Old 08-11-2007, 05:43 AM   #3
AdamH
Registered User
 
Join Date: Aug 2007
Location: Hampshire
Posts: 6
OS: XP


Re: Can't run cmd or taskmgr

Hi, thanks for helping me!

I ran HijackThis, put a check by the ones you said, and clicked 'Fix checked'.

I then downloaded and ran combofix.exe. Below is the scan result:


ComboFix 07-08-11 - "Gerry Hill" 2007-08-11 12:24:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.290 [GMT 1:00]
Command switches used :: /killall
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\vidmon
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\vidmon\vidmon.inf
C:\DOCUME~1\GERRYH~1\MYDOCU~1.\dobe~1
C:\DOCUME~1\GERRYH~1\MYDOCU~1.\dobe~1\?dobe\
C:\DOCUME~1\GERRYH~1\MYDOCU~1.\dobe~1\wuauclt.exe
C:\lswmv.ini
C:\Program Files\Common Files\{30CDC~1
C:\Program Files\Common Files\{30CDC~1\Bar888.dll
C:\Program Files\Common Files\{30CDC~1\UnInstall.exe
C:\Program Files\Common Files\{F0CDC~1
C:\Program Files\Common Files\{F0CDC~2
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\uninstall information\RemoveWebDP.exe
C:\Program Files\inetget2
C:\Program Files\internet optimizer
C:\Program Files\msmovies
C:\Program Files\msmovies\p.zip
C:\Program Files\pedevice
C:\Program Files\pedevice\communication.xml
C:\Program Files\pedevice\Domain.Watchlist.txt
C:\Program Files\pedevice\pae-options.xml
C:\Program Files\pedevice\pae_url.xml
C:\Program Files\pedevice\pedevPS.dll
C:\Program Files\pedevice\search.watchlist.txt
C:\Program Files\pedevice\stat_archive\2007-03-25
C:\Program Files\pedevice\stat_archive\2007-03-26
C:\Program Files\pedevice\statistic.xml
C:\Program Files\pedevice\tmp\last_popup_content.html
C:\Program Files\pedevice\tmp\tmp.html
C:\Program Files\pedevice\watchlist.xml
C:\Program Files\winsupdater
C:\Program Files\winsupdater\a.zip
C:\Program Files\winupdates
C:\WINDOWS\system32\del.bat
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32\vidmon
C:\WINDOWS\uninstall_nmon.vbs


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 12:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 19:19 <DIR> d-------- C:\Deckard
2007-08-10 19:16 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-10 17:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-25 18:59 <DIR> d-------- C:\Program Files\FileDeleter


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 12:20 --------- d-------- C:\Program Files\Hijack This
2007-08-10 18:24 --------- d-------- C:\Program Files\QuickTime
2007-08-10 18:18 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-27 19:35 384 --a------ C:\Program Files\LimeWire.lnk
2007-07-25 19:16 --------- d-------- C:\DOCUME~1\GERRYH~1\APPLIC~1\Google
2007-07-24 20:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-24 20:49 --------- d-------- C:\Program Files\Pool Station Classic
2007-07-24 20:48 --------- d-------- C:\Program Files\NoAdware4
2007-07-24 20:45 --------- d-------- C:\Program Files\Logitech
2007-07-24 18:56 --------- d-------- C:\Program Files\Canon
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-03-05 17:33 774144 --a--c--- C:\Program Files\RngInterstitial.dll
2001-11-23 12:08 712704 --a--c--- C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2005-07-29 16:24:26 472 -csha-r C:\WINDOWS\R2VycnkgSGlsbA\lZpVwB40m35PvE.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-12-18 03:28]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-08-13 20:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-28 13:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

R2 Belkin High-Speed Mode Wireless G USB Network Adapter Service;Belkin High-Speed Mode Wireless G USB Driver;C:\Program Files\Belkin\F5D7051\WLService.exe
R2 CdaC15BA;CdaC15BA;\??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS
R2 enodpl;enodpl;C:\WINDOWS\system32\drivers\enodpl.sys
R2 JiaoCap;JiaoCap, WDM Video Capture for VCDCut;C:\WINDOWS\system32\DRIVERS\JiaoCap.sys
R2 JiaoIO;JiaoIO;\??\C:\WINDOWS\system32\drivers\JiaoIO.sys
R2 MASPINT;MASPINT;C:\WINDOWS\system32\drivers\MASPINT.sys
R2 tandpl;tandpl;C:\WINDOWS\system32\drivers\tandpl.sys
R3 NTIDrvr;Upper Class Filter Driver;C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
R3 SPLITCAM;Splitcam, WDM Camera Stream Splitter;C:\WINDOWS\system32\DRIVERS\splitcam.sys
R3 USB_RNDIS;Belkin High-Speed Mode Wireless G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
R3 USR1806V;U.S. Robotics Voice Modem Driver 1806;C:\WINDOWS\system32\DRIVERS\USR1806V.SYS
S2 TTELL;TTell WDM Video Capture;C:\WINDOWS\system32\DRIVERS\TTell.sys
S2 VirtualCam;VirtualCamera;C:\WINDOWS\system32\DRIVERS\VirtualCam.sys
S3 adxapie;adxapie;\??\C:\DOCUME~1\GERRYH~1\LOCALS~1\Temp\adxapie.sys
S3 alcan5wn;Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
S3 autorun;autorun;\??\C:\huadio.tmp
S3 AVWLP_USB;WLAN PRISM USB Driver;C:\WINDOWS\system32\DRIVERS\AVWLPUSB.sys
S3 BRIDGE;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 DCamUSBSQTECH;Dual-Mode DSC(2770);C:\WINDOWS\system32\Drivers\SQcaptur.sys
S3 dptrackerd;Tracker Driver;C:\WINDOWS\system32\drivers\dptrackerd.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 Nokia USB Port;Nokia USB Port;C:\WINDOWS\system32\drivers\nmwcdcj.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a1db0f8-ffe1-11db-84f8-001150c32749}]
AutoRun\command- index.html

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1e613aa-f8d1-11db-84e8-001150c32749}]
AutoRun\command- index.html


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 12:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 12:34:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 12:34

--- E O F ---

I then ran HijackThis and below are the fresh scan results:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:28, on 11/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanc...instmodule.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mymusic80.spaces.msn.com//Pho...d/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Please let me know if I need to do anything else. Thanks again!

Adam