Tech Support Forum - View Single Post

scunow · 11-30-2007, 04:48 PM

I did the next step and my combofix and hijackthis logs are pasted below.

Also, FYI: while I was running combofix my Symantec AntiVirus popped up and warned me about a threat called Trojan Vundo. It listed a file name:
c:/WINDOWS/system32/rqrrqnl.dll.

Thanks again.

ComboFix 07-11-19.4C - Mr. Cunow 2007-11-30 12:10:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.507 [GMT -8:00]
Running from: C:\Documents and Settings\Mr. Cunow\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mr. Cunow\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\cpnprt2.cid
C:\WINDOWS\system32\jkkifeb.dll
C:\WINDOWS\system32\khfdeca.dll
C:\WINDOWS\system32\rqrrqnl.dll
C:\WINDOWS\system32\uhesgkue.exe
C:\WINDOWS\system32\urqrpqr.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\xxyaxut.dll
C:\WINDOWS\uccspecc.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Coupons
C:\Program Files\Coupons\Coupons.com.url
C:\Program Files\Coupons\uninstall.exe
C:\Program Files\Coupons\Uninstall\IRIMG1.JPG
C:\Program Files\Coupons\Uninstall\IRIMG2.JPG
C:\Program Files\Coupons\Uninstall\IRIMG3.JPG
C:\Program Files\Coupons\Uninstall\IRIMG4.JPG
C:\Program Files\Coupons\Uninstall\IRIMG5.JPG
C:\Program Files\Coupons\Uninstall\IRIMG6.JPG
C:\Program Files\Coupons\Uninstall\IRIMG7.JPG
C:\Program Files\Coupons\Uninstall\IRIMG8.JPG
C:\Program Files\Coupons\Uninstall\uninstall.dat
C:\Program Files\Coupons\Uninstall\uninstall.xml
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AolInstantInstallMMX_Win.mtj
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\WINDOWS\system32\cpnprt2.cid
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\rqrrqnl.dll
C:\WINDOWS\system32\uhesgkue.exe
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\TXIuIEN1bm93
C:\WINDOWS\uccspecc.sys

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-29 20:50 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-29 20:21 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-29 09:30 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-28 00:39 <DIR> d-------- C:\Deckard
2007-11-28 00:36 <DIR> d-------- C:\Program Files\ZonedOut
2007-11-27 15:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-27 15:57 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-27 15:57 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-27 15:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-27 10:48 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-27 10:48 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-27 10:48 991,232 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-27 10:48 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-27 10:48 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-27 10:48 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-27 10:48 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-27 10:48 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-27 10:48 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-14 09:15 <DIR> d-------- C:\Program Files\Pando Networks
2007-10-13 10:40 <DIR> d-------- C:\WINDOWS\Cache
2007-10-11 17:38 178 --a------ C:\handle.dat
2007-10-10 15:30 584,192 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-09 09:31 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2007-10-09 09:31 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2007-10-09 09:31 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2007-10-09 09:31 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2007-10-09 09:31 294,912 -ra------ C:\WINDOWS\system32\hpovst10.dll
2007-10-09 09:31 258,048 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-10-09 09:31 117,760 --a------ C:\WINDOWS\system32\hpzll4v2.dll
2007-10-09 09:30 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-09 09:26 116,092 --a------ C:\WINDOWS\hpoins12.dat
2007-10-09 09:26 1,470 --------- C:\WINDOWS\hpomdl12.dat
2007-10-09 09:22 <DIR> d-------- C:\temp\HP_WebRelease

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 20:37 --------- d-----w C:\Program Files\Symantec Antivirus
2007-11-30 20:07 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\Skype
2007-11-30 04:21 --------- d-----w C:\Program Files\Java
2007-11-28 07:58 --------- d-----w C:\Program Files\TagRename
2007-11-28 07:58 --------- d-----w C:\Program Files\SpywareGuard
2007-11-28 07:55 --------- d-----w C:\Program Files\NZSearch
2007-11-28 07:51 --------- d-----w C:\Program Files\Linksys Wireless-G Music Bridge
2007-11-28 07:50 --------- d-----w C:\Program Files\iTunes
2007-11-28 07:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-28 07:40 --------- d-----w C:\Program Files\Apoint2K
2007-11-28 00:15 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\Viewpoint
2007-11-28 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-27 19:03 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-02 07:05 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\ZoomBrowser EX
2007-11-02 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-24 17:12 --------- d-----w C:\Program Files\AIM6
2007-10-24 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-23 23:02 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\Apple Computer
2007-10-12 06:11 --------- d-----w C:\Program Files\Soulseek
2007-04-01 23:22 73,728 ----a-w C:\Documents and Settings\Mr. Cunow\SetupNI.dll
2006-02-14 18:31 184,808 ----a-w C:\Documents and Settings\Mr. Cunow\Application Data\shb.dat
2005-11-03 04:36 48,504 ----a-w C:\Documents and Settings\Mr. Cunow\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" [2004-11-09 00:29]
"Aim6"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 13:45]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 19:40]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 05:40 C:\WINDOWS\AGRSMMSG.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 09:05]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 23:23]
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 08:21]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:55]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 16:31]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 15:36]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 10:54]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-01 23:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 19:11]
"CmFlywaveName"="C:\WINDOWS\System\CmFlywav.exe" [2005-10-05 10:38]
"Linksys WMB54G Utility"="C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe" [2005-11-22 22:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 15:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 06:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\Mr. Cunow\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 15:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2004-12-04 11:08:28]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 15:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 15:50:52]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48]
C:\WINDOWS\System32\NavLogon.dll 2004-08-02 15:36 83272 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyv.dll

R3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;C:\WINDOWS\system32\drivers\cmudaxv.sys
R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03804255-705b-11dc-9a6e-000fb009b67c}]
\Shell\1\Command - .\System\Memory\autorun.exe
\Shell\2\Command - .\System\Memory\autorun.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\System\Memory\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2005-06-27 21:31:07 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
"2007-11-18 18:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-07-01 13:44:20 C:\WINDOWS\Tasks\iRadio 1.2 task 3.job"
- C:\PROGRA~1\3aLab\iRadio\iRadio.exe
"2005-04-19 13:47:48 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 12:38:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?6?0?5??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 12:41:33 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-29 21:59
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 3:44:51 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System\CmFlywav.exe
C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\HijackThis\Mr. Cunow.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/radio/aod/mainf...d/radio1.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.nyu.edu:8000
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Mr. Cunow\Application Data\Mozilla\Profiles\default\bj26lb4b.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mr. Cunow\Application Data\Mozilla\Profiles\default\bj26lb4b.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093672044250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{451478F6-D9D9-40CF-8E57-EE621B7344BD}: NameServer = 128.122.253.92,128.122.253.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nyu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nyu.edu
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

11-30-2007, 04:48 PM	#5 (permalink)
scunow Registered User Join Date: Nov 2007 Posts: 5 OS: XP	Re: DSS Logs I did the next step and my combofix and hijackthis logs are pasted below. Also, FYI: while I was running combofix my Symantec AntiVirus popped up and warned me about a threat called Trojan Vundo. It listed a file name: c:/WINDOWS/system32/rqrrqnl.dll. Thanks again. ComboFix 07-11-19.4C - Mr. Cunow 2007-11-30 12:10:36.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.507 [GMT -8:00] Running from: C:\Documents and Settings\Mr. Cunow\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Mr. Cunow\Desktop\CFScript.txt FILE C:\WINDOWS\system32\cpnprt2.cid C:\WINDOWS\system32\jkkifeb.dll C:\WINDOWS\system32\khfdeca.dll C:\WINDOWS\system32\rqrrqnl.dll C:\WINDOWS\system32\uhesgkue.exe C:\WINDOWS\system32\urqrpqr.dll C:\WINDOWS\system32\vybeg.ini C:\WINDOWS\system32\vybeg.ini2 C:\WINDOWS\system32\xxyaxut.dll C:\WINDOWS\uccspecc.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Coupons C:\Program Files\Coupons\Coupons.com.url C:\Program Files\Coupons\uninstall.exe C:\Program Files\Coupons\Uninstall\IRIMG1.JPG C:\Program Files\Coupons\Uninstall\IRIMG2.JPG C:\Program Files\Coupons\Uninstall\IRIMG3.JPG C:\Program Files\Coupons\Uninstall\IRIMG4.JPG C:\Program Files\Coupons\Uninstall\IRIMG5.JPG C:\Program Files\Coupons\Uninstall\IRIMG6.JPG C:\Program Files\Coupons\Uninstall\IRIMG7.JPG C:\Program Files\Coupons\Uninstall\IRIMG8.JPG C:\Program Files\Coupons\Uninstall\uninstall.dat C:\Program Files\Coupons\Uninstall\uninstall.xml C:\Program Files\Viewpoint C:\Program Files\Viewpoint\Viewpoint Media Player\AolInstantInstallMMX_Win.mtj C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C.dll C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt C:\WINDOWS\system32\cpnprt2.cid C:\WINDOWS\system32\gebyv.dll C:\WINDOWS\system32\rqrrqnl.dll C:\WINDOWS\system32\uhesgkue.exe C:\WINDOWS\system32\vybeg.ini C:\WINDOWS\system32\vybeg.ini2 C:\WINDOWS\TXIuIEN1bm93 C:\WINDOWS\uccspecc.sys . ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 ))))))))))))))))))))))))))))))) . 2007-11-29 20:50 <DIR> d-------- C:\WINDOWS\ERUNT 2007-11-29 20:21 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2007-11-29 09:30 143 --a------ C:\WINDOWS\system32\mcrh.tmp 2007-11-28 00:39 <DIR> d-------- C:\Deckard 2007-11-28 00:36 <DIR> d-------- C:\Program Files\ZonedOut 2007-11-27 15:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico 2007-11-27 15:57 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2007-11-27 15:57 1,406 --a------ C:\WINDOWS\system32\Help.ico 2007-11-27 15:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2007-11-27 10:48 6,058,496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll 2007-11-27 10:48 2,455,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dat 2007-11-27 10:48 991,232 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2007-11-27 10:48 459,264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll 2007-11-27 10:48 383,488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll 2007-11-27 10:48 267,776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll 2007-11-27 10:48 63,488 --a------ C:\WINDOWS\system32\dllcache\icardie.dll 2007-11-27 10:48 52,224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2007-11-27 10:48 13,824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe 2007-10-14 09:15 <DIR> d-------- C:\Program Files\Pando Networks 2007-10-13 10:40 <DIR> d-------- C:\WINDOWS\Cache 2007-10-11 17:38 178 --a------ C:\handle.dat 2007-10-10 15:30 584,192 --a------ C:\WINDOWS\system32\dllcache\rpcrt4.dll 2007-10-09 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard 2007-10-09 09:31 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll 2007-10-09 09:31 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll 2007-10-09 09:31 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll 2007-10-09 09:31 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll 2007-10-09 09:31 294,912 -ra------ C:\WINDOWS\system32\hpovst10.dll 2007-10-09 09:31 258,048 -ra------ C:\WINDOWS\system32\hpzids01.dll 2007-10-09 09:31 117,760 --a------ C:\WINDOWS\system32\hpzll4v2.dll 2007-10-09 09:30 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2007-10-09 09:26 116,092 --a------ C:\WINDOWS\hpoins12.dat 2007-10-09 09:26 1,470 --------- C:\WINDOWS\hpomdl12.dat 2007-10-09 09:22 <DIR> d-------- C:\temp\HP_WebRelease . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-30 20:37 --------- d-----w C:\Program Files\Symantec Antivirus 2007-11-30 20:07 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\Skype 2007-11-30 04:21 --------- d-----w C:\Program Files\Java 2007-11-28 07:58 --------- d-----w C:\Program Files\TagRename 2007-11-28 07:58 --------- d-----w C:\Program Files\SpywareGuard 2007-11-28 07:55 --------- d-----w C:\Program Files\NZSearch 2007-11-28 07:51 --------- d-----w C:\Program Files\Linksys Wireless-G Music Bridge 2007-11-28 07:50 --------- d-----w C:\Program Files\iTunes 2007-11-28 07:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-11-28 07:40 --------- d-----w C:\Program Files\Apoint2K 2007-11-28 00:15 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\Viewpoint 2007-11-28 00:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2007-11-27 19:03 --------- d-----w C:\Program Files\SpywareBlaster 2007-11-02 07:05 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\ZoomBrowser EX 2007-11-02 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser 2007-10-24 17:12 --------- d-----w C:\Program Files\AIM6 2007-10-24 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads 2007-10-23 23:02 --------- d-----w C:\Documents and Settings\Mr. Cunow\Application Data\Apple Computer 2007-10-12 06:11 --------- d-----w C:\Program Files\Soulseek 2007-04-01 23:22 73,728 ----a-w C:\Documents and Settings\Mr. Cunow\SetupNI.dll 2006-02-14 18:31 184,808 ----a-w C:\Documents and Settings\Mr. Cunow\Application Data\shb.dat 2005-11-03 04:36 48,504 ----a-w C:\Documents and Settings\Mr. Cunow\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "spc_w"="C:\Program Files\NZSearch\nzspc.exe" [2004-11-09 00:29] "Aim6"="" [] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 13:45] "Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2007-10-05 11:33] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 19:40] "AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 05:40 C:\WINDOWS\AGRSMMSG.exe] "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 09:05] "CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 23:23] "Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42] "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 08:21] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01] "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [] "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:55] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-06-09 16:31] "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 15:36] "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 10:54] "ATIModeChange"="Ati2mdxx.exe" [2004-04-01 23:16 C:\WINDOWS\system32\Ati2mdxx.exe] "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 19:11] "CmFlywaveName"="C:\WINDOWS\System\CmFlywav.exe" [2005-10-05 10:38] "Linksys WMB54G Utility"="C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe" [2005-11-22 22:26] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 15:58] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 06:36] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] C:\Documents and Settings\Mr. Cunow\Start Menu\Programs\Startup\ SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 15:05:35] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26] Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2004-12-04 11:08:28] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 15:28:24] HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 15:50:52] Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 20:49:48] C:\WINDOWS\System32\NavLogon.dll 2004-08-02 15:36 83272 C:\WINDOWS\system32\NavLogon.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyv.dll R3 cmvad;C-Media Wi-Sonic Wireless Audio Interface;C:\WINDOWS\system32\drivers\cmudaxv.sys R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt hpqcxs08 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03804255-705b-11dc-9a6e-000fb009b67c}] \Shell\1\Command - .\System\Memory\autorun.exe \Shell\2\Command - .\System\Memory\autorun.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\System\Memory\autorun.exe . Contents of the 'Scheduled Tasks' folder "2005-06-27 21:31:07 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job" - C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe "2007-11-18 18:03:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2005-07-01 13:44:20 C:\WINDOWS\Tasks\iRadio 1.2 task 3.job" - C:\PROGRA~1\3aLab\iRadio\iRadio.exe "2005-04-19 13:47:48 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************ catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-30 12:38:37 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?6?0?5??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-11-30 12:41:33 - machine was rebooted C:\ComboFix2.txt ... 2007-11-29 21:59 . --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 3:44:51 PM, on 11/30/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\WINDOWS\System32\hphmon05.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System\CmFlywav.exe C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Pando Networks\Pando\Pando.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\HP\hpcoretech\comp\hpdarc.exe C:\HijackThis\Mr. Cunow.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/radio/aod/mainf...d/radio1.shtml R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.nyu.edu:8000 R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Mr. Cunow\Application Data\Mozilla\Profiles\default\bj26lb4b.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Mr. Cunow\Application Data\Mozilla\Profiles\default\bj26lb4b.slt\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [CmFlywaveName] C:\WINDOWS\System\CmFlywav.exe O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228 O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093672044250 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{451478F6-D9D9-40CF-8E57-EE621B7344BD}: NameServer = 128.122.253.92,128.122.253.37 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nyu.edu O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nyu.edu O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe