dybvig1969
2008-08-13, 00:06
I have a PC from which I am having difficulty removing malware. I have included the log files from ComboFix and HijackThis. Can you help?
ComboFix 08-08-11.01 - thsystem 2008-08-12 15:28:37.1 - NTFSx86
Running from: C:\Documents and Settings\thsystem\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\#SharedObjects\LDLK5VFC\interclick.com
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\#SharedObjects\LDLK5VFC\interclick.com\ud.sol
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\vtUmJCRl.dll
----- BITS: Possible infected sites -----
http://tenfrhthwsus01.tenethealth.net:8530
.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.
2008-08-12 15:45 . 2007-10-17 10:24 70,976 --a------ C:\WINDOWS\system32\HIPIS0e00150.dll
2008-08-12 15:45 . 2008-08-12 15:45 37,622 --a------ C:\WINDOWS\system32\api_hook_list.dat
2008-08-12 14:55 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-12 14:55 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-11 15:56 . 2008-08-11 15:56 91 --a------ C:\WINDOWS\wininit.ini
2008-08-11 09:31 . 2008-08-11 09:31 <DIR> d-------- C:\Documents and Settings\nicholas.dybvig
2008-08-11 08:46 . 2008-08-11 08:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-11 08:46 . 2008-08-11 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 17:08 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-30 17:08 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-30 15:31 . 2008-07-30 15:31 <DIR> d-a------ C:\Temp
2008-07-16 01:56 . 2008-07-08 13:15 192,512 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2008-07-16 01:56 . 2007-10-17 10:43 61,440 --a------ C:\WINDOWS\system32\HcSql.dll
2008-07-16 01:56 . 2008-03-26 12:33 58,688 --a------ C:\WINDOWS\system32\HcApi.dll
2008-07-16 01:56 . 2007-10-17 10:43 12,800 --a------ C:\WINDOWS\system32\HcSvc.dll
2008-07-16 01:53 . 2007-10-17 10:26 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-16 01:53 . 2007-10-17 10:24 100,104 --a------ C:\WINDOWS\system32\drivers\HIPK.sys
2008-07-16 01:53 . 2007-10-17 10:27 55,016 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-07-16 01:53 . 2007-10-17 10:24 42,304 --a------ C:\WINDOWS\system32\hipqa.dll
2008-07-16 01:53 . 2007-10-17 10:24 30,856 --a------ C:\WINDOWS\system32\drivers\HIPPSK.sys
2008-07-16 01:53 . 2007-10-17 10:25 27,976 --a------ C:\WINDOWS\system32\drivers\HIPQK.sys
2008-07-16 01:53 . 2007-10-17 10:26 18,752 --a------ C:\WINDOWS\system32\mfehida.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 02:58 --------- d-----w C:\Program Files\OCS Inventory Agent
2008-07-16 06:50 --------- d-----w C:\Program Files\McAfee
2008-07-15 06:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56C0293C-6D2C-470C-9D98-1EC32138C47B}]
2008-07-09 14:12 318208 --a------ C:\DOCUME~1\FRH~1.AUT\LOCALS~1\Temp\urqQiHwt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 04:00 136512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"LastBootTime"="C:\Install\PCboottime.vbs" [2008-06-25 12:42 1089]
"McAfee Host Intrusion Prevention Tray"="C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-03-26 12:33 963904]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=FRHLocalAdmin.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-368618\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-391220\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-606584\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-765731\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-789778\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-821522\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-902231\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sentillion\\DesktopComponents\\COMAdapters\\C2W_CM.exe"=
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [2008-03-26 12:33]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;C:\Program Files\OCS Inventory Agent\ocsservice.exe [2007-02-27 14:32]
R2 VergenceLocatorSvc;Vergence Locator Service;C:\Program Files\Sentillion\DesktopComponents\VergenceLocator.exe [2006-05-23 14:56]
R3 FirehkMP;FirehkMP;C:\WINDOWS\system32\DRIVERS\firehk.sys [2008-02-29 11:09]
R3 HIPK;McAfee Inc. HIPK;C:\WINDOWS\system32\drivers\HIPK.sys [2007-10-17 10:24]
R3 HIPPSK;McAfee Inc. HIPPSK;C:\WINDOWS\system32\drivers\HIPPSK.sys [2007-10-17 10:24]
R3 HIPQK;McAfee Inc. HIPQK;C:\WINDOWS\system32\drivers\HIPQK.sys [2007-10-17 10:25]
R3 hips;McAfee HIPSCore Service;C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [2007-10-17 10:25]
S3 Firehk;McAfee NDIS Intermediate Filter;C:\WINDOWS\system32\DRIVERS\firehk.sys [2008-02-29 11:09]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ShStatEXE - C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
HKLM-Run-Network Associates Error Reporting Service - C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
MSConfigStartUp-fc04326b - C:\DOCUME~1\FRH~1.AUT\LOCALS~1\Temp\yahyiqtv.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 15:47:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Sentillion\Vergence Authenticator\Authenticator.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\WINDOWS\system32\DWRCST.EXE
.
**************************************************************************
.
Completion time: 2008-08-12 15:51:35 - machine was rebooted [thsystem]
ComboFix-quarantined-files.txt 2008-08-12 20:51:23
Pre-Run: 12,083,593,216 bytes free
Post-Run: 12,040,679,424 bytes free
136 --- E O F --- 2008-07-31 10:24:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:50 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Sentillion\DesktopComponents\VergenceLocator.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\Sentillion\Vergence Authenticator\Authenticator.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56C0293C-6D2C-470C-9D98-1EC32138C47B} - C:\DOCUME~1\FRH~1.AUT\LOCALS~1\Temp\urqQiHwt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LastBootTime] C:\Install\PCboottime.vbs
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.etenet.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173286747484
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tenethealth.net
O17 - HKLM\Software\..\Telephony: DomainName = tenethealth.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tenethealth.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tenethealth.net
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Mcshield.exe (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://ocsinventory.sourceforge.net - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Vergence Locator Service (VergenceLocatorSvc) - Sentillion, Inc. - C:\Program Files\Sentillion\DesktopComponents\VergenceLocator.exe
--
End of file - 5796 bytes
Thank you.
ComboFix 08-08-11.01 - thsystem 2008-08-12 15:28:37.1 - NTFSx86
Running from: C:\Documents and Settings\thsystem\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\#SharedObjects\LDLK5VFC\interclick.com
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\#SharedObjects\LDLK5VFC\interclick.com\ud.sol
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\frh.auto\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\vtUmJCRl.dll
----- BITS: Possible infected sites -----
http://tenfrhthwsus01.tenethealth.net:8530
.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.
2008-08-12 15:45 . 2007-10-17 10:24 70,976 --a------ C:\WINDOWS\system32\HIPIS0e00150.dll
2008-08-12 15:45 . 2008-08-12 15:45 37,622 --a------ C:\WINDOWS\system32\api_hook_list.dat
2008-08-12 14:55 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-12 14:55 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-11 15:56 . 2008-08-11 15:56 91 --a------ C:\WINDOWS\wininit.ini
2008-08-11 09:31 . 2008-08-11 09:31 <DIR> d-------- C:\Documents and Settings\nicholas.dybvig
2008-08-11 08:46 . 2008-08-11 08:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-11 08:46 . 2008-08-11 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 17:08 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-30 17:08 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-30 15:31 . 2008-07-30 15:31 <DIR> d-a------ C:\Temp
2008-07-16 01:56 . 2008-07-08 13:15 192,512 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2008-07-16 01:56 . 2007-10-17 10:43 61,440 --a------ C:\WINDOWS\system32\HcSql.dll
2008-07-16 01:56 . 2008-03-26 12:33 58,688 --a------ C:\WINDOWS\system32\HcApi.dll
2008-07-16 01:56 . 2007-10-17 10:43 12,800 --a------ C:\WINDOWS\system32\HcSvc.dll
2008-07-16 01:53 . 2007-10-17 10:26 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-16 01:53 . 2007-10-17 10:24 100,104 --a------ C:\WINDOWS\system32\drivers\HIPK.sys
2008-07-16 01:53 . 2007-10-17 10:27 55,016 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-07-16 01:53 . 2007-10-17 10:24 42,304 --a------ C:\WINDOWS\system32\hipqa.dll
2008-07-16 01:53 . 2007-10-17 10:24 30,856 --a------ C:\WINDOWS\system32\drivers\HIPPSK.sys
2008-07-16 01:53 . 2007-10-17 10:25 27,976 --a------ C:\WINDOWS\system32\drivers\HIPQK.sys
2008-07-16 01:53 . 2007-10-17 10:26 18,752 --a------ C:\WINDOWS\system32\mfehida.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 02:58 --------- d-----w C:\Program Files\OCS Inventory Agent
2008-07-16 06:50 --------- d-----w C:\Program Files\McAfee
2008-07-15 06:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56C0293C-6D2C-470C-9D98-1EC32138C47B}]
2008-07-09 14:12 318208 --a------ C:\DOCUME~1\FRH~1.AUT\LOCALS~1\Temp\urqQiHwt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 04:00 136512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"LastBootTime"="C:\Install\PCboottime.vbs" [2008-06-25 12:42 1089]
"McAfee Host Intrusion Prevention Tray"="C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-03-26 12:33 963904]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=FRHLocalAdmin.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-368618\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-391220\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-606584\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-765731\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-789778\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-821522\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-484763869-1708537768-1177238915-902231\Scripts\Logon\0\0]
"Script"=FRHLogon.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sentillion\\DesktopComponents\\COMAdapters\\C2W_CM.exe"=
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [2008-03-26 12:33]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;C:\Program Files\OCS Inventory Agent\ocsservice.exe [2007-02-27 14:32]
R2 VergenceLocatorSvc;Vergence Locator Service;C:\Program Files\Sentillion\DesktopComponents\VergenceLocator.exe [2006-05-23 14:56]
R3 FirehkMP;FirehkMP;C:\WINDOWS\system32\DRIVERS\firehk.sys [2008-02-29 11:09]
R3 HIPK;McAfee Inc. HIPK;C:\WINDOWS\system32\drivers\HIPK.sys [2007-10-17 10:24]
R3 HIPPSK;McAfee Inc. HIPPSK;C:\WINDOWS\system32\drivers\HIPPSK.sys [2007-10-17 10:24]
R3 HIPQK;McAfee Inc. HIPQK;C:\WINDOWS\system32\drivers\HIPQK.sys [2007-10-17 10:25]
R3 hips;McAfee HIPSCore Service;C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [2007-10-17 10:25]
S3 Firehk;McAfee NDIS Intermediate Filter;C:\WINDOWS\system32\DRIVERS\firehk.sys [2008-02-29 11:09]
.
Contents of the 'Scheduled Tasks' folder
2008-08-12 C:\WINDOWS\Tasks\shutdown.job
- c:\windows\system32\shutdown.exe [2004-08-04 07:00]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ShStatEXE - C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
HKLM-Run-Network Associates Error Reporting Service - C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
MSConfigStartUp-fc04326b - C:\DOCUME~1\FRH~1.AUT\LOCALS~1\Temp\yahyiqtv.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 15:47:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Sentillion\Vergence Authenticator\Authenticator.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\WINDOWS\system32\DWRCST.EXE
.
**************************************************************************
.
Completion time: 2008-08-12 15:51:35 - machine was rebooted [thsystem]
ComboFix-quarantined-files.txt 2008-08-12 20:51:23
Pre-Run: 12,083,593,216 bytes free
Post-Run: 12,040,679,424 bytes free
136 --- E O F --- 2008-07-31 10:24:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:50 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Sentillion\DesktopComponents\VergenceLocator.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\Sentillion\Vergence Authenticator\Authenticator.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56C0293C-6D2C-470C-9D98-1EC32138C47B} - C:\DOCUME~1\FRH~1.AUT\LOCALS~1\Temp\urqQiHwt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LastBootTime] C:\Install\PCboottime.vbs
O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.etenet.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173286747484
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tenethealth.net
O17 - HKLM\Software\..\Telephony: DomainName = tenethealth.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tenethealth.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tenethealth.net
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Mcshield.exe (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - http://ocsinventory.sourceforge.net - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Vergence Locator Service (VergenceLocatorSvc) - Sentillion, Inc. - C:\Program Files\Sentillion\DesktopComponents\VergenceLocator.exe
--
End of file - 5796 bytes
Thank you.