Re: ucleaner

New HijackThis (HJT) log below; the ComboFix log is attached (and pasted below for reference).

ComboFix 08-03-24.1 - mstratman 2008-04-01 11:44:58.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.345 [GMT 9.5:30]
Running from: C:\Documents and Settings\mstratman.RMGPL\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mstratman.RMGPL\Desktop\Privacy Protector.url
C:\WINNT\dwnrpofk.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-04-01 11:45 . 08-04-01 11:45 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_30c.dat
2008-04-01 07:39 . 08-04-01 07:39 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_320.dat
2008-03-31 12:00 . 08-03-31 12:00 94,208 --a------ C:\WINNT\system32\betkdotc.exe
2008-03-30 09:55 . 08-03-30 09:55 <DIR> d-------- C:\WINNT\Favorites
2008-03-25 11:35 . 08-03-25 11:35 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_32c.dat
2008-03-25 11:33 . 08-03-25 11:33 <DIR> d-------- C:\Deckard
2008-03-25 11:32 . 08-03-25 10:02 686,630 --a------ C:\Program Files\dss.exe
2008-03-25 07:45 . 08-03-25 07:45 0 --a------ C:\si0.1k
2008-03-24 18:25 . 08-03-24 18:25 <DIR> d-------- C:\DrWatson
2008-03-24 18:25 . 08-03-24 18:25 16,384 --a------ C:\WINNT\system32\Perflib_Perfdata_b08.dat
2008-03-24 11:40 . 08-03-24 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yfmrqhsn
2008-03-24 11:39 . 08-03-24 10:41 270,336 --a------ C:\WINNT\vbgtorfd.dll
2008-03-24 11:39 . 08-03-24 10:41 249,856 --a------ C:\WINNT\kdftlboepta.dll
2008-03-24 11:39 . 08-03-24 10:41 94,208 --a------ C:\WINNT\norlatmx.exe
2008-03-17 18:13 . 08-03-24 11:42 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-17 18:13 . 08-03-17 18:13 1,409 --a------ C:\WINNT\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 00:18 25,755,448 ----a-w C:\wmp11-windowsxp-x86-enu.exe
2007-01-12 06:52 92,064 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmmdm.sys
2007-01-12 06:52 9,232 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmmdfl.sys
2007-01-12 06:52 79,328 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmserd.sys
2007-01-12 06:52 66,656 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmbus.sys
2007-01-12 06:52 6,208 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmcmnt.sys
2007-01-12 06:52 5,936 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmwhnt.sys
2007-01-12 06:52 4,048 ----a-w C:\Documents and Settings\mstratman.RMGPL\mqdmcr.sys
2007-01-12 06:52 25,600 ----a-w C:\Documents and Settings\mstratman.RMGPL\usbsermptxp.sys
2007-01-12 06:52 22,768 ----a-w C:\Documents and Settings\mstratman.RMGPL\usbsermpt.sys
2006-06-13 08:29 1,023,486 ----a-w C:\Documents and Settings\mstratman.RMGPL\speakers.zip
2005-05-01 23:44 21,848,504 ----a-w C:\Program Files\iTunesSetup.exe
2002-06-19 05:00 271 ---h--w C:\Program Files\desktop.ini
2002-06-19 05:00 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 13:30 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2004-10-25 03:30 56 --sh--r C:\WINNT\system32\C2095087DE.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55}]
08-03-24 10:41 249856 --a------ C:\WINNT\kdftlboepta.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 313472]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [05-11-15 19:44 1200128]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]
"pqpohocu"="C:\WINNT\system32\yvgnufaf.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"NeroCheck"="C:\WINNT\System32\\NeroCheck.exe" [01-07-09 20:20 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-05-02 09:16 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-07-05 12:58 180269]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [05-06-24 15:16 278528]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07-03-29 09:10 394952]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [05-06-21 16:48 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [05-06-21 16:44 126976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [01-05-08 23:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\mstratman.APG\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-07-16 17:25:05 106560]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"uJLNy1DPOi"= C:\Documents and Settings\All Users\Application Data\yfmrqhsn\qrivizyb.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DrvDrive"= {e56e9ea8-ae04-4f5d-b581-d8b783fc0a16} - C:\WINNT\Installer\{e56e9ea8-ae04-4f5d-b581-d8b783fc0a16}\DrvDrive.dll [08-03-24 11:39 14378]
"zip"= {dd76a9ab-b5d8-4f1d-94d6-20829530a33a} - C:\WINNT\Installer\{dd76a9ab-b5d8-4f1d-94d6-20829530a33a}\zip.dll [08-03-24 11:39 23202]
"vbgtorfd"= {3153A3B8-DF57-45DC-9A23-E0D23DC05913} - C:\WINNT\vbgtorfd.dll [08-03-24 10:41 270336]
"dwnrpofk"= {3F795C44-FCF6-4E4C-82F9-3D6D3257C006} - C:\WINNT\dwnrpofk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll 05-11-15 19:44 7168 C:\WINNT\system32\WcesWlgn.dll

R3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys [05-10-25 09:02 ]
R3 usbhub20;USB Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 11:47:33
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 11:48:13
ComboFix-quarantined-files.txt 2008-04-01 02:18:12
.
2008-02-04 23:53:48 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56, on 2008-04-01
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\All Users\Application Data\yfmrqhsn\qrivizyb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GNX Bingo - {B2DCA34E-9D1C-4EDA-A1BE-C24D1B4AAE55} - C:\WINNT\kdftlboepta.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [pqpohocu] C:\WINNT\system32\yvgnufaf.exe
O4 - HKLM\..\Policies\Explorer\Run: [uJLNy1DPOi] C:\Documents and Settings\All Users\Application Data\yfmrqhsn\qrivizyb.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.boral.com.au/OutdoorDesignGuide/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://www.cit.org.au/crystalreportv...iveXViewer.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rmgpl.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rmgpl.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = rmgpl.local
O21 - SSODL: DrvDrive - {e56e9ea8-ae04-4f5d-b581-d8b783fc0a16} - C:\WINNT\Installer\{e56e9ea8-ae04-4f5d-b581-d8b783fc0a16}\DrvDrive.dll
O21 - SSODL: zip - {dd76a9ab-b5d8-4f1d-94d6-20829530a33a} - C:\WINNT\Installer\{dd76a9ab-b5d8-4f1d-94d6-20829530a33a}\zip.dll
O21 - SSODL: vbgtorfd - {3153A3B8-DF57-45DC-9A23-E0D23DC05913} - C:\WINNT\vbgtorfd.dll
O21 - SSODL: dwnrpofk - {3F795C44-FCF6-4E4C-82F9-3D6D3257C006} - C:\WINNT\dwnrpofk.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 6758 bytes