\geedc.dll
2007-09-04 10:23 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-09-04 10:18 <DIR> d-------- C:\Program Files\MSBuild
2007-09-04 10:18 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-04 10:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-04 10:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-04 10:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-09-04 10:11 <DIR> dr-h----- C:\MSOCache
2007-09-04 10:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-04 10:07 <DIR> d-------- C:\Program Files\Symantec
2007-09-04 10:06 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-04 10:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-03 17:58 <DIR> d-------- C:\WINDOWS\system32\wowrlegl
2007-09-03 17:58 <DIR> d-------- C:\Program Files\Rtfoeoop
2007-09-03 17:16 <DIR> d-------- C:\Program Files\urijkxeb
2007-09-02 01:04 29,696 --a------ C:\WINDOWS\mickey32.dll
2007-09-01 12:51 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-09-01 12:51 <DIR> d-------- C:\Program Files\Soulseek
2007-09-01 11:14 <DIR> d-------- C:\Temp
2007-09-01 11:13 <DIR> d-------- C:\Program Files\UMod Browser
2007-08-25 23:34 <DIR> d-------- C:\DOCUME~1\enzok\APPLIC~1\Apple Computer
2007-08-25 20:21 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-18 17:29 196,608 --a------ C:\WINDOWS\unvise32.exe
2007-08-18 17:29 0 --a------ C:\WINDOWS\PowerReg.dat
2007-08-17 16:27 <DIR> d-------- C:\DOCUME~1\enzok\WINDOWS
2007-08-17 10:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-06 22:37 9041 --a------ C:\WINDOWS\system32\iefpmod.dll
2007-09-06 22:37 49 --a------ C:\WINDOWS\system32\ierql.dll
2007-09-06 22:37 4 --a------ C:\WINDOWS\system32\iebudata.dll
2007-09-06 22:37 32 --a------ C:\WINDOWS\system32\iesc.dll
2007-09-06 22:37 302 --a------ C:\WINDOWS\system32\iehrdata.dll
2007-09-06 22:37 105 --a------ C:\WINDOWS\system32\qshl.dll
2007-09-05 17:50 69927 --a------ C:\Program Files\setup.exe
2007-08-05 21:26 --------- d-------- C:\Program Files\Skype
2007-08-05 21:26 --------- d-------- C:\Program Files\Common Files\Skype
2007-08-05 21:26 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\Skype
2007-08-05 21:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-08-02 20:06 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-29 22:34 --------- d-------- C:\Program Files\Google
2007-07-29 01:56 --------- d-------- C:\Program Files\Common Files\NSV
2007-07-26 18:31 --------- d-------- C:\Program Files\DebugMode
2007-07-22 15:10 --------- d-------- C:\Program Files\uTorrent
2007-07-22 15:10 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\uTorrent
2007-07-21 14:51 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-20 02:30 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\AdobeUM
2007-07-14 23:23 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\Canon
2007-07-14 14:13 445440 --a------ C:\WINDOWS\system32\ss2uinst.exe
2007-07-12 22:10 --------- d-------- C:\Program Files\QuickTime
2007-07-12 22:10 --------- d-------- C:\Program Files\Apple Software Update
2007-07-12 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-12 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-12 18:30 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-07-12 17:46 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-12 17:45 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-10 18:57 --------- d-------- C:\Program Files\VTFEdit
2007-07-10 18:57 --------- d-------- C:\Program Files\VTF Shell Extensions
2007-07-10 17:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-07-10 16:39 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\uk.co.planetside
2007-07-10 15:49 --------- d-------- C:\Program Files\Terragen
2007-07-10 09:06 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\CyberLink
2007-07-10 08:53 --------- d-------- C:\Program Files\WIDCOMM
2007-07-10 01:29 --------- d-------- C:\Program Files\GCFScape
2007-07-10 00:25 --------- d-------- C:\Program Files\Steam
2007-07-09 19:22 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\WinRAR
2007-07-09 19:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-09 19:04 --------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-09 18:29 --------- d-------- C:\Program Files\Windows Live
2007-07-09 18:29 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-09 18:28 --------- d-------- C:\Program Files\MSN Messenger
2007-07-09 18:10 --------- d-------- C:\Program Files\Last.fm
2007-07-09 17:43 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-09 17:38 --------- d-------- C:\Program Files\Winamp
2007-07-09 16:33 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\vlc
2007-07-09 16:32 --------- d-------- C:\Program Files\VideoLAN
2007-07-09 15:01 9 --a------ C:\WINDOWS\HotFix.bat
2007-07-09 15:01 888 --a------ C:\WINDOWS\CLEANUP.CMD


((((((((((((((((((((((((((((( snapshot_2007-09-07_174957.51 )))))))))))))))))))))))))))))))))))))))))

------w 32,768 2007-09-08 08:53:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 32,768 2007-09-08 08:53:42 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 7,168 2007-09-08 08:54:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WJOLE3Y1\adv735[1].exe
----a-w 138,240 2007-09-08 08:54:34 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZO1WV2J4\dl[1].exe
------w 16,384 2007-09-08 08:53:42 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 16,384 2007-09-08 08:54:14 C:\WINDOWS\Temp\Perflib_Perfdata_890.dat
----a-w 16,384 2007-09-08 07:48:18 C:\WINDOWS\Temp\Perflib_Perfdata_c20.dat

------w 32,768 2007-09-07 07:47:08 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 32,768 2007-09-07 07:47:08 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 7,168 2007-09-07 07:00:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WJOLE3Y1\adv735[1].exe
------w 16,384 2007-09-07 07:47:08 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0366D1C0-A093-483F-9FA9-5AEBC61972D6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]
2007-09-03 17:58 98304 --a------ C:\Program Files\Rtfoeoop\cortyipe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{435D08DD-665E-474F-B977-5EE75A2BDCB2}]
C:\WINDOWS\system32\tuvsssr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98432E21-E3FC-4ECB-ABB4-2B856639A54F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C28D8920-8D7C-4EEF-B708-25A6F524395A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D04CEC40-7DF7-40E5-899E-300A9342589F}]
2007-09-04 13:49 244832 --a------ C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBEDBBB5-ED5E-40FF-A0A5-F99FA101825B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F80DEA94-5A4B-4C70-9263-02092EAC7FF2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-12-19 14:52 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-20 15:05]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-13 21:31]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-03 16:28]
"nwiz"="nwiz.exe" [2006-01-03 16:28 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-01-03 16:28]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-01-17 18:28]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-16 11:58]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-01-09 18:23]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"urijkxeb"="C:\Program Files\urijkxeb\izurwrqx.dll" [2007-09-03 17:16]
"qjklmtyv"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]
"jgjinevk"="C:\Program Files\ebazobyr\alivinqf.dll" [2007-09-05 18:53]
"jgjinevk"="C:\Program Files\ebazobyr\alivinqf.dll" [2007-09-05 18:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 08:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Dreu"="C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{435D08DD-665E-474F-B977-5EE75A2BDCB2}"= C:\WINDOWS\system32\tuvsssr.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
winexy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\geedc

R1 lanmandrv;lanmandrv;\??\C:\WINDOWS\System32\lanmandrv.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 DomainService;DomainService;C:\WINDOWS\system32\ksecckmy.exe /service
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys
S1 xpdx;xpdx system driver;\??\C:\WINDOWS\system32\xpdx.sys
S3 DMSKSSRh;DMSKSSRh;\??\C:\DOCUME~1\enzok\LOCALS~1\Temp\DMSKSSRh.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys

*Newly Created Service* - DOMAINSERVICE
*Newly Created Service* - LANMANDRV

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 18:54:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

C:\WINDOWS\System32\qmloclea.exe [1876] 0x891C0DA0


scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lanmanwrk.exe = C:\WINDOWS\System32\lanmanwrk.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lanmanwrk.exe"="C:\\WINDOWS\\System32\\lanmanwrk.exe"

Completion time: 2007-09-08 18:56:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 18:56
C:\ComboFix2.txt ... 2007-09-07 17:50

--- E O F ---

enzoks
2007-09-07, 12:02
Here's the HJT log:

-------------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:02:19 PM, on 8/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\ksecckmy.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\DOCUME~1\enzok\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\enzok\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.au.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0366D1C0-A093-483F-9FA9-5AEBC61972D6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Rtfoeoop\cortyipe.dll
O2 - BHO: (no name) - {435D08DD-665E-474F-B977-5EE75A2BDCB2} - C:\WINDOWS\system32\tuvsssr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98432E21-E3FC-4ECB-ABB4-2B856639A54F} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C28D8920-8D7C-4EEF-B708-25A6F524395A} - (no file)
O2 - BHO: (no name) - {D04CEC40-7DF7-40E5-899E-300A9342589F} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {DBEDBBB5-ED5E-40FF-A0A5-F99FA101825B} - (no file)
O2 - BHO: (no name) - {F80DEA94-5A4B-4C70-9263-02092EAC7FF2} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [urijkxeb] rundll32.exe "C:\Program Files\urijkxeb\izurwrqx.dll",Init
O4 - HKLM\..\Run: [qjklmtyv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [jgjinevk] rundll32.exe "C:\Program Files\ebazobyr\alivinqf.dll",Init
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\Updater.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13825 bytes

Blade81
2007-09-07, 13:18
Hi

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)


Open Notepad and copy/paste the text in the quote box below into it:



File::
C:\d.exe
C:\WINDOWS\system32\ksecckmy.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\lparwgts.exe
C:\jcsnyyk.exe
C:\rmgovfi.exe
C:\msceqkix.exe
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\unvise32.exe
C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll
c:\windows\system32\winexy32.dll
C:\DOCUME~1\enzok\LOCALS~1\Temp\DMSKSSRh.sys
C:\WINDOWS\System32\qmloclea.exe

DirLook::
C:\DOCUME~1\enzok\WINDOWS

Folder::
C:\VundoFix Backups
C:\Program Files\ebazobyr
C:\WINDOWS\system32\wowrlegl
C:\Program Files\Rtfoeoop
C:\Program Files\urijkxeb
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0366D1C0-A093-483F-9FA9-5AEBC61972D6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{435D08DD-665E-474F-B977-5EE75A2BDCB2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98432E21-E3FC-4ECB-ABB4-2B856639A54F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C28D8920-8D7C-4EEF-B708-25A6F524395A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D04CEC40-7DF7-40E5-899E-300A9342589F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBEDBBB5-ED5E-40FF-A0A5-F99FA101825B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F80DEA94-5A4B-4C70-9263-02092EAC7FF2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"urijkxeb"=-
"qjklmtyv"=-
"jgjinevk"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dreu"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{435D08DD-665E-474F-B977-5EE75A2BDCB2}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]

Driver::
lanmandrv
DomainService
xpdx
DMSKSSRh



Save this as CFScript


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh HJT log.
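
The check a helper makes on that fresh HJT log, as an added example (not code from the thread, HijackThis or ComboFix): parse the CFScript's File:: and Registry:: sections and the O2/O4/O20 lines of an HJT log, and list the script's targets that are still present. The sample script and log excerpt are constructed from entries seen in this thread; the parsing functions and the reading of the `[-key]` / `"name"=-` syntax are my assumptions.

```python
"""Verify a post-cleanup HijackThis log against a ComboFix CFScript.

Example code added to this thread; it is not part of HijackThis, ComboFix or
the helper's instructions. Assumes the CFScript syntax used above ('[-key]'
deletes a key, '"name"=-' deletes a value under the preceding '[key]' line)
and the O2/O4/O20 line layouts seen in these logs.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample script in the shape of the one posted above.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ksecckmy.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D04CEC40-7DF7-40E5-899E-300A9342589F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"urijkxeb"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dreu"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
"""

# Constructed "fresh" HJT excerpt: the BHO and the HKLM value are gone, two targets are not.
HJT_AFTER = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O20 - Winlogon Notify: winexy32 - winexy32.dll (file missing)
"""


def _reg_target(key, value=None):
    """Map a CFScript registry key (plus optional value name) onto the tuple
    shape parse_hjt() produces; None for keys HJT does not report as O2/O4/O20."""
    low = key.lower()
    clsid = CLSID_RE.search(key)
    if "browser helper objects" in low and clsid and value is None:
        return ("bho", clsid.group(0).upper())
    if low.endswith("\\currentversion\\run") and value is not None:
        hive = HIVES.get(key.split("\\", 1)[0].upper())
        return ("run", hive, value.lower()) if hive else None
    if "\\winlogon\\notify\\" in low and value is None:
        return ("notify", low.rsplit("\\", 1)[1])
    return None


def parse_cfscript(text):
    """Collect everything the script asks ComboFix to delete, as tuples."""
    targets, section, cur_key = set(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):               # File::, Registry::, Driver:: ...
            section, cur_key = line[:-2].lower(), None
        elif section == "file":
            targets.add(("file", line.lower()))
        elif section == "registry":
            target = None
            if line.startswith("[-") and line.endswith("]"):
                target = _reg_target(line[2:-1])         # whole key deleted
            elif line.startswith("[") and line.endswith("]"):
                cur_key = line[1:-1]                     # context for values
            elif line.endswith("=-") and cur_key:
                target = _reg_target(cur_key, line[:-2].strip('"'))
            if target:
                targets.add(target)
    return targets


def parse_hjt(text):
    """Extract BHOs, Run values, Winlogon Notify hooks and BHO DLL paths."""
    found = set()
    for line in text.splitlines():
        if line.startswith("O2 - BHO:"):
            clsid = CLSID_RE.search(line)
            if not clsid:
                continue
            found.add(("bho", clsid.group(0).upper()))
            path = line[clsid.end():].strip(" -")        # text after the CLSID
            if not path.startswith("("):                 # skip "(no file)"
                found.add(("file", path.lower()))
        elif line.startswith("O4 - HK"):
            m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]", line)
            if m:
                found.add(("run", m.group(1), m.group(2).lower()))
        elif line.startswith("O20 - Winlogon Notify:"):
            name = line.split(":", 1)[1].split(" - ", 1)[0].strip()
            found.add(("notify", name.lower()))
    return found


def leftover_entries(cfscript, hjt_log):
    """Script targets that still show up in the fresh HJT log (sorted)."""
    return sorted(parse_cfscript(cfscript) & parse_hjt(hjt_log))


if __name__ == "__main__":
    for item in leftover_entries(CFSCRIPT, HJT_AFTER):
        print("still present:", item)
```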

enzoks
2007-09-07, 13:36
OK, ran the script through ComboFix.
Here's the log:

------------------------------------

ComboFix 07-08-30.3 - "enzok" 2007-09-08 20:29:21.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1496 [GMT 10:00]
* Created a new restore point

FILE::
C:\d.exe
C:\WINDOWS\system32\ksecckmy.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\lparwgts.exe
C:\jcsnyyk.exe
C:\rmgovfi.exe
C:\msceqkix.exe
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\unvise32.exe
C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll
c:\windows\system32\winexy32.dll
C:\DOCUME~1\enzok\LOCALS~1\Temp\DMSKSSRh.sys
C:\WINDOWS\System32\qmloclea.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\d.exe
C:\jcsnyyk.exe
C:\msceqkix.exe
C:\Program Files\ebazobyr
C:\Program Files\ebazobyr\alivinqf.dll
C:\Program Files\Rtfoeoop
C:\Program Files\Rtfoeoop\cortyipe.dll
C:\Program Files\urijkxeb
C:\Program Files\urijkxeb\izurwrqx.dll
C:\rmgovfi.exe
C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\amwjffcv.dll.bad
C:\VundoFix Backups\drvbuv.dll.bad
C:\VundoFix Backups\drvbuvr.dll.bad
C:\VundoFix Backups\drvsadr.dll.bad
C:\VundoFix Backups\fgdpcvvt.dll.bad
C:\VundoFix Backups\gtofuxws.dll.bad
C:\VundoFix Backups\luoplnry.ini.bad
C:\VundoFix Backups\melaejcr.ini.bad
C:\VundoFix Backups\rcjealem.dll.bad
C:\VundoFix Backups\tuvsssr.dll.bad
C:\VundoFix Backups\tvvcpdgf.ini.bad
C:\VundoFix Backups\vtuurom.dll.bad
C:\VundoFix Backups\yrnlpoul.dll.bad
C:\WINDOWS\system32\bjgaqmfy.ini
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\dkbmxwef.dll
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ksecckmy.exe
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\lparwgts.exe
C:\WINDOWS\system32\qmloclea.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\wowrlegl
C:\WINDOWS\system32\wowrlegl\bg1.gif
C:\WINDOWS\system32\wowrlegl\bgtop.gif
C:\WINDOWS\system32\wowrlegl\bottom1.gif
C:\WINDOWS\system32\wowrlegl\essentials.gif
C:\WINDOWS\system32\wowrlegl\icon1.ico
C:\WINDOWS\system32\wowrlegl\install1.gif
C:\WINDOWS\system32\wowrlegl\left1.gif
C:\WINDOWS\system32\wowrlegl\li.gif
C:\WINDOWS\system32\wowrlegl\logo.gif
C:\WINDOWS\system32\wowrlegl\main.htm
C:\WINDOWS\system32\wowrlegl\mainframe.htm
C:\WINDOWS\system32\wowrlegl\reinstall1.gif
C:\WINDOWS\system32\wowrlegl\right1.gif
C:\WINDOWS\system32\wowrlegl\s1.htm
C:\WINDOWS\system32\wowrlegl\s2.htm
C:\WINDOWS\system32\wowrlegl\s3.htm
C:\WINDOWS\system32\wowrlegl\SMTop1.gif
C:\WINDOWS\system32\wowrlegl\SMTop2.gif
C:\WINDOWS\system32\wowrlegl\SMTop3.gif
C:\WINDOWS\system32\wowrlegl\SMTop4.gif
C:\WINDOWS\system32\wowrlegl\soft1_off.gif
C:\WINDOWS\system32\wowrlegl\soft1_off_ext.gif
C:\WINDOWS\system32\wowrlegl\soft1_on.gif
C:\WINDOWS\system32\wowrlegl\soft1_on_ext.gif
C:\WINDOWS\system32\wowrlegl\soft2_off.gif
C:\WINDOWS\system32\wowrlegl\soft2_off_ext.gif
C:\WINDOWS\system32\wowrlegl\soft2_on.gif
C:\WINDOWS\system32\wowrlegl\soft2_on_ext.gif
C:\WINDOWS\system32\wowrlegl\soft3_off.gif
C:\WINDOWS\system32\wowrlegl\soft3_off_ext.gif
C:\WINDOWS\system32\wowrlegl\soft3_on.gif
C:\WINDOWS\system32\wowrlegl\soft3_on_ext.gif
C:\WINDOWS\system32\wowrlegl\softbottom_off.gif
C:\WINDOWS\system32\wowrlegl\softbottom_on.gif
C:\WINDOWS\system32\wowrlegl\softleft_off.gif
C:\WINDOWS\system32\wowrlegl\softleft_on.gif
C:\WINDOWS\system32\wowrlegl\top1.gif
C:\WINDOWS\system32\wowrlegl\top2.gif
C:\WINDOWS\system32\wowrlegl\turnoff1.gif
C:\WINDOWS\system32\wowrlegl\turnon1.gif
C:\WINDOWS\system32\wowrlegl\wowrlegl1.exe
C:\WINDOWS\system32\wowrlegl\wowrlegl2.exe
C:\WINDOWS\system32\wowrlegl\wowrlegl3.exe
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\yfmqagjb.dll
C:\WINDOWS\unvise32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DMSKSSRH
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_LANMANDRV
-------\DMSKSSRh


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))


2007-09-08 20:33 8,192 --a------ C:\jcsnyyk.exe
2007-09-08 20:33 15,640 --a------ C:\onjonuhx.exe
2007-09-07 18:57 <DIR> d---s---- C:\DOCUME~1\enzok\UserData
2007-09-07 18:30 <DIR> d--hs---- C:\FOUND.001
2007-09-07 17:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-07 16:58 <DIR> d--hs---- C:\FOUND.000
2007-09-06 21:31 <DIR> d-------- C:\DOCUME~1\enzok\APPLIC~1\Design Science
2007-09-06 21:30 <DIR> d-------- C:\Program Files\MathType
2007-09-05 18:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-05 18:07 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-05 18:07 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-05 18:07 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-09-04 21:50 671 --a------ C:\WINDOWS\mozver.dat
2007-09-04 10:23 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-09-04 10:18 <DIR> d-------- C:\Program Files\MSBuild
2007-09-04 10:18 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-04 10:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-04 10:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-04 10:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-09-04 10:11 <DIR> dr-h----- C:\MSOCache
2007-09-04 10:10 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-04 10:07 <DIR> d-------- C:\Program Files\Symantec
2007-09-04 10:06 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-04 10:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-02 01:04 29,696 --a------ C:\WINDOWS\mickey32.dll
2007-09-01 12:51 <DIR> d-------- C:\Program Files\Soulseek-Test
2007-09-01 12:51 <DIR> d-------- C:\Program Files\Soulseek
2007-09-01 11:13 <DIR> d-------- C:\Program Files\UMod Browser
2007-08-25 23:34 <DIR> d-------- C:\DOCUME~1\enzok\APPLIC~1\Apple Computer
2007-08-25 20:21 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-18 17:29 0 --a------ C:\WINDOWS\PowerReg.dat
2007-08-17 16:27 <DIR> d-------- C:\DOCUME~1\enzok\WINDOWS
2007-08-17 10:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-08 20:33 5376 --a------ C:\WINDOWS\system32\lanmandrv.sys
2007-09-08 20:33 15640 --a------ C:\WINDOWS\system32\qmbnfggn.exe
2007-09-08 20:33 15640 --a------ C:\WINDOWS\system32\lanmanwrk.exe
2007-09-06 22:37 9041 --a------ C:\WINDOWS\system32\iefpmod.dll
2007-09-06 22:37 49 --a------ C:\WINDOWS\system32\ierql.dll
2007-09-06 22:37 4 --a------ C:\WINDOWS\system32\iebudata.dll
2007-09-06 22:37 32 --a------ C:\WINDOWS\system32\iesc.dll
2007-09-06 22:37 302 --a------ C:\WINDOWS\system32\iehrdata.dll
2007-09-06 22:37 105 --a------ C:\WINDOWS\system32\qshl.dll
2007-09-05 17:50 69927 --a------ C:\Program Files\setup.exe
2007-08-05 21:26 --------- d-------- C:\Program Files\Skype
2007-08-05 21:26 --------- d-------- C:\Program Files\Common Files\Skype
2007-08-05 21:26 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\Skype
2007-08-05 21:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-08-02 20:06 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-29 22:34 --------- d-------- C:\Program Files\Google
2007-07-29 01:56 --------- d-------- C:\Program Files\Common Files\NSV
2007-07-26 18:31 --------- d-------- C:\Program Files\DebugMode
2007-07-22 15:10 --------- d-------- C:\Program Files\uTorrent
2007-07-22 15:10 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\uTorrent
2007-07-21 14:51 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-20 02:30 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\AdobeUM
2007-07-14 23:23 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\Canon
2007-07-14 14:13 445440 --a------ C:\WINDOWS\system32\ss2uinst.exe
2007-07-12 22:10 --------- d-------- C:\Program Files\QuickTime
2007-07-12 22:10 --------- d-------- C:\Program Files\Apple Software Update
2007-07-12 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-12 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-12 18:30 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-07-12 17:46 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-12 17:45 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-10 18:57 --------- d-------- C:\Program Files\VTFEdit
2007-07-10 18:57 --------- d-------- C:\Program Files\VTF Shell Extensions
2007-07-10 17:11 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-07-10 16:39 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\uk.co.planetside
2007-07-10 15:49 --------- d-------- C:\Program Files\Terragen
2007-07-10 09:06 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\CyberLink
2007-07-10 08:53 --------- d-------- C:\Program Files\WIDCOMM
2007-07-10 01:29 --------- d-------- C:\Program Files\GCFScape
2007-07-10 00:25 --------- d-------- C:\Program Files\Steam
2007-07-09 19:22 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\WinRAR
2007-07-09 19:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-09 19:04 --------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-09 18:29 --------- d-------- C:\Program Files\Windows Live
2007-07-09 18:29 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-09 18:28 --------- d-------- C:\Program Files\MSN Messenger
2007-07-09 18:10 --------- d-------- C:\Program Files\Last.fm
2007-07-09 17:43 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-09 17:38 --------- d-------- C:\Program Files\Winamp
2007-07-09 16:33 --------- d-------- C:\DOCUME~1\enzok\APPLIC~1\vlc
2007-07-09 16:32 --------- d-------- C:\Program Files\VideoLAN
2007-07-09 15:01 9 --a------ C:\WINDOWS\HotFix.bat
2007-07-09 15:01 888 --a------ C:\WINDOWS\CLEANUP.CMD
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\iexchg.dll
C:\ptbpxk.exe


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\DOCUME~1\enzok\WINDOWS ----



((((((((((((((((((((((((((((( snapshot_2007-09-07_174957.51 )))))))))))))))))))))))))))))))))))))))))

------w 32,768 2007-09-08 10:33:00 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 32,768 2007-09-08 10:33:00 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 7,168 2007-09-08 08:54:24 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WJOLE3Y1\adv735[1].exe
----a-w 138,240 2007-09-08 08:54:34 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZO1WV2J4\dl[1].exe
------w 16,384 2007-09-08 10:33:00 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 16,384 2007-09-08 08:54:14 C:\WINDOWS\Temp\Perflib_Perfdata_890.dat

------w 32,768 2007-09-07 07:47:08 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 32,768 2007-09-07 07:47:08 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 7,168 2007-09-07 07:00:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WJOLE3Y1\adv735[1].exe
------w 16,384 2007-09-07 07:47:08 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0366D1C0-A093-483F-9FA9-5AEBC61972D6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{435D08DD-665E-474F-B977-5EE75A2BDCB2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98432E21-E3FC-4ECB-ABB4-2B856639A54F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C28D8920-8D7C-4EEF-B708-25A6F524395A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D04CEC40-7DF7-40E5-899E-300A9342589F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBEDBBB5-ED5E-40FF-A0A5-F99FA101825B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F80DEA94-5A4B-4C70-9263-02092EAC7FF2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-12-19 14:52 C:\WINDOWS\RTHDCPL.exe]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-20 15:05]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-13 21:31]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-03 16:28]
"nwiz"="nwiz.exe" [2006-01-03 16:28 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-01-03 16:28]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-01-17 18:28]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-16 11:58]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-01-09 18:23]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 08:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Dreu"="C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\geedc

R1 lanmandrv;lanmandrv;\??\C:\WINDOWS\System32\lanmandrv.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R1 xpdx;xpdx system driver;\??\C:\WINDOWS\system32\xpdx.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15.sys;int15.sys;\??\C:\Acer\Empowering Technology\eRecovery\int15.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys

*Newly Created Service* - LANMANDRV

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 20:33:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

C:\WINDOWS\System32\qmbnfggn.exe [2568] 0x8A2B8020


scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
lanmanwrk.exe = C:\WINDOWS\System32\lanmanwrk.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lanmanwrk.exe"="C:\\WINDOWS\\System32\\lanmanwrk.exe"

Completion time: 2007-09-08 20:34:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 20:34
C:\ComboFix3.txt ... 2007-09-07 17:50
C:\ComboFix2.txt ... 2007-09-08 18:56

--- E O F ---

enzoks
2007-09-07, 13:37
HJT log:

----------------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:37:23 PM, on 8/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\DOCUME~1\enzok\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\enzok\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.au.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\Updater.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12776 bytes

Blade81
2007-09-07, 19:20
Hi

1. Download - rustbfix.exe (http://www.uploads.ejvindh.net/rustbfix.exe) ...and save it to your desktop.
2. Double click on rustbfix.exe to run the tool.
   a. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
   b. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

enzoks
2007-09-08, 02:26
Ran rustbfix
1st log:

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Sun 09/09/2007 9:10:30.06

******************* Pre-run Status of system *******************

Rootkit driver xpdx is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
system32\xpdx.sys FOUND!
attempting to delete xpdx.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************
----------------------------------------------------

2nd log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\^dylcndm

*******************

Script file located at: \??\C:\WINDOWS\xpwxtcrr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver xpdx unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

enzoks
2007-09-08, 02:27
new HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:23:42 AM, on 9/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\DOCUME~1\enzok\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\enzok\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.au.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\Updater.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12720 bytes

Blade81
2007-09-08, 20:16
Hi

Ok, let's try to run combofix now again.

Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\d.exe
C:\WINDOWS\system32\ksecckmy.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\lparwgts.exe
C:\jcsnyyk.exe
C:\rmgovfi.exe
C:\msceqkix.exe
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\unvise32.exe
C:\Documents and Settings\All Users\Application Data\qjklmtyv.dll
c:\windows\system32\winexy32.dll
C:\DOCUME~1\enzok\LOCALS~1\Temp\DMSKSSRh.sys
C:\WINDOWS\System32\qmloclea.exe

Folder::
C:\VundoFix Backups
C:\Program Files\ebazobyr
C:\WINDOWS\system32\wowrlegl
C:\Program Files\Rtfoeoop
C:\Program Files\urijkxeb
C:\Temp
C:\DOCUME~1\enzok\WINDOWS

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0366D1C0-A093-483F-9FA9-5AEBC61972D6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39C6B6C8-E01E-3175-B583-04FDA1EE088B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{435D08DD-665E-474F-B977-5EE75A2BDCB2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C3F02FD-EA00-4AB4-87C3-2AF4C82E1B12}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98432E21-E3FC-4ECB-ABB4-2B856639A54F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C28D8920-8D7C-4EEF-B708-25A6F524395A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D04CEC40-7DF7-40E5-899E-300A9342589F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBEDBBB5-ED5E-40FF-A0A5-F99FA101825B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F80DEA94-5A4B-4C70-9263-02092EAC7FF2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"urijkxeb"=-
"qjklmtyv"=-
"jgjinevk"=-
"Dreu"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{435D08DD-665E-474F-B977-5EE75A2BDCB2}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]

Driver::
lanmandrv
DomainService
xpdx
DMSKSSRh
Save this as
CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.
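
As an added example (not from this thread and not the HijackThis or ComboFix authors' code), a Python cross-check of the O4 autostart entries in enzoks' HijackThis log against the Registry:: section of the CFScript above: it flags a Windows-named binary such as rundll32.exe that is launched from outside the Windows directory, and reports from which hive the script deletes each flagged Run value. The sample log and script lines are copied from this thread; the set of binary names and the C:\WINDOWS system root are assumptions.

```python
"""Cross-check HijackThis O4 (Run-key) entries against a ComboFix CFScript.

Added example, not code from the thread or from the tool authors. It flags
Run entries whose binary carries a Windows system-binary name but lives
outside the Windows directory (as 'Dreu' above does with rundll32.exe), and
shows whether, and from which hive, the CFScript's Registry:: section removes
each flagged value.
"""
import re
from dataclasses import dataclass

# Example: O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SECTION_RE = re.compile(r"^(\w+)::$")          # File:: / Folder:: / Registry:: / Driver::
KEY_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]$")  # [KEY] selects a key, [-KEY] deletes it
VALUE_DEL_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')  # "name"=- deletes a value

# Assumed list of binary names worth checking for masquerading.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "ctfmon.exe",
                   "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}
WINDOWS_DIR = "c:\\windows\\"  # assumed %SystemRoot%, as the log shows
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


@dataclass
class RunEntry:
    hive: str   # HKLM, HKCU or HKUS as HijackThis abbreviates it
    name: str   # the Run value name in square brackets
    exe: str    # the program the command line launches
    cmd: str    # the full command line


def executable_of(cmd: str) -> str:
    """Extract the launched program: a quoted path, or the text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ", 1)[0]


def parse_o4_run_entries(hjt_log: str) -> list:
    """Return the O4 Run-key entries of a HijackThis log (Global Startup lines are skipped)."""
    entries = []
    for line in hjt_log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive = m["hive"].split("\\")[0]
            entries.append(RunEntry(hive, m["name"], executable_of(m["cmd"]), m["cmd"]))
    return entries


def is_masquerading(exe: str) -> bool:
    """True when a Windows-named binary is run from a directory outside %SystemRoot%."""
    low = exe.lower()
    if "\\" not in low:
        return False  # bare name, resolved through the search path; not judged here
    directory, _, base = low.rpartition("\\")
    return base in SYSTEM_BINARIES and not (directory + "\\").startswith(WINDOWS_DIR)


def parse_cfscript_run_deletions(cfscript: str) -> dict:
    """Map each value name deleted under a ...\\CurrentVersion\\Run key to the hives it is deleted from."""
    deletions, section, key_hive = {}, None, None
    for raw in cfscript.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            section, key_hive = s.group(1), None
            continue
        if section != "Registry" or not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k["key"]
            root = key.split("\\")[0]
            is_run_key = key.lower().endswith("\\currentversion\\run")
            key_hive = HIVE_SHORT.get(root, root) if is_run_key else None
            continue
        v = VALUE_DEL_RE.match(line)
        if v and key_hive:
            deletions.setdefault(v["name"], set()).add(key_hive)
    return deletions


def audit(hjt_log: str, cfscript: str) -> list:
    """Flagged Run entries, each with the hives the script deletes that value from."""
    deletions = parse_cfscript_run_deletions(cfscript)
    report = []
    for e in parse_o4_run_entries(hjt_log):
        if is_masquerading(e.exe) or e.name in deletions:
            report.append({"hive": e.hive, "name": e.name, "exe": e.exe,
                           "masquerading": is_masquerading(e.exe),
                           "script_deletes_from": sorted(deletions.get(e.name, ()))})
    return report


# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\COMMON~1\SSTEM~1\rundll32.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\Updater.exe
"""

# Sample input: the Registry:: part of the CFScript above, shortened.
SAMPLE_CFSCRIPT = r"""
File::
C:\d.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0366D1C0-A093-483F-9FA9-5AEBC61972D6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"urijkxeb"=-
"qjklmtyv"=-
"jgjinevk"=-
"Dreu"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{435D08DD-665E-474F-B977-5EE75A2BDCB2}"=-
Driver::
lanmandrv
xpdx
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_HJT, SAMPLE_CFSCRIPT):
        print(row)
```

On the sample lines it flags the HKCU 'Dreu' entry (rundll32.exe from an 8.3 path under Common Files) and reports that the script deletes 'Dreu' from the HKLM Run key only, which is the kind of hive mismatch worth checking before a script is run.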

enzoks
2007-09-09, 06:36
Serious problem now.. After I ran the script in combofix and rebooted, my laptop now keeps displaying an error with 'winlogon' a few seconds after logging on and then restarts. Whenever I try to reboot the laptop the same thing happens.

Blade81
2007-09-09, 20:40
Hi

Looks like repair installation is needed :sad: Here are instructions (http://www.michaelstevenstech.com/XPrepairinstall.htm).