ComboFix 12-06-05.01 - Shoutbox 06/05/2012 16:51:12.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2789 [GMT -7:00]
Running from: d:\documents and settings\Shoutbox\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
D:\Autorun.inf
D:\dugk.pif
E:\Autorun.inf
E:\efdyc.pif
E:\gjflwb.exe
.
d:\windows.0\system32\userinit.exe . . . is infected!!
.
d:\windows.0\system32\lsass.exe . . . is infected!!
.
d:\windows.0\system32\winlogon.exe . . . is infected!!
.
d:\windows.0\system32\services.exe . . . is infected!!
.
d:\windows.0\system32\svchost.exe . . . is infected!!
.
d:\windows.0\system32\spoolsv.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
((((((((((((((((((((((((( Files Created from 2012-05-05 to 2012-06-05 )))))))))))))))))))))))))))))))
.
.
2012-06-05 23:56 . 2012-06-05 23:56 103140 --sh--r- D:\xrifk.pif
2012-06-05 23:29 . 2012-06-05 23:29 103140 --sh--r- D:\rcdiq.exe
2012-05-19 18:17 . 2012-05-19 18:17 -------- d-----w- D:\Inetpub
2012-05-18 23:12 . 2012-05-18 23:15 -------- d-----w- D:\NVIDIA
2012-05-18 22:33 . 2012-05-18 22:33 103140 --sh--r- D:\wugaok.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . 9059438FA74511ACBA5376FC075148FE . 91136 . . [5.1.2600.5512] . . d:\windows.0\system32\lsass.exe
[-] 2008-04-14 . 227BB68E0CF8C6CBE5702DD9D4EFBEFA . 182272 . . [5.1.2600.5512] . . d:\windows.0\system32\services.exe
[-] 2008-04-14 . 648661C5CABD01B663090B0EB2AA0617 . 131584 . . [5.1.2600.5512] . . d:\windows.0\system32\spoolsv.exe
[-] 2008-04-14 . 3FB85C03095D492850EDDE551ECABE93 . 585728 . . [5.1.2600.5512] . . d:\windows.0\system32\winlogon.exe
[-] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . d:\windows.0\system32\mshtml.dll
[-] 2008-04-14 . A408E5581011116C1D49C73D8E0F987F . 83968 . . [5.1.2600.5512] . . d:\windows.0\system32\svchost.exe
[-] 2008-04-14 . D72F68361A845D87986E84731A2B507E . 99840 . . [5.1.2600.5512] . . d:\windows.0\system32\userinit.exe
[-] 2010-01-30 . 505DE26E81DAE4DA9969FDED785935D3 . 2003968 . . [6.00.2900.5634] . . d:\windows.0\explorer.exe
[-] 2008-04-14 . E03F1C85ACAAE65782F3B592A47066F9 . 224256 . . [5.1.2600.5512] . . d:\windows.0\regedit.exe
[-] 2008-04-14 . 34002EF8A03D01F0340BFB2619459A19 . 93184 . . [5.1.2600.5512] . . d:\windows.0\system32\ctfmon.exe
[-] 2008-04-14 . 6C5856E2A97C66CC1823FF0AF8CD12E3 . 83456 . . [5.1.2600.5512] . . d:\windows.0\system32\wscntfy.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-06-05_23.29.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 01:00 . 2012-06-05 22:40 71060 d:\windows.0\system32\perfc009.dat
+ 2001-08-23 01:00 . 2012-06-05 23:38 71060 d:\windows.0\system32\perfc009.dat
+ 2001-08-23 01:00 . 2012-06-05 23:38 441124 d:\windows.0\system32\perfh009.dat
- 2001-08-23 01:00 . 2012-06-05 22:40 441124 d:\windows.0\system32\perfh009.dat
+ 2012-06-05 23:37 . 2012-06-05 23:37 371272 d:\windows.0\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
- 2012-06-05 23:06 . 2012-06-05 23:06 371272 d:\windows.0\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vistart"="d:\program files\E7-Addons\ViStart\ViStart.exe" [2009-01-07 1281996]
"VisualTaskTips"="d:\program files\E7-Addons\VisualTaskTips\VisualTaskTips.exe" [2008-06-22 135168]
"Styler"="d:\program files\E7-Addons\Styler\Styler.exe" [2007-04-15 376832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2011-06-24 20053608]
"NvCplDaemon"="d:\windows.0\system32\NvCpl.dll" [2012-02-29 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-29 108352]
"nwiz"="d:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-29 1634112]
"ArcSoft Connection Service"="d:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-06 195072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Vistart"="d:\program files\E7-Addons\ViStart\ViStart.exe" [2009-01-07 1281996]
"VisualTaskTips"="d:\program files\E7-Addons\VisualTaskTips\VisualTaskTips.exe" [2008-06-22 135168]
"Styler"="d:\program files\E7-Addons\Styler\Styler.exe" [2007-04-15 376832]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-16 124928]
.
d:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Utility.lnk - d:\program files\EDIMAX\Common\RaUI.exe [2012-5-18 1683456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"HideRunAsVerb"= 1 (0x1)
"Start_ShowHelp"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="d:\windows.0\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\wugaok.exe"=
"d:\\WINDOWS.0\\system32\\regsvr32.exe"=
"d:\\Program Files\\E7-Addons\\Styler\\Styler.exe"=
"d:\\Program Files\\Common Files\\Adobe\\Installers\\678cd98c8365a5647f9a2e539d120a8\\Setup.exe"=
"c:\\itnmnd.exe"=
"d:\\WINDOWS.0\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\WINDOWS.0\\system32\\sessmgr.exe"=
"d:\\WINDOWS.0\\system32\\dumprep.exe"=
"d:\\Program Files\\E7-Addons\\VisualTaskTips\\VisualTaskTips.exe"=
"d:\\Program Files\\EDIMAX\\Common\\RalinkRegistryWriter.exe"=
"d:\\WINDOWS.0\\RTHDCPL.EXE"=
"d:\\Program Files\\EDIMAX\\Common\\RaUI.exe"=
"d:\\Program Files\\Sony Ericsson\\Sony Ericsson PC Suite\\SEPCSuite.exe"=
"d:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"\\??\\d:\\WINDOWS.0\\system32\\winlogon.exe"=
.
R1 VBoxDrv;VirtualBox Service;d:\windows.0\system32\drivers\VBoxDrv.sys [5/19/2012 11:09 AM 158512]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;d:\windows.0\system32\drivers\VBoxUSBMon.sys [5/19/2012 11:09 AM 91440]
R2 nvUpdatusService;NVIDIA Update Service Daemon;d:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [5/18/2012 4:16 PM 2348352]
R2 OMSI download service;Sony Ericsson OMSI download service;d:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [5/18/2012 8:45 PM 167936]
R2 SkypeUpdate;Skype Updater;d:\program files\Skype\Updater\Updater.exe [5/3/2012 8:31 AM 158856]
R3 PAC207;PC Camer@;d:\windows.0\system32\drivers\PFC027.SYS [6/5/2012 11:26 AM 618112]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);d:\windows.0\system32\drivers\s0016bus.sys [5/18/2012 8:30 PM 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;d:\windows.0\system32\drivers\s0016mdfl.sys [5/18/2012 8:30 PM 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;d:\windows.0\system32\drivers\s0016mdm.sys [5/18/2012 8:30 PM 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);d:\windows.0\system32\drivers\s0016mgmt.sys [5/18/2012 8:30 PM 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);d:\windows.0\system32\drivers\s0016nd5.sys [5/18/2012 8:30 PM 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;d:\windows.0\system32\drivers\s0016obex.sys [5/18/2012 8:30 PM 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);d:\windows.0\system32\drivers\s0016unic.sys [5/18/2012 8:30 PM 115752]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;d:\windows.0\system32\drivers\VBoxNetAdp.sys [12/19/2011 2:12 PM 104752]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;d:\windows.0\system32\drivers\VBoxNetFlt.sys [12/19/2011 2:11 PM 116016]
S2 zclqkfo;Helper Update;d:\windows.0\system32\svchost.exe -k netsvcs [4/13/2008 7:42 PM 83968]
S3 Ambfilt;Ambfilt;d:\windows.0\system32\drivers\Ambfilt.sys [5/18/2012 3:35 PM 1691480]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
zclqkfo
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - d:\documents and settings\Shoutbox\Application Data\Mozilla\Firefox\Profiles\fm02ddjx.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-05 16:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zclqkfo]
"ServiceDll"="d:\windows.0\system32\nkwuikn.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2900)
d:\program files\E7-Addons\VisualTaskTips\VttHooks.dll
d:\docume~1\Shoutbox\LOCALS~1\Temp\7Start\MainHook.Dll
d:\windows.0\system32\msi.dll
d:\windows.0\system32\wpdshserviceobj.dll
d:\windows.0\system32\portabledevicetypes.dll
d:\windows.0\system32\portabledeviceapi.dll
.
- - - - - - - > 'explorer.exe'(2588)
d:\program files\E7-Addons\VisualTaskTips\VttHooks.dll
d:\program files\E7-Addons\Styler\TB\StylerTB.dll
d:\windows.0\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
d:\windows.0\system32\nvsvc32.exe
d:\program files\EDIMAX\Common\RalinkRegistryWriter.exe
d:\windows.0\RTHDCPL.EXE
d:\windows.0\system32\RunDLL32.exe
d:\docume~1\Shoutbox\LOCALS~1\Temp\7Start\ViStart.exe
.
**************************************************************************
.
Completion time: 2012-06-05 16:58:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-05 23:58
ComboFix2.txt 2012-06-05 23:31
.
Pre-Run: 14,280,450,048 bytes free
Post-Run: 14,247,952,384 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 40E01D10AC8C9FC55A6D05863E25D1A6
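The log above carries several indicators a responder would act on before anything else: core system binaries ComboFix marked as infected, a Winlogon Userinit value that no longer points at userinit.exe, Security Center override and notification-suppression values, firewall exceptions for bare executables sitting in a drive root (d:\wugaok.exe, c:\itnmnd.exe), hidden/system files dropped next to the deleted autorun.inf files, and a svchost-hosted service (zclqkfo) whose ServiceDll is an unfamiliar DLL in system32. The script below is an added triage example, not part of the posted log and not ComboFix's own code; it parses a constructed excerpt taken from this log and reports those indicators. The line formats it expects are the ones ComboFix 12-06-05 produced here and are assumed to hold for other versions.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code).
SAMPLE_LOG is a constructed excerpt of the log posted above; the line layouts
the regexes expect are those of ComboFix 12-06-05 as seen there (assumption)."""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
d:\windows.0\system32\userinit.exe . . . is infected!!
d:\windows.0\system32\lsass.exe . . . is infected!!
2012-06-05 23:56 . 2012-06-05 23:56 103140 --sh--r- D:\xrifk.pif
2012-05-19 18:17 . 2012-05-19 18:17 -------- d-----w- D:\Inetpub
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="d:\windows.0\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\wugaok.exe"=
"d:\\WINDOWS.0\\system32\\sessmgr.exe"=
"c:\\itnmnd.exe"=
.
S2 zclqkfo;Helper Update;d:\windows.0\system32\svchost.exe -k netsvcs [4/13/2008 7:42 PM 83968]
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zclqkfo]
"ServiceDll"="d:\windows.0\system32\nkwuikn.dll"
"""

RegBlocks = Dict[str, List[Tuple[str, str]]]


def parse_registry_blocks(log: str) -> RegBlocks:
    """Collect the REGEDIT4-style [key] / "name"=value lines, keyed by lower-cased key path."""
    blocks: RegBlocks = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            blocks.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"\s*=\s*(.*)$', line)
            if m:
                blocks[current].append((m.group(1), m.group(2).strip().strip('"')))
    return blocks


def find_indicators(log: str) -> List[str]:
    """Return one human-readable finding per indicator worth acting on."""
    findings: List[str] = []

    for raw in log.splitlines():
        line = raw.strip()
        # ComboFix flags core system binaries whose code it found patched in place.
        if line.endswith("is infected!!"):
            findings.append("patched system binary: " + line.split(" . . .")[0])
        # --sh--r- = hidden + system + read-only; at a drive root, next to an
        # autorun.inf, that is the classic removable-media spreader layout.
        m = re.search(r"\s--sh--r-\s+([A-Za-z]:\\[^\\\s]+)$", line)
        if m:
            findings.append("hidden/system file in drive root: " + m.group(1))

    reg = parse_registry_blocks(log)
    for key, values in reg.items():
        if key.endswith(r"\winlogon"):
            # Userinit should be <system32>\userinit.exe, (trailing comma); anything
            # else is executed by winlogon at every interactive logon.
            for name, val in values:
                if name.lower() == "userinit" and not val.lower().rstrip(",").endswith(r"\userinit.exe"):
                    findings.append("Userinit hijacked: " + val)
        elif "security center" in key:
            # *Override / *DisableNotify = 1 silence the AV/firewall/update warnings.
            for name, val in values:
                if (name.endswith("Override") or name.endswith("DisableNotify")) and val.endswith("00000001"):
                    findings.append("Security Center suppressed: " + name + "=1")
        elif key.endswith(r"\authorizedapplications\list"):
            # Firewall exceptions for bare executables in a drive root: no installer puts them there.
            for name, _ in values:
                path = name.replace("\\\\", "\\")
                if re.fullmatch(r"[A-Za-z]:\\[^\\]+\.(exe|pif|scr|com)", path, re.IGNORECASE):
                    findings.append("firewall exception for drive-root binary: " + path)

    # Services hosted by svchost.exe: the DLL named in ServiceDll is what actually runs.
    for name, group in re.findall(r"^[RS]\d\s+(\S+?);[^;]*;\S*svchost\.exe -k (\S+)", log, re.M):
        for key, values in reg.items():
            if key.endswith("\\services\\" + name.lower()):
                for vname, val in values:
                    if vname.lower() == "servicedll":
                        findings.append(f"svchost ({group}) service {name} loads {val}")

    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

Run against the full log, the same checks also pick up D:\rcdiq.exe and D:\wugaok.exe from the Files Created section and the remaining Security Center values under the Svc key; the Sigcheck block is deliberately left alone, since ComboFix itself notes that an unsigned file is not on its own evidence of anything.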