Registered User
Join Date: Apr 2009
Posts: 2
OS: vista business
smartbizsearch problems, combofix and hijack log
Hi all, I picked up the smartbizsearch virus. I've run ComboFix and it has fixed a lot of problems, but... I'm still randomly being directed to "relative" websites when clicking links.
Got the ComboFix log here. Any help much appreciated. Thanks.

ComboFix 09-04-23.06 - AndyG 23/04/2009 10:55.1 - NTFSx86
Microsoft® Windows Vista Business 6.0.6001.1.1252.44.1033.18.3062.2169 [GMT 1:00]
Running from: c:\users\andyg.HQ\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-2-6-91-100010520-100002727-100010054-3463.com
c:\windows\system32\drivers\gxvxcrcpvjffcxevvydpiodnsppuicxwxtkww.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcswywysjrooemiemmeptpvnshdehnfran.dll
c:\windows\Temp\log.txt
D:\Autorun.inf
d:\recycler\S-2-6-91-100010520-100002727-100010054-3463.com
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_GXVXCSERV.SYS

(((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-23 08:38 . 2009-04-23 08:39 -------- d-----w c:\users\All Users\Lavasoft
2009-04-23 08:38 . 2009-04-23 08:39 -------- d-----w c:\programdata\Lavasoft
2009-04-22 13:27 . 2009-04-22 13:27 36864 --sh--r c:\windows\system32\rundll71.exe
2009-04-15 17:54 . 2008-12-06 04:42 376832 ----a-w c:\windows\system32\winhttp.dll
2009-04-15 17:54 . 2008-06-06 03:27 38912 ----a-w c:\windows\system32\xolehlp.dll
2009-04-15 17:54 . 2008-06-06 03:27 562176 ----a-w c:\windows\system32\msdtcprx.dll
2009-04-15 17:54 . 2009-03-03 04:46 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-15 17:54 . 2009-03-03 04:46 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-15 17:54 . 2009-03-03 04:39 551424 ----a-w c:\windows\system32\rpcss.dll
2009-04-15 17:54 . 2009-03-03 03:04 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-04-15 17:54 . 2009-03-03 04:39 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-04-14 15:11 . 2009-04-14 15:11 -------- d-----w c:\users\Public\CyberLink
2009-04-14 15:11 . 2009-04-14 15:11 -------- d-----w c:\users\All Users\CyberLink
2009-04-14 15:11 . 2009-04-14 15:11 -------- d-----w c:\programdata\CyberLink
2009-04-14 15:11 . 2009-04-14 15:11 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\CyberLink
2009-04-06 15:29 . 2009-04-06 15:33 13030 ----a-w C:\PDOXUSRS.NET
2009-04-06 14:43 . 2009-04-06 14:43 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\tmssoftware
2009-04-06 10:44 . 2009-04-23 09:49 -------- d-----w c:\users\All Users\Babylon
2009-04-06 10:44 . 2009-04-23 09:49 -------- d-----w c:\programdata\Babylon
2009-04-06 10:44 . 2009-04-16 02:15 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\Babylon
2009-04-06 09:49 . 2006-12-11 20:12 176235 ----a-w c:\windows\system32\Primomonnt.dll
2009-04-06 09:49 . 2009-04-06 09:49 -------- d-----w c:\windows\PrimoPDF4
2009-04-02 11:23 . 2009-04-02 11:23 -------- d-----w C:\Tools
2009-04-02 11:11 . 2009-04-02 11:11 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\QualityCentral
2009-04-02 08:02 . 2009-04-02 08:02 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\GExperts
2009-04-02 07:58 . 2009-04-02 07:58 425472 ----a-w c:\windows\system32\vclZipForged11.bpl
2009-04-02 07:58 . 2009-04-02 07:58 432640 ----a-w c:\windows\system32\vclZipForged9.bpl
2009-04-02 07:58 . 2009-04-02 07:58 425472 ----a-w c:\windows\system32\vclZipForged10.bpl
2009-04-02 07:58 . 2009-04-02 07:58 446976 ----a-w c:\windows\system32\vclZipForged6.bpl
2009-04-02 07:58 . 2009-04-02 07:58 438784 ----a-w c:\windows\system32\vclZipForged7.bpl
2009-04-02 07:58 . 2009-04-02 07:58 432640 ----a-w c:\windows\system32\vclZipForged5.bpl
2009-04-02 07:58 . 2009-04-02 07:58 431616 ----a-w c:\windows\system32\vclZipForged4.bpl
2009-04-02 07:58 . 2009-04-02 07:58 465408 ----a-w c:\windows\system32\vclZipForgeb6.bpl
2009-04-02 07:58 . 2009-04-02 07:58 354304 ----a-w c:\windows\system32\vclZipForgeb5.bpl
2009-04-02 07:58 . 2009-04-02 07:58 354304 ----a-w c:\windows\system32\vclZipForgeb4.bpl
2009-04-02 07:56 . 2009-02-17 11:13 419640 ----a-w c:\windows\system32\TsiLang_Common.dll
2009-04-02 07:56 . 2009-02-19 16:17 600064 ----a-w c:\windows\system32\TsiLang_2009r.bpl
2009-04-02 07:56 . 2009-02-19 16:17 586752 ----a-w c:\windows\system32\TsiLang_2007r.bpl
2009-04-02 07:56 . 2009-02-19 16:17 583680 ----a-w c:\windows\system32\TsiLang_BDS2006r.bpl
2009-04-02 07:56 . 2009-02-19 16:17 582144 ----a-w c:\windows\system32\TsiLang_D2005r.bpl
2009-04-01 15:26 . 2009-04-23 09:49 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\Skype
2009-04-01 15:25 . 2009-04-01 15:25 -------- d-----w c:\users\All Users\Skype
2009-04-01 15:25 . 2009-04-01 15:25 -------- d-----w c:\programdata\Skype
2009-04-01 14:52 . 2009-04-01 14:55 -------- d--h--w c:\users\All Users\{BB9698C8-6CDB-4A48-90AB-23351A9EB3D0}
2009-04-01 14:52 . 2009-04-01 14:55 -------- d--h--w c:\programdata\{BB9698C8-6CDB-4A48-90AB-23351A9EB3D0}
2009-04-01 14:46 . 2009-04-01 14:46 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\Borland
2009-04-01 14:39 . 2009-04-17 14:07 -------- d-----w c:\users\All Users\CodeGear
2009-04-01 14:39 . 2009-04-17 14:07 -------- d-----w c:\programdata\CodeGear
2009-04-01 14:25 . 2009-04-01 14:25 -------- d-----w c:\windows\system32\1033
2009-04-01 14:21 . 2009-04-01 14:52 -------- d--h--w c:\users\All Users\{B59CE2E6-B15A-4F23-BD0E-72BF2ADDC3C7}
2009-04-01 14:21 . 2009-04-01 14:52 -------- d--h--w c:\programdata\{B59CE2E6-B15A-4F23-BD0E-72BF2ADDC3C7}
2009-03-26 13:31 . 2009-03-26 13:32 -------- d-----w c:\users\andyg.HQ\NTI-Shadow
2009-03-26 08:42 . 2009-03-26 08:42 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\HDRsoft
2009-03-26 08:41 . 2009-04-01 14:52 -------- d-----w c:\users\andyg.HQ\AppData\Local\ApplicationHistory
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-04-23 09:54 . 2009-02-06 11:57 -------- d-----w c:\programdata\AM
2009-04-23 08:38 . 2009-04-23 08:38 -------- d-----w c:\program files\Lavasoft
2009-04-23 08:37 . 2009-04-23 08:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-23 08:33 . 2009-01-27 08:43 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\CoreFTP
2009-04-22 14:29 . 2009-01-07 09:59 2828 --sha-w c:\users\All Users\KGyGaAvL.sys
2009-04-22 14:29 . 2009-01-07 09:59 2828 --sha-w c:\programdata\KGyGaAvL.sys
2009-04-22 11:23 . 2009-02-06 09:15 -------- d-----w c:\users\andyg.HQ\AppData\Roaming\LPC
2009-04-22 11:22 . 2009-02-06 09:15 -------- d-----w c:\program files\Link Popularity Check
2009-04-22 07:33 . 2009-01-08 11:43 2828 --sha-w c:\windows\System32\KGyGaAvL.sys
2009-04-21 07:30 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-21 07:30 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-16 02:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-16 02:04 . 2008-03-27 11:52 -------- d-----w c:\programdata\Microsoft Help
2009-04-09 13:36 . 2008-08-19 18:03 -------- d-----w c:\program files\Launch Manager
2009-04-06 09:49 . 2009-04-06 09:49 -------- d-----w c:\program files\activePDF
2009-04-03 02:00 . 2009-04-03 02:00 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-02 07:58 . 2009-04-02 07:58 -------- d-----w c:\program files\ComponentAce
2009-04-02 07:55 . 2009-04-02 07:55 -------- d-----w c:\program files\SiComponents
2009-04-02 07:53 . 2009-04-02 07:53 -------- d-----w c:\program files\ProLib
2009-04-02 07:52 . 2009-04-02 07:52 -------- d-----w c:\program files\GExperts for Delphi 2007
2009-04-01 15:25 . 2009-04-01 15:25 -------- d-----r c:\program files\Skype
2009-04-01 14:46 . 2009-04-01 14:46 -------- d-----w c:\program files\Common Files\CodeGear Shared
2009-04-01 14:46 . 2009-04-01 14:46 -------- d-----w c:\program files\CodeGear
2009-04-01 14:45 . 2009-04-01 14:45 -------- d-----w c:\program files\Common Files\Borland Shared
2009-04-01 14:28 . 2009-01-06 15:48 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-01 13:03 . 2009-04-01 13:03 -------- d-----w c:\program files\Babylon
2009-03-26 08:37 . 2009-03-26 08:36 -------- d-----w c:\program files\PhotomatixPro3
2009-03-20 03:06 . 2008-03-27 11:58 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-17 03:38 . 2009-04-15 17:53 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 17:53 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 17:53 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-16 13:40 . 2009-01-23 08:49 -------- d-----w c:\programdata\PC Suite
2009-03-03 04:40 . 2009-04-15 17:53 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-15 17:53 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:37 . 2009-04-15 17:53 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 17:53 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 17:53 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:37 . 2009-04-15 17:53 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 02:38 . 2009-04-15 17:53 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-15 17:53 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-02-19 10:24 . 2009-02-19 10:24 410984 ----a-w c:\windows\System32\deploytk.dll
2009-02-13 08:49 . 2009-04-15 17:53 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-15 17:53 1255936 ----a-w c:\windows\System32\lsasrv.dll
2009-02-12 14:30 . 2009-02-06 11:57 56320 ----a-w c:\windows\System32\dpexsvc.exe
2009-02-09 03:10 . 2009-03-11 05:27 2033152 ----a-w c:\windows\System32\win32k.sys
2009-02-06 15:14 . 2009-02-06 11:58 1588 ---ha-w c:\users\All Users\amprm.dat
2009-02-06 15:14 . 2009-02-06 11:58 1588 ---ha-w c:\programdata\amprm.dat
2009-02-06 11:58 . 2009-02-06 11:58 16 ----a-w c:\users\All Users\amguid.dat
2009-02-06 11:58 . 2009-02-06 11:58 16 ----a-w c:\programdata\amguid.dat
2009-01-28 15:09 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-01-07 09:59 . 2009-01-07 09:59 8 --sh--r c:\users\All Users\F172C249AA.sys
2009-01-07 09:59 . 2009-01-07 09:59 8 --sh--r c:\programdata\F172C249AA.sys
2009-01-06 14:50 . 2009-01-06 14:50 8224 ----a-w c:\users\andyg.HQ\AppData\Local\GDIPFONTCACHEV1.DAT
2009-01-06 14:16 . 2009-01-06 14:16 99864 ---ha-w c:\users\andyg\AppData\Local\GDIPFONTCACHEV1.DAT
2008-08-20 08:31 . 2009-02-06 11:58 674 ----a-w c:\users\All Users\awmsg.dat
2008-08-20 08:31 . 2009-02-06 11:58 674 ----a-w c:\programdata\awmsg.dat
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-01-08 11:43 . 2009-01-08 11:43 8 --sh--r c:\windows\System32\F172C249AA.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-20 4608]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"Hotfix-KB5504305"="c:\windows\system32\rundll71.exe" [2009-04-22 36864]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Hotfix-KB5504305"="c:\windows\system32\rundll71.exe" [2009-04-22 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-02 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-02 150552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 148888]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2009-03-17 3959696]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"Hotfix-KB5504305"="c:\windows\system32\rundll71.exe" [2009-04-22 36864]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-08 4853760]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-29 739880]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-27 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Hotfix-KB5504305 REG_SZ c:\windows\system32\rundll71.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3614102300-1172673286-3776432725-1138]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2A6E9F01-30AE-4C9A-B18B-885213A4DAB3}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{9EE9E4DE-2CED-441A-9223-D0B1B8B6A916}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{EEED4CD2-4F5B-4691-A0DF-986D30A2C8CC}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{E2281A54-CFB6-434F-B355-06877E6925C7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{65A1C94D-5485-42C0-BA5F-EC02C6C2305A}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{245BC6E6-8710-4B72-A7FB-628785E5EDB2}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{32626552-EA87-4A1D-A824-7156CE99CC59}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0DD2A3A6-A7B9-474E-9149-A820CE7EEA7C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D67DA225-3C47-487C-9626-1ADD3157304E}"= UDP:5353:Adobe CSI CS4
"{DDC8BBA1-E741-466D-BDDB-4ABA86339D4D}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{63468399-B48F-40EC-8D7A-5F7366F7E275}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{9BFE7655-FF23-4F89-A05A-03FB3233B9C5}"= TCP:15164:AM Agent
"{0148B915-C116-421F-951A-56C9849CA780}"= TCP:15164:AM Agent
"TCP Query User{0DDADF07-8856-47BE-824E-8F4D1A4AB2F6}c:\\program files\\microsoft office\\office12\\outlook.exe"= UDP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"UDP Query User{519F5EAF-E8C8-4043-A26F-6273D01C27A7}c:\\program files\\microsoft office\\office12\\outlook.exe"= TCP:c:\program files\microsoft office\office12\outlook.exe:Microsoft Office Outlook
"{223C8D69-EAF4-44D7-A41E-87DA94B920B1}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-05-18 28464]
R3 WisINT15;WisINT15; [x]
S2 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\5.0\bin\BSQLServer.exe [2007-12-11 65536]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S2 Samsvc;Samsvc;c:\program files\SoftActivity\AMSys\amsvc.exe [2008-12-22 144248]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
S3 SAgentDriver;SAgent Driver;c:\program files\SoftActivity\AMSys\sagendrv.sys [2008-11-26 31088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4902cc74-1eca-11de-b292-000000000000}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe17ae92-e85f-11dd-82ee-001d72c8ac74}]
\shell\AutoRun\command - F:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe17ae9a-e85f-11dd-82ee-001d72c8ac74}]
\shell\AutoRun\command - F:\StartVMCLite.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://gate.codel.co.uk/MLWebCacheCleaner.cab
DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} - hxxps://gate.codel.co.uk/NGVPNTunnel.cab
FF - ProfilePath - c:\users\andyg.HQ\AppData\Roaming\Mozilla\Firefox\Profiles\875otthy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Search the web
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 10:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\ovfsthxlxivtpwx.sys 83456 bytes executable
c:\users\andyg.HQ\AppData\Local\Temp\gxvxc000 0 bytes
c:\windows\system32\ovfsthxgedcppnv.dll 18432 bytes executable
c:\windows\system32\ovfsthxiumvqjbt.dat 225425 bytes
c:\windows\system32\ovfsthxknxlahdl.dll 18432 bytes executable
c:\windows\system32\ovfsthxpterjntq.dll 60928 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcdcsgbpcbpqmgqibdwwjvosoeybdysspw.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthximuiobex]
"imagepath"="\systemroot\system32\drivers\ovfsthxlxivtpwx.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcdcsgbpcbpqmgqibdwwjvosoeybdysspw.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-04-23 11:01
ComboFix-quarantined-files.txt 2009-04-23 10:01

Pre-Run: 30,513,373,184 bytes free
Post-Run: 30,445,379,584 bytes free

309 --- E O F --- 2009-04-16 02:09

And this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:58, on 23/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\andyg.HQ\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Hotfix-KB5504305] C:\Windows\system32\rundll71.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Hotfix-KB5504305] C:\Windows\system32\rundll71.exe
O4 - HKCU\..\RunServices: [Hotfix-KB5504305] C:\Windows\system32\rundll71.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) - https://gate.codel.co.uk/MLWebCacheCleaner.cab
O16 - DPF: {DD5E6739-FDD6-4542-8940-4A4B8AB5276E} (NGVPLaunch Class) - https://gate.codel.co.uk/NGVPNTunnel.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.local
O17 - HKLM\Software\..\Telephony: DomainName = hq.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hq.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BlackfishSQL - CodeGear - C:\Program Files\CodeGear\RAD Studio\5.0\bin\BSQLServer.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Samsvc - Unknown owner - C:\Program Files\SoftActivity\AMSys\amsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10554 bytes
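An added example, not part of the original post and not code from ComboFix or HijackThis: a small Python script that applies, to a handful of O4 and catchme lines copied from the logs above, the checks an analyst makes by eye when reading such a log. The rule set, the thresholds and the `looks_random` heuristic are this example's own assumptions, not a signature database; the sample lines are quoted from the post, with the benign `SynTPStart` and `Skype` entries kept as controls.

```python
"""Triage heuristics for the autostart (O4) and catchme hidden-file
sections of a HijackThis / ComboFix log.

Added example; not from the original post.  The rules encode what a
human reader checks, and the thresholds in looks_random() are
assumptions tuned on the names in this log, not authoritative values.
"""
import re
from collections import defaultdict

# HijackThis O4 lines copied from the post; first and third are benign controls.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Hotfix-KB5504305] C:\Windows\system32\rundll71.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Hotfix-KB5504305] C:\Windows\system32\rundll71.exe
O4 - HKCU\..\RunServices: [Hotfix-KB5504305] C:\Windows\system32\rundll71.exe
"""

# catchme "hidden files" lines copied from the ComboFix section of the post.
SAMPLE_HIDDEN = r"""
c:\windows\system32\drivers\ovfsthxlxivtpwx.sys 83456 bytes executable
c:\users\andyg.HQ\AppData\Local\Temp\gxvxc000 0 bytes
c:\windows\system32\ovfsthxgedcppnv.dll 18432 bytes executable
c:\windows\system32\ovfsthxiumvqjbt.dat 225425 bytes
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HIDDEN_RE = re.compile(
    r"^(?P<path>[a-zA-Z]:\\.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_random(stem: str) -> bool:
    """Machine-generated-name heuristic (assumption): at least 12 letters,
    under 30% vowels, and a consonant run of 5 or more (y counts as a
    consonant).  Real product names such as printfilterpipelinesvc pass."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 12:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.30 and longest_run >= 5


def triage_o4(text: str) -> dict:
    """Return {value name: {"cmd": ..., "reasons": [...]}} for O4 entries
    that trip at least one rule; entries tripping none are omitted."""
    entries = [m.groupdict() for m in (O4_RE.match(l.strip()) for l in text.splitlines()) if m]
    locations = defaultdict(set)  # value name -> {(hive, key)} it is registered under
    for e in entries:
        locations[e["name"]].add((e["hive"], e["key"]))

    flagged = {}
    for e in entries:
        reasons = []
        exe_m = EXE_RE.search(e["cmd"])
        exe = basename(exe_m.group("exe")) if exe_m else ""
        if re.match(r"^Hotfix-KB\d+", e["name"], re.IGNORECASE):
            reasons.append("Windows hotfixes do not install Run entries")
        if e["key"].lower() == "runservices":
            reasons.append("RunServices is a Windows 9x key; unused by NT-based Windows")
        if re.match(r"^rundll(?!32\.exe$)\d+\.exe$", exe, re.IGNORECASE):
            reasons.append("only rundll32.exe is a Windows component")
        if len(locations[e["name"]]) >= 3:
            reasons.append("same value registered in %d autostart locations" % len(locations[e["name"]]))
        if looks_random(exe.rsplit(".", 1)[0]):
            reasons.append("random-looking executable name")
        if reasons:
            slot = flagged.setdefault(e["name"], {"cmd": e["cmd"], "reasons": []})
            slot["reasons"].extend(r for r in reasons if r not in slot["reasons"])
    return flagged


def triage_hidden(text: str) -> list:
    """Return (path, size, is_executable, reasons) for each catchme hidden file."""
    out = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        name = basename(m.group("path"))
        reasons = ["hidden from the Windows API"]
        if m.group("exe"):
            reasons.append("executable")
        if looks_random(name.rsplit(".", 1)[0]):
            reasons.append("random-looking name")
        if "\\drivers\\" in m.group("path").lower():
            reasons.append("kernel driver directory")
        out.append((m.group("path"), int(m.group("size")), bool(m.group("exe")), reasons))
    return out


if __name__ == "__main__":
    for name, info in triage_o4(SAMPLE_O4).items():
        print(name, "->", info["cmd"])
        for r in info["reasons"]:
            print("   *", r)
    for path, size, _, reasons in triage_hidden(SAMPLE_HIDDEN):
        print(path, size, "bytes:", "; ".join(reasons))
```

Run directly it prints only the `Hotfix-KB5504305` entry and the four hidden files. The point is which facts make that entry stand out: a name that mimics a Windows hotfix, a binary named like `rundll32.exe` that is not it, the same value registered in three autostart locations including the unused `RunServices` key, and, in the catchme section, executables with generated names sitting in `system32\drivers`. None of these is proof on its own; together they are why an analyst treats the entry as the infection rather than as a hotfix, and why a rootkit that hides files from the Windows API has to be dealt with from outside the running system rather than by deleting the Run value alone.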