Free Malware Removal Forum

by **chryssi2001** » June 4th, 2008, 2:02 pm

Hello DJGarry,

I need some time to check your reports. Meanwhile i need some information for the problems your pc is having now.

Right, I dont thnk AVG turned off.... just the control centre shut down.

It's off, Combofix would show if AVG was running, just below the heading.

Before we continue, let me know more details about this.

Windowsis now VERY unstable. I keep getting 'Windows Explorer needs to shut down' messages.

What are the messages? Any file names? Any other messages?
Or just Windows Explorer needs to shut down?

Everything dissapears except the window I'm working on, the desktop goes blank (to wallpaper) and it then restarts. It stays for only 10 - 20 seconds, then shuts down again... over and over.

Did you have this problem before?

Did all these appear after you run Combofix?

Check pc wires.

Let me know please.

by **DJGarry** » June 4th, 2008, 10:31 pm

Right, here goes.

I'm glad AVG was off for the Combofix run.

I was getting just Windows Explorer needs to shut down messages. It would then restart it'self and then shut down again 20 seconds later.

Now.... I'm not even getting any messages. Windows spends it's whole time shutting down and re starting every 8 seconds. Any program windows that are open remain on the screen. These have included IE, Windows Mail, WinAmp (it even keeps playing music while Windows shuts down), Open office documents etc. Folder windows that are opened, close and do not re-open during or after the shutdowns. That makes it very difficult to find anything at the moment only having 8 seconds to locate a file and double click it.

The taskbar completly dissapears with all the tabs, start button, clock and system tray as do all the icons on the desktop and the side bar. The only thing that is visible is the wallpaper screen, the arrow cursor and it's 'busy' rotating icon, and any open program windows.
All programs that are running, stay running. Even skype stays connected as does the internet connection to the wireless router.

This was happening before Combofix and as it's a laptop there are no 'wires' to check.

Garry.

by **DJGarry** » June 5th, 2008, 12:07 am

I just did a reboot and on startup I got four error messages. They were:

Error loading C:\Windows\system32\ssqNHyaz.dll
Access is denied

Error loading C:\Users\Garry\AppData\Local\Temp\fjcbfjgk.dll
Access is denied

Error loading C:\Users\Garry\AppData\Local\Temp\wvUoNFL.dll
Access is denied

Error loading C:\Users\Garry\AppData\Local\Temp\wabvcduq.dll
Access is denied

Windows still seemed to load ok and went straight into it's shutdown / re-start routine.

Don't know if they are any help to you,

Garry

by **DJGarry** » June 5th, 2008, 12:17 am

AVG has now started it's daily scan and has found the first three of the .dll's as Trojan horse Generic10.AIBI or AIEP and will presumably heal them when it's finished.

It has also found a 'Change' to C:\Windows\system32\ntoskrnl.exe

Again, hope this helps.

Garry

by **chryssi2001** » June 5th, 2008, 1:24 am

Hi, yes they do help. As i suspected, all these symptoms are from the infections.

I've checked your reports, and i will prepare a fix at my lunch break.
It's early morning here now, so i am off to work.
Be patient please.

by **DJGarry** » June 5th, 2008, 4:42 am

Hi.

I've had a few hours sleep and woke to find AVG scan is still going, 4 1/2 hours later. It's found loads of Trogans most of which are in a P2P downloads folder full of Torrents. The one in question is for a copy of Microsoft Expression Web that at one point a little while ago I tried to unzip and run from the folder but it didn't work so I burnt the files to an autostart data cd and tried installing the program from the disk.

That didn't work either (surprise surprise) as the whole thing seems to be riddled with trogans.

I guess the best thing to do is let it finish... god only knows how long it's gonig to take. It's going through other downloads at the moment taking a very long time scanning through each .dll file.
Out of 97971 scanned objects so far, it's found 52 threats.

Garry

by **chryssi2001** » June 5th, 2008, 7:20 am

Hello DJGarry,

If your AVG is still scanning, please cancel it.
----------------------------------------------
I would like to do the whole fix in Safe mode to prevent something going wrong.

Safe Mode

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O4 - HKCU\..\Run: [BM299b28c0] Rundll32.exe "C:\Users\Garry\AppData\Local\Temp\fjcbfjgk.dll",s
O4 - HKCU\..\Run: [2aa81b5c] rundll32.exe "C:\Users\Garry\AppData\Local\Temp\wabvcduq.dll",b

Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: Select all

KILLALL::

File::
C:\Windows\System32\fcccbaWp.dll
C:\Windows\System32\xxyabyaB.dll
C:\Windows\System32\hgGxYSIB.dll
C:\Windows\System32\ssqNHyax.dll
C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll
C:\Users\Garry\AppData\Local\Temp\fjcbfjgk.dll
C:\Users\Garry\AppData\Local\Temp\wabvcduq.dll
C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job

Folder::
C:\ProgramData\Symantec
c:\PROGRA~1\NORTON~1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cmds"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"=-

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Is the pc running better?

by **DJGarry** » June 5th, 2008, 9:11 am

Right......

When I dropped the .txt file onto the Combofix icon it started running but came up with quite a few massages in the text box about not beiang able to find some files but it ran through and produced a log file of sorts on the desktop but it now seems to have dissapeared. It just mentioned that it couldn't find one of the .dll's it was looking for I think.

After the re-boot, I made sure AVG and Defender etc were turned off and ran Combofix normally (the log files I'll put in the next post).

I then opened up an IE window to satrt posting the logs and a full scren IE window opened with an advert in it, then a Windows error box appeared entitled:

Microsoft Visual C++ Runtime Library

In the error box it says:

Buffer oerrun detected!

Program C:\Windows\Explorer.exe

A Buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

When I hit the 'OK' button Windows Explorer shut down and quickly re-started leaving the programs running ie. Hijack this, IE, Notepad.

The laptop seems not to be constantly restarting over and over any more but when I try to go to a new website, a new window opens with an advert site in it.

Anyway, logs in next post.

Garry

by **DJGarry** » June 5th, 2008, 9:12 am

ComboFix 08-06-03.1 - Garry 2008-06-05 13:49:31.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1304 [GMT 1:00]
Running from: C:\Users\Garry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 12:44 --------- d-----w C:\Users\Garry\AppData\Roaming\Skype
2008-06-05 12:40 --------- d-----w C:\Users\Garry\AppData\Roaming\skypePM
2008-06-05 12:40 --------- d-----w C:\Users\Garry\AppData\Roaming\OpenOffice.org2
2008-06-05 12:05 --------- d-----w C:\Users\Garry\AppData\Roaming\AVG7
2008-06-05 12:00 13,025 ----a-w C:\Users\Garry\AppData\Roaming\nvModes.dat
2008-06-03 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-03 22:27 --------- d-----w C:\ProgramData\Symantec
2008-06-03 11:35 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 11:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-26 11:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-19 10:29 5,642 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-05-18 20:36 --------- d-----w C:\Program Files\THQ
2008-05-18 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 14:52 --------- d-----w C:\Users\Garry\AppData\Roaming\Corel
2008-05-14 14:43 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-14 14:41 --------- d-----w C:\Program Files\Corel
2008-05-14 10:43 --------- d-----w C:\Program Files\Windows Mail
2008-05-13 13:52 --------- d-----w C:\Program Files\Yamp 2.3
2008-04-29 22:46 691,545 ----a-w C:\Windows\unins000.exe
2008-04-15 12:07 --------- d-----w C:\ProgramData\EPSON
2008-04-15 11:43 --------- d-----w C:\Program Files\epson
2008-04-04 13:26 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-04 13:26 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-13 18:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-10-13 17:54 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-06-04_16.18.20.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 15:07:27 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-05 12:38:05 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-04 15:07:27 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-05 12:38:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-04 15:07:27 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-05 12:38:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-04 15:09:18 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-05 12:39:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-05 12:39:56 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-04 15:17:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-05 12:51:51 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-05 12:51:51 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-04 10:41:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-05 12:42:55 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-04 10:41:11 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 12:42:55 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-04 10:41:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-05 12:42:55 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-04 15:14:01 108,526 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-05 12:44:38 108,526 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-04 15:14:01 623,342 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-05 12:44:38 623,342 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-04 15:09:59 14,108 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3213793974-2534403334-2120894616-1000_UserData.bin
+ 2008-06-05 12:41:17 14,188 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3213793974-2534403334-2120894616-1000_UserData.bin
- 2008-06-04 15:09:59 66,976 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 12:41:14 67,142 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-04 15:09:59 60,752 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 12:00:46 60,932 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
C:\Windows\system32\ssqNHyax.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 20:31 1637312]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:37 21898024]
"EPSON Stylus DX4400 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-01-25 07:00 179200]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"cmds"="C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll" [2008-06-03 11:19 373248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 19:57 3784704 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 20:00 815104]
"Acer Tour"="" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-20 21:50 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-20 21:50 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-20 21:50 81920]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 02:58 464168]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-12-21 01:02 659456]
"eRecoveryService"="" []
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-01-14 19:38 151552]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 03:31 36352]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00 203264]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"pdfSaver3"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 08:53 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 18:04 219136]

C:\Users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"= C:\Windows\system32\ssqNHyax.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-24 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\DVWIZA~1\Kernel\Burner\MKDMP3Enc.ACM
"wave1"= ctmm32.dll
"midi1"= ctmm32.dll
"mixer1"= ctmm32.dll
"midi2"= ctsyn32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1990356-814B-4F86-B2DC-14464FAD9AE5}"= UDP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2B755953-EFE3-41CF-9C65-416CBCFDC842}"= TCP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{DF10B9AE-A742-4E36-AD58-DC079F98D0C9}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys [2007-01-03 02:59]
R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys [2007-01-03 02:59]
R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys [2007-01-03 02:59]
R1 CTSYN;Creative S/W Synth;C:\Windows\system32\drivers\CTSYN.SYS [1999-06-16 02:00]
R2 eDataSecurity Service;eDataSecurity Service;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [2007-01-03 02:58]
R2 eNet Service;eNet Service;C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-12-29 04:07]
R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-01-03 00:46]
R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 20:57]
R2 WMIService;ePower Service;C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-01-02 17:33]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 18:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 10:06]
R3 Cam5607;Acer OrbiCam;C:\Windows\system32\Drivers\BisonC07.sys [2005-11-29 23:20]
R3 moufiltr;Mouse Filter;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-01-09 09:22]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 17:44]
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 08:30]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-12-19 20:18]
S3 KMWDFilter;KMWDFilter;C:\Windows\System32\Drivers\KMWDFilter.SYS [2007-02-13 07:42]
S3 n558;N558 Bluetooth USB Filter Driver;C:\Windows\system32\Drivers\n558.sys [2007-08-15 07:27]
S3 USB_NDIS_51;USB Ndis Cable Modem Network Device Driver;C:\Windows\system32\DRIVERS\bcmndis.sys [2007-07-09 06:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74eb9dd2-e5f6-11dc-9a85-0016d354dfda}]
\shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 21:47:50 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 13:52:08
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll
.
Completion time: 2008-06-05 13:53:41
ComboFix-quarantined-files.txt 2008-06-05 12:53:14
ComboFix2.txt 2008-06-04 15:18:58

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

196 --- E O F --- 2008-05-30 02:02:47

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:01:14, on 05/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {81AA6A16-B8CA-43C4-A347-A487764FF528} - C:\Windows\system32\ssqNHyax.dll (file missing)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\Windows\TEMP\E_S9CFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9975 bytes

by **chryssi2001** » June 5th, 2008, 9:22 am

Hi, the fix didn't work.

There was not need to run Combofix again in normal mode.

My fix is the CF-Script. Running Combofix without dragging CF-Script onto Combofix like it shows in the image i posted, will not fix things.

Please try to do it again as all the infections are still there.

Try doing it in Normal mode if it's easier for you, but i prefer Safe mode.
Create the CF-Script, and drag it onto Combofix.
Do not touch the pc untill it finish and reboots back to windows screen.
The report will be at:
C:\Combofix2.txt or Combofix3.txt depending of the times Combofix run.

Can you find this file and post back the Contents before you re-try?
ComboFix-quarantined-files.txt

by **DJGarry** » June 5th, 2008, 10:18 am

Found th quarantined files txt:

2008-06-05 15:02 162 --a------ C:\Qoobox\Quarantine\catchme.log

This refersthis log file (this is the one that was on the desktop for a while and dissapeared):

-------- 2008-06-04 - 16:17:31.01 -------------

-------- 2008-06-05 - 13:51:55.36 -------------

-------- 2008-06-05 - 15:02:47.92 -------------

Then there's the ComboFix logs. No. 3 is dated before No. 2 but here they both are:

No. 3 Dated: 04/06/2008 16:19

ComboFix 08-06-03.1 - Garry 2008-06-04 16:14:34.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1282 [GMT 1:00]
Running from: C:\Users\Garry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 15:10 13,025 ----a-w C:\Users\Garry\AppData\Roaming\nvModes.dat
2008-06-04 15:10 --------- d-----w C:\Users\Garry\AppData\Roaming\Skype
2008-06-04 15:10 --------- d-----w C:\Users\Garry\AppData\Roaming\OpenOffice.org2
2008-06-04 12:29 --------- d-----w C:\Users\Garry\AppData\Roaming\AVG7
2008-06-04 00:00 --------- d-----w C:\Users\Garry\AppData\Roaming\skypePM
2008-06-03 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-03 22:27 --------- d-----w C:\ProgramData\Symantec
2008-06-03 11:35 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 11:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-26 11:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-20 10:13 58,368 ----a-w C:\Windows\System32\fcccbaWp.dll
2008-05-20 09:48 58,368 ----a-w C:\Windows\System32\xxyabyaB.dll
2008-05-20 09:47 58,368 ----a-w C:\Windows\System32\hgGxYSIB.dll
2008-05-20 09:25 58,368 ----a-w C:\Windows\System32\ssqNHyax.dll
2008-05-19 10:29 5,642 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-05-18 20:36 --------- d-----w C:\Program Files\THQ
2008-05-18 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 14:52 --------- d-----w C:\Users\Garry\AppData\Roaming\Corel
2008-05-14 14:43 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-14 14:41 --------- d-----w C:\Program Files\Corel
2008-05-14 10:43 --------- d-----w C:\Program Files\Windows Mail
2008-05-13 13:52 --------- d-----w C:\Program Files\Yamp 2.3
2008-04-29 22:46 691,545 ----a-w C:\Windows\unins000.exe
2008-04-15 12:07 --------- d-----w C:\ProgramData\EPSON
2008-04-15 11:43 --------- d-----w C:\Program Files\epson
2008-04-04 13:26 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-04 13:26 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-13 18:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-10-13 17:54 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
2008-05-20 10:25 58368 --a------ C:\Windows\system32\ssqNHyax.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 20:31 1637312]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:37 21898024]
"EPSON Stylus DX4400 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-01-25 07:00 179200]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"cmds"="C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll" [2008-06-03 11:19 373248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 19:57 3784704 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 20:00 815104]
"Acer Tour"="" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-20 21:50 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-20 21:50 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-20 21:50 81920]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 02:58 464168]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-12-21 01:02 659456]
"eRecoveryService"="" []
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-01-14 19:38 151552]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 03:31 36352]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00 203264]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"pdfSaver3"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 08:53 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]
"MSServer"="C:\Windows\system32\ssqNHyax.dll" [2008-05-20 10:25 58368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 18:04 219136]

C:\Users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"= C:\Windows\system32\ssqNHyax.dll [2008-05-20 10:25 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-24 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\DVWIZA~1\Kernel\Burner\MKDMP3Enc.ACM
"wave1"= ctmm32.dll
"midi1"= ctmm32.dll
"mixer1"= ctmm32.dll
"midi2"= ctsyn32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1990356-814B-4F86-B2DC-14464FAD9AE5}"= UDP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2B755953-EFE3-41CF-9C65-416CBCFDC842}"= TCP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{DF10B9AE-A742-4E36-AD58-DC079F98D0C9}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys [2007-01-03 02:59]
R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys [2007-01-03 02:59]
R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys [2007-01-03 02:59]
R1 CTSYN;Creative S/W Synth;C:\Windows\system32\drivers\CTSYN.SYS [1999-06-16 02:00]
R2 eDataSecurity Service;eDataSecurity Service;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [2007-01-03 02:58]
R2 eNet Service;eNet Service;C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-12-29 04:07]
R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-01-03 00:46]
R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 20:57]
R2 WMIService;ePower Service;C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-01-02 17:33]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 18:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 10:06]
R3 Cam5607;Acer OrbiCam;C:\Windows\system32\Drivers\BisonC07.sys [2005-11-29 23:20]
R3 moufiltr;Mouse Filter;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-01-09 09:22]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 17:44]
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 08:30]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-12-19 20:18]
S3 KMWDFilter;KMWDFilter;C:\Windows\System32\Drivers\KMWDFilter.SYS [2007-02-13 07:42]
S3 n558;N558 Bluetooth USB Filter Driver;C:\Windows\system32\Drivers\n558.sys [2007-08-15 07:27]
S3 USB_NDIS_51;USB Ndis Cable Modem Network Device Driver;C:\Windows\system32\DRIVERS\bcmndis.sys [2007-07-09 06:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74eb9dd2-e5f6-11dc-9a85-0016d354dfda}]
\shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 21:47:50 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 16:17:44
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 16:18:57
ComboFix-quarantined-files.txt 2008-06-04 15:18:37

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

167 --- E O F --- 2008-05-30 02:02:47

Then No 2. Dated 05/06/2008 13:53

ComboFix 08-06-03.1 - Garry 2008-06-05 13:49:31.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1304 [GMT 1:00]
Running from: C:\Users\Garry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 12:44 --------- d-----w C:\Users\Garry\AppData\Roaming\Skype
2008-06-05 12:40 --------- d-----w C:\Users\Garry\AppData\Roaming\skypePM
2008-06-05 12:40 --------- d-----w C:\Users\Garry\AppData\Roaming\OpenOffice.org2
2008-06-05 12:05 --------- d-----w C:\Users\Garry\AppData\Roaming\AVG7
2008-06-05 12:00 13,025 ----a-w C:\Users\Garry\AppData\Roaming\nvModes.dat
2008-06-03 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-03 22:27 --------- d-----w C:\ProgramData\Symantec
2008-06-03 11:35 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 11:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-26 11:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-19 10:29 5,642 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-05-18 20:36 --------- d-----w C:\Program Files\THQ
2008-05-18 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 14:52 --------- d-----w C:\Users\Garry\AppData\Roaming\Corel
2008-05-14 14:43 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-14 14:41 --------- d-----w C:\Program Files\Corel
2008-05-14 10:43 --------- d-----w C:\Program Files\Windows Mail
2008-05-13 13:52 --------- d-----w C:\Program Files\Yamp 2.3
2008-04-29 22:46 691,545 ----a-w C:\Windows\unins000.exe
2008-04-15 12:07 --------- d-----w C:\ProgramData\EPSON
2008-04-15 11:43 --------- d-----w C:\Program Files\epson
2008-04-04 13:26 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-04 13:26 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-13 18:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-10-13 17:54 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-06-04_16.18.20.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 15:07:27 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-05 12:38:05 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-04 15:07:27 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-05 12:38:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-04 15:07:27 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-05 12:38:06 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-04 15:09:18 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-05 12:39:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-05 12:39:56 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-04 15:17:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-05 12:51:51 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-05 12:51:51 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-04 10:41:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-05 12:42:55 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-04 10:41:11 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 12:42:55 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-04 10:41:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-05 12:42:55 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-04 15:14:01 108,526 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-05 12:44:38 108,526 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-04 15:14:01 623,342 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-05 12:44:38 623,342 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-04 15:09:59 14,108 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3213793974-2534403334-2120894616-1000_UserData.bin
+ 2008-06-05 12:41:17 14,188 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3213793974-2534403334-2120894616-1000_UserData.bin
- 2008-06-04 15:09:59 66,976 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 12:41:14 67,142 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-04 15:09:59 60,752 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 12:00:46 60,932 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
C:\Windows\system32\ssqNHyax.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 20:31 1637312]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:37 21898024]
"EPSON Stylus DX4400 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-01-25 07:00 179200]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"cmds"="C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll" [2008-06-03 11:19 373248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 19:57 3784704 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 20:00 815104]
"Acer Tour"="" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-20 21:50 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-20 21:50 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-20 21:50 81920]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 02:58 464168]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-12-21 01:02 659456]
"eRecoveryService"="" []
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-01-14 19:38 151552]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 03:31 36352]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00 203264]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"pdfSaver3"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 08:53 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 18:04 219136]

C:\Users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"= C:\Windows\system32\ssqNHyax.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-24 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\DVWIZA~1\Kernel\Burner\MKDMP3Enc.ACM
"wave1"= ctmm32.dll
"midi1"= ctmm32.dll
"mixer1"= ctmm32.dll
"midi2"= ctsyn32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1990356-814B-4F86-B2DC-14464FAD9AE5}"= UDP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2B755953-EFE3-41CF-9C65-416CBCFDC842}"= TCP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{DF10B9AE-A742-4E36-AD58-DC079F98D0C9}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys [2007-01-03 02:59]
R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys [2007-01-03 02:59]
R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys [2007-01-03 02:59]
R1 CTSYN;Creative S/W Synth;C:\Windows\system32\drivers\CTSYN.SYS [1999-06-16 02:00]
R2 eDataSecurity Service;eDataSecurity Service;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [2007-01-03 02:58]
R2 eNet Service;eNet Service;C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-12-29 04:07]
R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-01-03 00:46]
R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 20:57]
R2 WMIService;ePower Service;C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-01-02 17:33]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 18:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 10:06]
R3 Cam5607;Acer OrbiCam;C:\Windows\system32\Drivers\BisonC07.sys [2005-11-29 23:20]
R3 moufiltr;Mouse Filter;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-01-09 09:22]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 17:44]
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 08:30]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-12-19 20:18]
S3 KMWDFilter;KMWDFilter;C:\Windows\System32\Drivers\KMWDFilter.SYS [2007-02-13 07:42]
S3 n558;N558 Bluetooth USB Filter Driver;C:\Windows\system32\Drivers\n558.sys [2007-08-15 07:27]
S3 USB_NDIS_51;USB Ndis Cable Modem Network Device Driver;C:\Windows\system32\DRIVERS\bcmndis.sys [2007-07-09 06:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74eb9dd2-e5f6-11dc-9a85-0016d354dfda}]
\shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 21:47:50 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 13:52:08
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll
.
Completion time: 2008-06-05 13:53:41
ComboFix-quarantined-files.txt 2008-06-05 12:53:14
ComboFix2.txt 2008-06-04 15:18:58

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

196 --- E O F --- 2008-05-30 02:02:47

I'll do the drag and drop onto ComboFix again and post that log in my next post with another Hijack this log too.

Garry.

by **DJGarry** » June 5th, 2008, 10:36 am

Now got a ComboFix4.txt log (run in safe mode):

ComboFix 08-06-03.1 - Garry 2008-06-04 16:14:34.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1282 [GMT 1:00]
Running from: C:\Users\Garry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 15:10 13,025 ----a-w C:\Users\Garry\AppData\Roaming\nvModes.dat
2008-06-04 15:10 --------- d-----w C:\Users\Garry\AppData\Roaming\Skype
2008-06-04 15:10 --------- d-----w C:\Users\Garry\AppData\Roaming\OpenOffice.org2
2008-06-04 12:29 --------- d-----w C:\Users\Garry\AppData\Roaming\AVG7
2008-06-04 00:00 --------- d-----w C:\Users\Garry\AppData\Roaming\skypePM
2008-06-03 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-03 22:27 --------- d-----w C:\ProgramData\Symantec
2008-06-03 11:35 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 11:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-26 11:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-20 10:13 58,368 ----a-w C:\Windows\System32\fcccbaWp.dll
2008-05-20 09:48 58,368 ----a-w C:\Windows\System32\xxyabyaB.dll
2008-05-20 09:47 58,368 ----a-w C:\Windows\System32\hgGxYSIB.dll
2008-05-20 09:25 58,368 ----a-w C:\Windows\System32\ssqNHyax.dll
2008-05-19 10:29 5,642 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-05-18 20:36 --------- d-----w C:\Program Files\THQ
2008-05-18 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 14:52 --------- d-----w C:\Users\Garry\AppData\Roaming\Corel
2008-05-14 14:43 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-14 14:41 --------- d-----w C:\Program Files\Corel
2008-05-14 10:43 --------- d-----w C:\Program Files\Windows Mail
2008-05-13 13:52 --------- d-----w C:\Program Files\Yamp 2.3
2008-04-29 22:46 691,545 ----a-w C:\Windows\unins000.exe
2008-04-15 12:07 --------- d-----w C:\ProgramData\EPSON
2008-04-15 11:43 --------- d-----w C:\Program Files\epson
2008-04-04 13:26 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-04 13:26 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-13 18:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-10-13 17:54 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
2008-05-20 10:25 58368 --a------ C:\Windows\system32\ssqNHyax.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 20:31 1637312]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:37 21898024]
"EPSON Stylus DX4400 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-01-25 07:00 179200]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]
"cmds"="C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll" [2008-06-03 11:19 373248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 19:57 3784704 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 20:00 815104]
"Acer Tour"="" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-20 21:50 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-20 21:50 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-20 21:50 81920]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 02:58 464168]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-12-21 01:02 659456]
"eRecoveryService"="" []
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-01-14 19:38 151552]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 03:31 36352]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00 203264]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"pdfSaver3"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 08:53 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]
"MSServer"="C:\Windows\system32\ssqNHyax.dll" [2008-05-20 10:25 58368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 18:04 219136]

C:\Users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"= C:\Windows\system32\ssqNHyax.dll [2008-05-20 10:25 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-24 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\DVWIZA~1\Kernel\Burner\MKDMP3Enc.ACM
"wave1"= ctmm32.dll
"midi1"= ctmm32.dll
"mixer1"= ctmm32.dll
"midi2"= ctsyn32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1990356-814B-4F86-B2DC-14464FAD9AE5}"= UDP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2B755953-EFE3-41CF-9C65-416CBCFDC842}"= TCP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{DF10B9AE-A742-4E36-AD58-DC079F98D0C9}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys [2007-01-03 02:59]
R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys [2007-01-03 02:59]
R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys [2007-01-03 02:59]
R1 CTSYN;Creative S/W Synth;C:\Windows\system32\drivers\CTSYN.SYS [1999-06-16 02:00]
R2 eDataSecurity Service;eDataSecurity Service;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [2007-01-03 02:58]
R2 eNet Service;eNet Service;C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-12-29 04:07]
R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-01-03 00:46]
R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 20:57]
R2 WMIService;ePower Service;C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-01-02 17:33]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 18:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 10:06]
R3 Cam5607;Acer OrbiCam;C:\Windows\system32\Drivers\BisonC07.sys [2005-11-29 23:20]
R3 moufiltr;Mouse Filter;C:\Windows\system32\DRIVERS\moufiltr.sys [2007-01-09 09:22]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 17:44]
S3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2006-11-02 08:30]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-12-19 20:18]
S3 KMWDFilter;KMWDFilter;C:\Windows\System32\Drivers\KMWDFilter.SYS [2007-02-13 07:42]
S3 n558;N558 Bluetooth USB Filter Driver;C:\Windows\system32\Drivers\n558.sys [2007-08-15 07:27]
S3 USB_NDIS_51;USB Ndis Cable Modem Network Device Driver;C:\Windows\system32\DRIVERS\bcmndis.sys [2007-07-09 06:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74eb9dd2-e5f6-11dc-9a85-0016d354dfda}]
\shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 21:47:50 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 16:17:44
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-04 16:18:57
ComboFix-quarantined-files.txt 2008-06-04 15:18:37

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

167 --- E O F --- 2008-05-30 02:02:47

and a new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34, on 2008-06-05
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Users\Garry\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wermgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {81AA6A16-B8CA-43C4-A347-A487764FF528} - C:\Windows\system32\ssqNHyax.dll (file missing)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\Windows\TEMP\E_S9CFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9759 bytes

Garry.

by **DJGarry** » June 5th, 2008, 10:37 am

Got a few messages on the blue text box when ComboFix ran.

Now got a Cannot find message text for ...................... something or other.
Wasn't on screen long enough to see it all.

Also messages about using administrator something.........
Is this is because I'm just dragging and dropping the file over, ComboFix is not running 'as aministrator' ???

by **chryssi2001** » June 5th, 2008, 12:52 pm

Hi, the latest Combofix you run in safe mode doesn't show that the CF-Script was used, because no infections were again removed.

Delete the CF-Script you saved.

Re-Create CF-Script and be sure you save it exactly as per my instructions.

Then repeat the whole procedure.
I made a small change at the CF-Script, i will remove the link to this thread and changed it so it will not need to create a zip file to send the infected files.

Try it and let's see if it will work.
Othewise i will have to ask Combofix creator.
Combofix doesn't need to run as administrator.

If you see message about administrator, try to write down or remember exactly what it says.

by **DJGarry** » June 5th, 2008, 2:34 pm

Ran ComboFix in safe mode using the text from the post earlier (that you said you ammended) and the blue window opened and it said:

The system cannto find message text for number 0x8 in the message file or System.

Access denied.
Administration permissions are needed to use the selected opions.
Use administration command prompt to complete these tasks.

The system cannot find message text for number 0x8 in the message file or System.

Access denied.
Administration permissions are needed to use the selected opions.
Use administration command prompt to complete these tasks.

Creating access point.............

Combo fix then runs for a few seconds and then the laptop reboots to desktop but with message from Data Execution Prevention that it's closed Windows Explorer to protect my computer.

There doesn't seem to have been a ComboFix5.txt created either.

Do you still want any logs from this or do you need to check with ComboFix about it first????

Garry

Free Malware Removal Forum

New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Re: New Hijackthis log for your help please

Who is online