ComboFix 08-04-04.1 - Lalala 2008-04-07 13:45:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.721 [GMT -6:00]
Running from: C:\Documents and Settings\Lalala\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lalala\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\autorun.inf
C:\diox3j.com
C:\ermvu8.cmd
C:\gicchk2s.exe
C:\lhwdcgcb.bat
C:\op.bat
C:\u3dsc.com
C:\u9.com
C:\wkcay8u.cmd
c:\wsusupd.exe
H:\gicchk2s.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\diox3j.com
C:\ermvu8.cmd
C:\gicchk2s.exe
C:\lhwdcgcb.bat
C:\op.bat
C:\u3dsc.com
C:\u9.com
C:\wkcay8u.cmd
.

((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 00:49 . 2008-04-06 00:49 d-------- C:\_OTMoveIt
2008-03-22 01:42 . 2008-03-22 01:42 d-------- C:\Program Files\Common Files\Ahead
2008-03-22 01:42 . 2004-07-26 18:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-03-22 01:42 . 2004-07-26 18:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-03-22 01:42 . 2004-07-26 18:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-03-22 01:42 . 2004-07-26 18:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-03-22 01:42 . 2001-07-09 12:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-22 01:42 . 2004-03-02 18:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-03-22 01:42 . 2000-06-26 12:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-22 01:42 . 2004-03-02 18:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 07:11 --------- d-----w C:\Documents and Settings\Lalala\Application Data\LimeWire
2008-03-25 08:51 --------- d-----w C:\Documents and Settings\Lalala\Application Data\Skype
2008-02-14 00:35 --------- d-----w C:\Documents and Settings\Lalala\Application Data\Apple Computer
.

[color=red] C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below) [/color]
401,408 2007-10-08 07:10:22 C:\WINDOWS\system32\dllcache\tcpip.sys
401,408 2007-10-08 07:10:25 C:\WINDOWS\system32\drivers\tcpip.sys

------- Sigcheck -------

2007-10-08 01:10 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-08 01:10 401408 4ee94d29d4688e21209e56e0312dbf04 C:\WINDOWS\system32\drivers\tcpip.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_ 0.06.04.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 03:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 15:00:00 28,160 ----a-w C:\WINDOWS\nircmd.exe
+ 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\nircmd.exe
- 2000-08-31 15:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
- 2007-10-28 19:37:25 63,802 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-06 22:58:47 63,802 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-28 19:37:25 404,870 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-06 22:58:47 404,870 ----a-w C:\WINDOWS\system32\perfh009.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 16:58 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"vidc.tscc"= tsccvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msn_0802_upd060053.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msn_0802_upd060053.exe
backup=C:\WINDOWS\pss\msn_0802_upd060053.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 16:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Lalala\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSI Configuration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-04-26 09:29 237568 D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-04-11 18:52 1409024 D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-23 12:41 860160 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 09:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-03 16:24 1271032 D:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-12 16:58 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14803:TCP"= 14803:TCP:BitComet 14803 TCP
"14803:UDP"= 14803:UDP:BitComet 14803 UDP

.
Contents of the 'Scheduled Tasks' folder
"2008-03-13 05:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 13:47:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-07 13:49:06
ComboFix-quarantined-files.txt 2008-04-07 19:48:15
ComboFix2.txt 2008-04-06 07:06:53
ComboFix3.txt 2007-10-17 21:50:42

Pre-Run: 11,359,043,584 bytes free
Post-Run: 11,345,604,608 bytes free
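Three things in the log above are what a malware-removal helper reads first: the `Firewall auto setup` autostart that launches a `winlogon.exe` out of the user's Temp folder rather than `C:\WINDOWS\system32`, the cluster of short random-named `.com`/`.cmd`/`.bat`/`.exe` files in the root of `C:` next to an `autorun.inf` (with `gicchk2s.exe` also present on `H:`, the removable-media propagation pattern), and `EnableFirewall= 0` in the standard firewall profile. The script below is an added example, not part of the forum post and not ComboFix's own code: it pulls those three indicators out of a ComboFix-style text log. The excerpt in `SAMPLE_LOG` is constructed from lines quoted in the post; the list of impersonated system binary names and the "Temp directory" heuristic are this example's own assumptions, not something the log states.

```python
"""Triage helper for a ComboFix-style log excerpt (added example, not ComboFix code).

Flags three patterns:
  1. autostart targets that run from a Temp directory or reuse a core
     Windows binary name (e.g. winlogon.exe) outside the Windows directory;
  2. drive-root executables listed beside an autorun.inf, plus file names
     that appear in the root of more than one drive;
  3. the Windows Firewall standard profile showing EnableFirewall=0.
"""
import re
from collections import defaultdict

# Constructed excerpt of the log lines quoted in the post (whitespace normalised).
SAMPLE_LOG = r"""
FILE ::
C:\autorun.inf
C:\diox3j.com
C:\ermvu8.cmd
C:\gicchk2s.exe
C:\lhwdcgcb.bat
C:\op.bat
c:\wsusupd.exe
H:\gicchk2s.exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 16:58 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Lalala\LOCALS~1\Temp\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 16:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumption: names that only belong in %SystemRoot% or %SystemRoot%\system32.
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                "smss.exe", "svchost.exe", "explorer.exe"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n\[\]]*?\.(?:exe|com|cmd|bat|dll|inf|scr|pif)\b', re.I)
ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+\.(?:exe|com|cmd|bat)$')      # file directly in a drive root
SYSDIR_RE = re.compile(r'^[a-z]:\\windows(?:\\system32)?$')         # legitimate home of SYSTEM_NAMES


def parse_sections(log):
    """Yield (section, path). section is 'FILE' inside the CFScript FILE :: list,
    the most recent [registry key] header elsewhere, or None between sections."""
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if line == "FILE ::":
            section = "FILE"
            continue
        if line == ".":                      # ComboFix's section terminator
            section = None
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        for m in PATH_RE.finditer(line):
            yield section, m.group(0)


def suspicious_autostarts(log):
    """Autostart targets in a Temp directory, or a core binary name outside Windows."""
    hits = []
    for section, path in parse_sections(log):
        if section in (None, "FILE"):
            continue
        low = path.lower()
        folder, _, name = low.rpartition("\\")
        reasons = []
        if "\\temp\\" in low:
            reasons.append("runs from a Temp directory")
        if name in SYSTEM_NAMES and not SYSDIR_RE.match(folder):
            reasons.append(f"{name} outside the Windows directory")
        if reasons:
            hits.append((section, path, "; ".join(reasons)))
    return hits


def root_droppers(log):
    """Per drive: whether autorun.inf was listed and which root executables sit beside it.
    Also returns names found in the root of more than one drive (self-copy to a second volume)."""
    by_drive = defaultdict(lambda: {"autorun": False, "files": []})
    drives_per_name = defaultdict(set)
    for section, path in parse_sections(log):
        if section != "FILE":
            continue
        low = path.lower()
        drive = low[:2]
        if low == f"{drive}\\autorun.inf":
            by_drive[drive]["autorun"] = True
        elif ROOT_RE.match(low):
            by_drive[drive]["files"].append(low)
            drives_per_name[low.rpartition("\\")[2]].add(drive)
    spread = {n: sorted(d) for n, d in drives_per_name.items() if len(d) > 1}
    return dict(by_drive), spread


def firewall_disabled(log):
    """True when the standard-profile firewall policy key shows EnableFirewall=0."""
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
        elif section and "firewallpolicy\\standardprofile]" in section \
                and re.match(r'"enablefirewall"\s*=\s*0\b', line, re.I):
            return True
    return False


if __name__ == "__main__":
    for sec, path, why in suspicious_autostarts(SAMPLE_LOG):
        print(f"AUTOSTART {path}  ({why})  in {sec}")
    drives, spread = root_droppers(SAMPLE_LOG)
    for drive, info in sorted(drives.items()):
        print(f"ROOT {drive} autorun.inf={info['autorun']} files={info['files']}")
    print("SPREAD", spread)
    print("FIREWALL DISABLED", firewall_disabled(SAMPLE_LOG))
```

The `tcpip.sys` entry flagged as infected is deliberately not scored here: the Sigcheck lines show the `dllcache` and `drivers` copies carrying the same size and MD5, so the two copies agree with each other, and whether that hash is a stock Microsoft build or a patched one can only be settled by comparing it against a known-good hash for that build, which the log itself does not contain.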