Hi
Can you help me please?
I have had to reinstall Windows from backup disks, which I created over a year ago. The problem is the disks seem to be corrupted with either spyware/malware/viruses. When I look at the msconfig startup option, a file called "recinfo" is ticked. I have since unticked this box.
I have done a ComboFix scan and initially it said rootkit activity detected. It said it was unable to delete any files, as I wasn't logged in as administrator. Once it reset, I tried again and it found a couple of recycle bin folders. I will post the results of the scans below.
ComboFix 09-10-28.08 - cpu 30/10/2009 22:19.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1014.437 [GMT 0:00]
Running from: d:\2 nights live disc 2\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2663419850-2949383644-2358543230-500
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.
2009-10-30 22:24 . 2009-10-30 22:24 -------- d-----w- c:\users\cpu\AppData\Local\temp
2009-10-30 22:24 . 2009-10-30 22:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-30 22:19 . 2007-02-12 12:36 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-10-30 22:19 . 2006-11-02 09:50 112232 ----a-w- c:\windows\system32\drivers\vsmraid.sys
2009-10-30 22:19 . 2006-11-02 09:49 19048 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-30 22:05 . 2009-10-30 22:05 -------- d-----w- c:\programdata\fsc-reg
2009-10-30 22:05 . 2009-10-30 22:05 -------- d-----w- c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2009-10-30 22:04 . 2009-10-30 22:05 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-10-30 22:04 . 2009-10-30 22:04 -------- d-----w- c:\users\cpu\AppData\Local\Seven Zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 22:09 . 2007-12-25 11:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-30 22:09 . 2007-12-25 11:58 -------- d-----w- c:\programdata\Symantec
2009-10-30 22:02 . 2009-10-30 22:02 70176 ----a-w- c:\users\cpu\AppData\Local\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2006-11-02 1196032]
"fsc-reg"="c:\programdata\fsc-reg\fscreg.exe" [2007-11-08 511248]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-12-25 1006264]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-04 133912]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-27 153136]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-13 4399104]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-10-30 22:24
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-10-30 22:26
ComboFix-quarantined-files.txt 2009-10-30 22:26
Pre-Run: 57,942,568,960 bytes free
Post-Run: 57,821,102,080 bytes free
- - End Of File - - 783E25BE2960AF5697DBD5EB39C6990C
I will post the results of the quarantined items:
2009-10-30 22:23:29 . 2009-10-30 22:23:29 2,859 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-10-30 22:10:26 . 2009-10-30 22:19:08 113 ----a-w- C:\Qoobox\Quarantine\catchme.log
2006-11-02 08:51:34 . 2006-11-02 09:49:36 19,048 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir
Thank you in advance for your help.