Hi,
I will need you to help me clean it. We do not have the Windows CD. My brother bought the computer used from his college, and they did not supply the CDs.
I ran ComboFix. The log had this statement at the top:
"WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"
My computer had shown that the recovery console was installed before I ran combofix.
I wasn't sure what to do, so I ran it again. I've pasted both logs below along with the HijackThis log:
****************************************************
ComboFix Log 1:
ComboFix 08-10-04.02 - IUSER_Admin 2008-10-04 17:46:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.630 [GMT -5:00]
Running from: C:\Documents and Settings\IUSER_Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\{525D3~1
C:\Program Files\Common Files\{525D3~1\slscp.log
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\Ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\readme.txt
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\SLExtBU(2)\ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM(2)\SLExtBU(2)\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\autorun.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\Ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\readme.txt
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.cat
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\scusbvip.sys
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.exe
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.MSI
C:\Program Files\Common Files\{525D3~1\SLZOOM\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\SLExtBU\ivr.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\SLExtBU\Setup.scp
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.cat
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.inf
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvad.sys
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvipco.dll
C:\Program Files\Common Files\{525D3~1\SLZOOM\slvipgx.dll
C:\Program Files\Common Files\{525D3~1\SLZOOM\TLRecAgent.sys
C:\test.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Install.txt
C:\WINDOWS\MSSqlServer.dll
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\directfileforexe.exe
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\zordisa.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_MCHINJDRV
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEIUCTOL
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seiuctol
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdxdowkc
-------\Service_tdydowkc
-------\Service_wsldoekd
((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.
2008-10-04 17:46 . 2008-10-04 17:46 <DIR> d-------- C:\quarantine
2008-10-02 15:38 . 2008-10-02 15:38 <DIR> d-------- C:\Program Files\VS Revo Group
2008-10-02 15:13 . 2008-10-02 15:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 14:44 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-10-02 14:44 . 2008-10-02 14:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-02 14:33 . 2008-10-02 14:33 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Share-to-Web Upload Folder
2008-10-02 14:32 . 2007-07-13 12:30 <DIR> d---s---- C:\Documents and Settings\IUSER_Admin\UserData
2008-10-02 14:32 . 2008-10-02 14:32 <DIR> d-------- C:\Documents and Settings\IUSER_Admin
2008-09-06 23:35 . 2008-10-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-06 23:35 . 2008-09-06 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-06 23:35 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-06 23:35 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-06 23:35 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-06 23:35 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 22:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 22:50 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-04 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-08 09:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-07 06:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-09-03 15:53 --------- d-----w C:\Program Files\Sun
2008-09-03 15:53 --------- d-----w C:\Program Files\Java
2008-08-30 17:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-29 18:01 --------- d-----w C:\Program Files\Yahoo!
2008-08-23 19:31 --------- d-----w C:\Program Files\NOS
2008-08-23 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-23 19:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-23 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 01:07 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 01:07 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 01:07 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 01:07 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 01:07 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 01:07 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 01:07 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 01:07 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !!
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
359,040 2004-08-04 01:07:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
375,168 2007-08-11 18:58:31 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-11 18:58:34 C:\WINDOWS\system32\drivers\tcpip.sys
------- Sigcheck -------
2004-08-03 20:07 14336 a4f27dd224f1ca2e5ae2fa67636c7dd2 C:\WINDOWS\system32\svchost.exe
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-03 20:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-07-31 286720]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-30 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2007-04-19 970752]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-27 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 TLRecAgent;TLRecAgent;C:\WINDOWS\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
S3 scusbvip;VL1800 USB Driver;C:\WINDOWS\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\WINDOWS\system32\drivers\slvad.sys [2008-03-13 84912]
*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
2008-08-28 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 20:07]
2008-10-02 C:\WINDOWS\Tasks\Norton Security Scan for IUSER_Admin.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Explorer_Run-minyust - C:\WINDOWS\system32\inf\svchoct.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\IUSER_Admin\Application Data\Mozilla\Firefox\Profiles\t9pi1a7f.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-10-04 17:51:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2008-10-04 17:54:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 22:54:36
Pre-Run: 23,692,120,064 bytes free
Post-Run: 24,175,648,768 bytes free
241 --- E O F --- 2008-07-30 17:48:44
**************************************************
-----------------------------------------------------------------
ComboFix Log 2:
ComboFix 08-10-04.02 - IUSER_Admin 2008-10-04 18:24:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.635 [GMT -5:00]
Running from: C:\Documents and Settings\IUSER_Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\IUSER_Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.
2008-10-04 17:46 . 2008-10-04 18:24 <DIR> d-------- C:\quarantine
2008-10-02 15:38 . 2008-10-02 15:38 <DIR> d-------- C:\Program Files\VS Revo Group
2008-10-02 15:13 . 2008-10-02 15:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 14:44 . 2008-10-02 15:51 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-10-02 14:44 . 2008-10-02 14:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-10-02 14:33 . 2008-10-02 14:33 <DIR> d-------- C:\Documents and Settings\IUSER_Admin\Application Data\Share-to-Web Upload Folder
2008-10-02 14:32 . 2007-07-13 12:30 <DIR> d---s---- C:\Documents and Settings\IUSER_Admin\UserData
2008-10-02 14:32 . 2008-10-02 14:32 <DIR> d-------- C:\Documents and Settings\IUSER_Admin
2008-09-06 23:35 . 2008-10-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-06 23:35 . 2008-09-06 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-06 23:35 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-06 23:35 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-06 23:35 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-06 23:35 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 23:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 23:28 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-04 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-08 09:23 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-07 06:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-09-03 15:53 --------- d-----w C:\Program Files\Sun
2008-09-03 15:53 --------- d-----w C:\Program Files\Java
2008-08-30 17:54 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-29 18:01 --------- d-----w C:\Program Files\Yahoo!
2008-08-23 19:31 --------- d-----w C:\Program Files\NOS
2008-08-23 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-08-23 19:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-23 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-14 23:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-08-04 01:07 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 01:07 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 01:07 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 01:07 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 01:07 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 01:07 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 01:07 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 01:07 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !!
360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
359,040 2004-08-04 01:07:00 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
375,168 2007-08-11 18:58:31 C:\WINDOWS\system32\dllcache\tcpip.sys
375,168 2007-08-11 18:58:34 C:\WINDOWS\system32\drivers\tcpip.sys
------- Sigcheck -------
2004-08-03 20:07 14336 a4f27dd224f1ca2e5ae2fa67636c7dd2 C:\WINDOWS\system32\svchost.exe
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2004-08-03 20:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 13:58 375168 f4839bb5c227264c43637ab74c7d4f11 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-07-31 286720]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-30 249856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-02-15 1052672]
"ZoomMonitor.exe"="C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe" [2008-01-22 801296]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ClearPlay Easy Updates.lnk - C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [2007-04-19 970752]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-27 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 TLRecAgent;TLRecAgent;C:\WINDOWS\system32\DRIVERS\TLRecAgent.sys [2008-03-13 36976]
R2 KodakSvc;Kodak AiO Device Service;C:\Program Files\Kodak\printer\center\KodakSvc.exe [2008-02-28 18944]
R2 VService;VService;C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe [2008-01-17 104976]
S3 scusbvip;VL1800 USB Driver;C:\WINDOWS\system32\DRIVERS\scusbvip.sys [2008-03-13 609936]
S3 SLVAD_simple;Zoom Virtual Audio Device;C:\WINDOWS\system32\drivers\slvad.sys [2008-03-13 84912]
*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
2008-08-28 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-03 20:07]
2008-10-02 C:\WINDOWS\Tasks\Norton Security Scan for IUSER_Admin.job
- C:\Program Files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\IUSER_Admin\Application Data\Mozilla\Firefox\Profiles\t9pi1a7f.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-10-04 18:28:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
.
**************************************************************************
.
Completion time: 2008-10-04 18:31:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 23:31:50
ComboFix2.txt 2008-10-04 22:54:44
Pre-Run: 24,176,128,000 bytes free
Post-Run: 24,147,476,480 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
180 --- E O F --- 2008-07-30 17:48:44
**************************************************
----------------------------------------------------------------
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:39 PM, on 10/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [ZoomMonitor.exe] C:\Program Files\Zoom\Zoom Phone Adaptor\ZoomMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4348352218
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5585284843
O16 - DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - https://vpn.uth.tmc.edu/vpns/scripts/nsload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VService - Unknown owner - C:\Program Files\Zoom\Zoom Phone Adaptor\VServ.exe
--
End of file - 8126 bytes