Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

IUSER_ADMIN has hijacked my computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 2nd, 2008, 5:09 pm

Here is my hijack this log. However, when I downloaded the program and ran it, I was not aware that I was signed into the IUSER_ADMIN account. I cannot delete this account or get into my account on the computer. I am extremely frustrated. I am in college and need this computer for school.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:00 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\macidwe.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\roytctm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [minyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080906a.dll tan16d
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4348352218
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: afisicx Event propagation service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: macidwe Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: noxtcyr Co. Ltd. (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: roxtctm Corporation inc. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: sotpeca Portable Media Serial Service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdxdowkc Corporation inc. (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
O23 - Service: wsldoekd Corporation inc. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 9678 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm
Advertisement
Register to Remove

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 2nd, 2008, 6:40 pm

Welcome to the MWR forums. My name is Bio-Hazard. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear.
  • Absence of symptoms does not mean that everything is clear.
  • I f you don't know or understand something please don't hesitate to ask.
  • It is important that you reply to this thread. Do not start a new topic.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 3rd, 2008, 5:04 am

BACKDOOR TROJAN

I'm afraid I have some bad news for you. Your computer has multiple infections, including a BACKDOOR TROJAN. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all youraccount numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.

Please let us know what you have decided to do in your next post.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 3rd, 2008, 5:01 pm

Ok. I have no idea how to back up my files or reformat my computer. I have the desktop computer disconnected from everything, so what is me next step?
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 3rd, 2008, 5:55 pm

Here is the uninstall list that hijackthis made.

Acrobat.com
Acrobat.com
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Adobe Shockwave Player
aiofw
aioocr
aioprnt
aioscnnr
AT&T Yahoo! Applications
BroadJump Client Foundation
center
ClearPlay Easy Updates
DivX Content Uploader
DivX Web Player
DVD Solution
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Help_CTR
helptut
helpug
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
HP Share-to-Web
InCD
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Connections Drivers
Java(TM) 6 Update 2
Java(TM) 6 Update 7
KODAK All-in-One Printer Software
ksdip
LG ODD Auto Firmware Update
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Office XP Standard for Students and Teachers
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multimedia Launcher
Nero OEM
netbrdg
Norton Security Scan
Norton Security Scan (Symantec Corporation)
OpenOffice.org Installer 1.0
PowerDVD
PowerProducer
QuickTime
RealPlayer
Revo Uninstaller 1.71
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
SFR
Skype™ 3.8
SoundMAX
Spyware Doctor 5.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
URGE
Viewpoint Media Player
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Zoom Phone Adaptor
Zoom Phone Adaptor
Zoom Skype Adaptor
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 4th, 2008, 4:07 am

Ok. I have no idea how to back up my files or reformat my computer. I have the desktop computer disconnected from everything, so what is me next step?


I can give you instructions how to do that or we can try to clean your computer. As long as you understand that I cant guarantee that the computer is 100% safe. Here is a quote from the the earlier speech that I gave you to read:

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.


If you want to reformat your computer, you will need either a Windows CD or the recovery disks that came with your computer or you need to know how to access the computer's recovery partition. Check your computer's user manual, if it has one. If you want me to attempt to clean your computer we will start by running this tool:

Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

How To Use Combofix

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more that 20 minutes including the reboot if malware is detected.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 4th, 2008, 7:58 pm

Hi,
I will need you to help me clean it. We do not have the Windows CD. My brother bought the computer used from his college, and they did not supply the cds.

I ran combofix. The log had this statement at the top:

"WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"

My computer had shown that the recovery console was installed before I ran combofix.

I wasn't sure what to do, so I ran it again. I've pasted both logs below along with the hijack this log:
****************************************************
ComboFix Log 1:

ComboFix 08-10-04.02 - IUSER_Admin 2008-10-04 17:46:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.630 [GMT -5:00]
Running from: C:\Documents and Settings\IUSER_Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{525D3~1
C:\Program Files\Common Files\{525D3~1\slscp.log
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\Ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\readme.txt
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\SLExtBU(2)\ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\SLExtBU(2)\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\autorun.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\Ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\readme.txt
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.cat
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.sys
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.exe
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.MSI
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\SLExtBU\ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\SLExtBU\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.cat
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.sys
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvipco.dll
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvipgx.dll
C:\Program Files\Common Files\{525D3~1\SLZOOM\TLRecAgent.sys
C:\test.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Install.txt
C:\WINDOWS\MSSqlServer.dll
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\directfileforexe.exe
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\zordisa.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_MCHINJDRV
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEIUCTOL
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seiuctol
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdxdowkc
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.

2008-10-04 17:46 . 2008-10-04 17:46 <DIR> d-------- C:\quarantine
2008-10-02 15:38 . 2008-10-02 15:38 <DIR> d-------- C:\Program Files\VS Revo Group
2008-10-02 15:13 . 2008-10-02 15:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 14:44 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-10-02 14:44 . 2008-10-02 14:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-02 14:33 . 2008-10-02 14:33 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Share-to-Web Upload Folder
2008-10-02 14:32 . 2007-07-13 12:30 <DIR> d---s---- C:\Documents and Settings\IUSER_Admin\UserData
2008-10-02 14:32 . 2008-10-02 14:32 <DIR> d-------- C:\Documents and Settings\IUSER_Admin
2008-09-06 23:35 . 2008-10-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-06 23:35 . 2008-09-06 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-06 23:35 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-06 23:35 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-06 23:35 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-06 23:35 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 22:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 22:50 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-04 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-08 09:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-07 06:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-09-03 15:53 --------- d-----w C:\Program Files\Sun
2008-09-03 15:53 --------- d-----w C:\Program Files\Java
2008-08-30 17:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-29 18:01 --------- d-----w C:\Program Files\Yahoo!
2008-08-23 19:31 --------- d-----w C:\Program Files\NOS
2008-08-23 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-23 19:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-23 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 01:07 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 01:07 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 01:07 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 01:07 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 01:07 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 01:07 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 01:07 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 01:07 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !!
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
359,040 2004-08-04 01:07:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
375,168 2007-08-11 18:58:31 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-11 18:58:34 C:\WINDOWS\system32\drivers\tcpip.sys


------- Sigcheck -------

2004-08-03 20:07 14336 a4f27dd224f1ca2e5ae2fa67636c7dd2 C:\WINDOWS\system32\svchost.exe

2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-03 20:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-07-31 286720]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-30 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2007-04-19 970752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-27 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 TLRecAgent;TLRecAgent;C:\WINDOWS\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
S3 scusbvip;VL1800 USB Driver;C:\WINDOWS\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\WINDOWS\system32\drivers\slvad.sys [2008-03-13 84912]

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 20:07]

2008-10-02 C:\WINDOWS\Tasks\Norton Security Scan for IUSER_Admin.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-minyust - C:\WINDOWS\system32\inf\svchoct.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\IUSER_Admin\Application Data\Mozilla\Firefox\Profiles\t9pi1a7f.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 17:51:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2008-10-04 17:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 22:54:36

Pre-Run: 23,692,120,064 bytes free
Post-Run: 24,175,648,768 bytes free

241 --- E O F --- 2008-07-30 17:48:44
**************************************************
-----------------------------------------------------------------
ComboFix Log 2:

ComboFix 08-10-04.02 - IUSER_Admin 2008-10-04 18:24:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.635 [GMT -5:00]
Running from: C:\Documents and Settings\IUSER_Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\IUSER_Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.

2008-10-04 17:46 . 2008-10-04 18:24 <DIR> d-------- C:\quarantine
2008-10-02 15:38 . 2008-10-02 15:38 <DIR> d-------- C:\Program Files\VS Revo Group
2008-10-02 15:13 . 2008-10-02 15:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 14:44 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-10-02 14:44 . 2008-10-02 14:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-02 14:33 . 2008-10-02 14:33 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Share-to-Web Upload Folder
2008-10-02 14:32 . 2007-07-13 12:30 <DIR> d---s---- C:\Documents and Settings\IUSER_Admin\UserData
2008-10-02 14:32 . 2008-10-02 14:32 <DIR> d-------- C:\Documents and Settings\IUSER_Admin
2008-09-06 23:35 . 2008-10-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-06 23:35 . 2008-09-06 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-06 23:35 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-06 23:35 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-06 23:35 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-06 23:35 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 23:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 23:28 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-04 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-08 09:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-07 06:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-09-03 15:53 --------- d-----w C:\Program Files\Sun
2008-09-03 15:53 --------- d-----w C:\Program Files\Java
2008-08-30 17:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-29 18:01 --------- d-----w C:\Program Files\Yahoo!
2008-08-23 19:31 --------- d-----w C:\Program Files\NOS
2008-08-23 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-23 19:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-23 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 01:07 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 01:07 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 01:07 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 01:07 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 01:07 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 01:07 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 01:07 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 01:07 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !!
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
359,040 2004-08-04 01:07:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
375,168 2007-08-11 18:58:31 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-11 18:58:34 C:\WINDOWS\system32\drivers\tcpip.sys


------- Sigcheck -------

2004-08-03 20:07 14336 a4f27dd224f1ca2e5ae2fa67636c7dd2 C:\WINDOWS\system32\svchost.exe

2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-03 20:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-07-31 286720]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-30 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2007-04-19 970752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-27 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 TLRecAgent;TLRecAgent;C:\WINDOWS\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
S3 scusbvip;VL1800 USB Driver;C:\WINDOWS\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\WINDOWS\system32\drivers\slvad.sys [2008-03-13 84912]

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 20:07]

2008-10-02 C:\WINDOWS\Tasks\Norton Security Scan for IUSER_Admin.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\IUSER_Admin\Application Data\Mozilla\Firefox\Profiles\t9pi1a7f.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-04 18:28:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2008-10-04 18:31:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 23:31:50
ComboFix2.txt 2008-10-04 22:54:44

Pre-Run: 24,176,128,000 bytes free
Post-Run: 24,147,476,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

180 --- E O F --- 2008-07-30 17:48:44
**************************************************
----------------------------------------------------------------

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:39 PM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4348352218
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 8126 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 5th, 2008, 8:46 am

I'd like you to check (a file/some files) for Viruses.
C:\WINDOWS\system32\svchost.exe

  • Copy/Paste file into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Copy and Paste results in your next reply.

Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Quote box into Notepad:

Code: Select all
FCOPY::
C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys | C:\WINDOWS\system32\drivers\tcpip.sys


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


Image


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at
C:\ComboFix.txt


NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Virustotal or Jotti results
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 5th, 2008, 3:10 pm

Here are the three logs you asked for. The computer is still only running under the user IUSER_ADMIN. I still cannot delete it. I cannot access any of my stuff on the computer.


VirusTotal:

Antivirus Version Last Update Result
AhnLab-V3 2008.10.3.2 2008.10.03 -
AntiVir 7.8.1.34 2008.10.04 -
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.04 -
AVG 8.0.0.161 2008.10.05 Win32/Patched.D
BitDefender 7.2 2008.10.05 Trojan.Loader.AK
CAT-QuickHeal 9.50 2008.10.04 -
ClamAV 0.93.1 2008.10.05 -
DrWeb 4.44.0.09170 2008.10.05 -
eSafe 7.0.17.0 2008.10.05 -
eTrust-Vet 31.6.6129 2008.10.04 Win32/Proscks.B
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.05 -
Fortinet 3.113.0.0 2008.10.04 -
GData 19 2008.10.05 Trojan.Loader.AK
Ikarus T3.1.1.34.0 2008.10.05 Trojan.Loader.AK
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.05 -
McAfee 5398 2008.10.04 -
Microsoft 1.4005 2008.10.05 -
NOD32 3495 2008.10.04 Win32/Patched.K
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 Suspicious file
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.05 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.05 Virus.Win32.FileInfector.gen (suspicious)
Sophos 4.34.0 2008.10.05 -
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.10.05 Trojan.Proscks!inf
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.03 -
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.4.1406 2008.10.04 -
VirusBuster 4.5.11.0 2008.10.05 -
Additional information
File size: 14336 bytes
MD5...: a4f27dd224f1ca2e5ae2fa67636c7dd2
SHA1..: 0e2797968cf2692068005224bf830c04688e8376
SHA256: 339cd04839bd3b6fb306e157c2247d2b1c4c19dc7250389b5d0132ad4a636d25
SHA512: 06cb55d627d287c57da6388a05215e6c8ce75fe81d1729f504d978f17f6515b6
9760c0d9ac62cc3c191c532890bc0db5473a35d7c7acdf3f25815fcf80920dd5
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002509
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 578436208a3b4b9b4ee1faf3d0c5f81c
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 3.09 ad310e03279123237e93169928f32f18

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )

**************************************************
-----------------------------------------------------------------

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, October 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, October 05, 2008 16:40:34
Records in database: 1292718
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 37984
Threat name: 18
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 01:15:25


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\MSSqlServer.dll.vir Infected: Trojan-Downloader.Win32.Delf.npi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afisicx.exe.vir Infected: Trojan.Win32.Agent.actt 1
C:\QooBox\Quarantine\C\WINDOWS\system32\atsxyzd.sys.vir Infected: Trojan.Win32.DNSChanger.ijw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\directfileforexe.exe.vir Infected: Backdoor.Win32.PcClient.mcm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\tcpip.sys.vir Infected: Trojan.Win32.Patched.ad 1
C:\QooBox\Quarantine\C\WINDOWS\system32\macidwe.exe.vir Infected: Trojan.Win32.Agent.acnb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\noxtcyr.exe.vir Infected: Trojan.Win32.Agent.acnc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\noytcyr.exe.vir Infected: Trojan.Win32.Agent.acku 1
C:\QooBox\Quarantine\C\WINDOWS\system32\roxtctm.exe.vir Infected: Trojan.Win32.Agent.acnj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\roytctm.exe.vir Infected: Trojan.Win32.Agent.aclf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sotpeca.exe.vir Infected: Trojan.Win32.Agent.actu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdxdowkc.exe.vir Infected: Trojan.Win32.Agent.acnh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdydowkc.exe.vir Infected: Trojan.Win32.Agent.acid 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wsldoekd.exe.vir Infected: Trojan.Win32.Agent.afmx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zordisa.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.tdtr 1
C:\WINDOWS\system32\tmp0_173781512124.bk.old Infected: Trojan-Clicker.Win32.VB.cam 1
C:\WINDOWS\system32\tmp0_383479292051.bk.old Infected: Trojan.Win32.DNSChanger.iox 1
C:\WINDOWS\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.bzj 1

The selected area was scanned.

**************************************************
-----------------------------------------------------------------

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:09 PM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IUSER_Admin\Local Settings\Temp\jkos-IUSER_Admin\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4348352218
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 8277 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 5th, 2008, 3:13 pm

Hello!

Could you please post the Combofix log as well?

Thank you.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 5th, 2008, 3:27 pm

Here is the combofix log. I apologize. I wasn't aware that you needed it.

ComboFix:

ComboFix 08-10-04.02 - IUSER_Admin 2008-10-05 11:49:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.661 [GMT -5:00]
Running from: C:\Documents and Settings\IUSER_Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\IUSER_Admin\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys --> C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-10-04 17:46 . 2008-10-05 11:49 <DIR> d-------- C:\quarantine
2008-10-02 15:38 . 2008-10-02 15:38 <DIR> d-------- C:\Program Files\VS Revo Group
2008-10-02 15:13 . 2008-10-02 15:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 14:44 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-10-02 14:44 . 2008-10-02 14:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-02 14:33 . 2008-10-02 14:33 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Share-to-Web Upload Folder
2008-10-02 14:32 . 2007-07-13 12:30 <DIR> d---s---- C:\Documents and Settings\IUSER_Admin\UserData
2008-10-02 14:32 . 2008-10-02 14:32 <DIR> d-------- C:\Documents and Settings\IUSER_Admin
2008-09-06 23:35 . 2008-10-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-06 23:35 . 2008-09-06 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-06 23:35 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-06 23:35 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-06 23:35 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-06 23:35 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 16:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-05 16:53 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-04 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-08 09:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-07 06:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-09-03 15:53 --------- d-----w C:\Program Files\Sun
2008-09-03 15:53 --------- d-----w C:\Program Files\Java
2008-08-30 17:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-29 18:01 --------- d-----w C:\Program Files\Yahoo!
2008-08-23 19:31 --------- d-----w C:\Program Files\NOS
2008-08-23 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-23 19:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-23 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 01:07 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 01:07 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 01:07 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 01:07 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 01:07 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 01:07 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 01:07 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 01:07 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-03 20:07 14336 a4f27dd224f1ca2e5ae2fa67636c7dd2 C:\WINDOWS\system32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-04_17.54.01.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-11 18:58:31 375,168 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2006-04-20 12:18:35 360,576 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-07-31 286720]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-30 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2007-04-19 970752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-27 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 TLRecAgent;TLRecAgent;C:\WINDOWS\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
S3 scusbvip;VL1800 USB Driver;C:\WINDOWS\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\WINDOWS\system32\drivers\slvad.sys [2008-03-13 84912]

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 20:07]

2008-10-02 C:\WINDOWS\Tasks\Norton Security Scan for IUSER_Admin.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 11:54:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2008-10-05 11:57:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-05 16:57:36
ComboFix2.txt 2008-10-04 23:31:58
ComboFix3.txt 2008-10-04 22:54:44

Pre-Run: 24,161,730,560 bytes free
Post-Run: 24,150,630,400 bytes free

154 --- E O F --- 2008-07-30 17:48:44
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 5th, 2008, 5:08 pm

Here is the combofix log. I apologize. I wasn't aware that you needed it.


You don't have to apologize it was my mistake. I forgot to put that on my list of logs to post. You did everything correctly.

I still cannot delete it. I cannot access any of my stuff on the computer.


Could you please tell me bit more about this?
What can you not access?



OTMoveIt3
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code: Select all
:files
C:\WINDOWS\system32\tmp0_173781512124.bk.old
C:\WINDOWS\system32\tmp0_383479292051.bk.old
C:\WINDOWS\system32\xdufytw.sys

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Malwarebytes' Anti-Malware
  • OTMoveIt3 Log
  • A fresh HijackThis Log ( after all the above has been done)
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 5th, 2008, 5:27 pm

The OTMoveIt3 was not hyperlinked and I did a google search, but couldn't find it. Could you give me the link for it?
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby oh2knowhim » October 5th, 2008, 7:05 pm

This started when I turned my computer on one day about a month ago and found IUSER_ADMIN was the user/administrator on my computer and required a password for me to log onto it. A google search indicated that IUSER_ADMIN was a virus and gave steps for removing it. The steps were:

1. Turn on computer in safe mode.
2. Delete IUSER_ADMIN out of your user accounts.

I did this and it seemed to fix the problem. Two days later, however, IUSER_ADMIN was back. I removed it again. Next day it was back. I removed it again. I also googled it again and found others were having the same problem, and that it was much more dangerous than originally thought. About this time, I became very ill, so we turned the computer off and disconnected it from internet.

I was in the hospital for two weeks. When we returned home after my hospital stay last week and I tried to delete IUSER_ADMIN, it no longer allowed me to delete the account. I was able to change the settings so you didn't need a password to log into this user. When this user first appeared, it locked down my computer where I could no longer access MY user account.

Since last week, the only way I can log into my computer is by logging in as IUSER_ADMIN. When I do this, none of my documents, pictures, music, etc. are there. The Start menu is different. The desktop is not the same. Everything is different.

Here are the three logs you asked for.

OTMoveIt Log:

========== FILES ==========
C:\WINDOWS\system32\tmp0_173781512124.bk.old moved successfully.
C:\WINDOWS\system32\tmp0_383479292051.bk.old moved successfully.
C:\WINDOWS\system32\xdufytw.sys moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.4.1 log created on 10052008_163520
*******************************************************
----------------------------------------------------------------------------------------

MBAM log:

Malwarebytes' Anti-Malware 1.28
Database version: 1230
Windows 5.1.2600 Service Pack 2

10/5/2008 5:22:08 PM
mbam-log-2008-10-05 (17-22-08).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 83253
Time elapsed: 38 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\noxtcyr.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\afisicx.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\macidwe.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\noytcyr.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\roxtctm.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\roytctm.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sotpeca.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tdxdowkc.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tdydowkc.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wsldoekd.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP333\A0056473.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP333\A0056489.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP336\A0057629.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP338\A0057654.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP338\A0057677.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP341\A0057729.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP341\A0057751.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP341\A0057756.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP343\A0059979.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP343\A0059980.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060024.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060030.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060032.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060033.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060034.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060035.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060036.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060038.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060041.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F4FB6B3-215B-49B2-9F5A-71D03C12310C}\RP344\A0060039.exe (Trojan.Agent) -> Quarantined and deleted successfully.
***************************************************************************************************************
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:51 PM, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4348352218
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe

--
End of file - 8172 bytes
oh2knowhim
Regular Member
 
Posts: 21
Joined: September 7th, 2008, 6:11 pm

Re: IUSER_ADMIN has hijacked my computer

Unread postby Bio-Hazard » October 8th, 2008, 1:08 am

Hello!

Sorry for the delay.

Are you able to get hold of a installation CD from friend or relative?

Have you tried deleting the account after we had run these tools? If not then please do that.
How many accounts do you have on this computer?
Have you tried deleting this account in safe mode or normal mode?


Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Quote box into Notepad:

Code: Select all
SysRst::
FileLook::
C:\WINDOWS\system32\svchost.exe


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


Image


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 198 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware