ComboFix 10-11-02.04 - mindara 05/17/2004 0:35.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.191 [GMT 4.5:30]
Running from: g:\instalki\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\mindara\klxir.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\K-Lite Codec Pack\Tools\StatsReader.exe
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\system\WINSPOOL.DRV
c:\windows\system32\sshnas21.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\regedit.exe . . . is infected!!
c:\windows\system32\msgsvc.dll . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
c:\windows\hh.exe . . . is infected!!
c:\windows\NOTEPAD.EXE . . . is infected!!
Infected copy of c:\windows\winhlp32.exe was found and disinfected
Restored copy from - c:\windows\system32\winhlp32.exe
c:\windows\pchealth\helpctr\binaries\HelpCtr.exe . . . is infected!!
c:\windows\pchealth\helpctr\binaries\msconfig.exe . . . is infected!!
c:\windows\system32\accwiz.exe . . . is infected!!
c:\windows\system32\ahui.exe . . . is infected!!
c:\windows\system32\clipbrd.exe . . . is infected!!
c:\windows\system32\clipsrv.exe . . . is infected!!
c:\windows\system32\cmd.exe . . . is infected!!
c:\windows\system32\cmdl32.exe . . . is infected!!
c:\windows\system32\cmmon32.exe . . . is infected!!
c:\windows\system32\cmstp.exe . . . is infected!!
c:\windows\system32\conime.exe . . . is infected!!
c:\windows\system32\cscript.exe . . . is infected!!
c:\windows\system32\ctfmon.exe . . . is infected!!
c:\windows\system32\ddeshare.exe . . . is infected!!
c:\windows\system32\dpvsetup.exe . . . is infected!!
c:\windows\system32\dxdiag.exe . . . is infected!!
c:\windows\system32\eudcedit.exe . . . is infected!!
c:\windows\system32\fsquirt.exe . . . is infected!!
c:\windows\system32\grpconv.exe . . . is infected!!
c:\windows\system32\logonui.exe . . . is infected!!
c:\windows\system32\magnify.exe . . . is infected!!
c:\windows\system32\mmc.exe . . . is infected!!
c:\windows\system32\mnmsrvc.exe . . . is infected!!
c:\windows\system32\mobsync.exe . . . is infected!!
c:\windows\system32\mplay32.exe . . . is infected!!
c:\windows\system32\msdtc.exe . . . is infected!!
c:\windows\system32\mshta.exe . . . is infected!!
c:\windows\system32\msiexec.exe . . . is infected!!
c:\windows\system32\mspaint.exe . . . is infected!!
c:\windows\system32\narrator.exe . . . is infected!!
c:\windows\system32\nslookup.exe . . . is infected!!
c:\windows\system32\ntbackup.exe . . . is infected!!
c:\windows\system32\ntkrnlpa.exe . . . is infected!!
c:\windows\system32\ntoskrnl.exe . . . is infected!!
c:\windows\system32\odbcad32.exe . . . is infected!!
c:\windows\system32\osk.exe . . . is infected!!
c:\windows\system32\packager.exe . . . is infected!!
c:\windows\system32\perfmon.exe . . . is infected!!
c:\windows\system32\progman.exe . . . is infected!!
c:\windows\system32\proquota.exe . . . is infected!!
c:\windows\system32\rasphone.exe . . . is infected!!
c:\windows\system32\rcimlby.exe . . . is infected!!
c:\windows\system32\rsnotify.exe . . . is infected!!
c:\windows\system32\rtcshare.exe . . . is infected!!
c:\windows\system32\rundll32.exe . . . is infected!!
c:\windows\system32\runonce.exe . . . is infected!!
Infected copy of c:\windows\system32\setup.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{0BBD1166-5610-4100-959A-B8F8260023AF}\RP7\A0007226.exe
c:\windows\system32\shrpubw.exe . . . is infected!!
c:\windows\system32\sigverif.exe . . . is infected!!
c:\windows\system32\sndrec32.exe . . . is infected!!
c:\windows\system32\spider.exe . . . is infected!!
c:\windows\system32\stimon.exe . . . is infected!!
c:\windows\system32\sysocmgr.exe . . . is infected!!
c:\windows\system32\taskmgr.exe . . . is infected!!
c:\windows\system32\telnet.exe . . . is infected!!
c:\windows\system32\tourstart.exe . . . is infected!!
c:\windows\system32\utilman.exe . . . is infected!!
c:\windows\system32\wextract.exe . . . is infected!!
c:\windows\system32\wiaacmgr.exe . . . is infected!!
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\system32\wpabaln.exe . . . is infected!!
c:\windows\system32\wscript.exe . . . is infected!!
c:\windows\system32\wuauclt1.exe . . . is infected!!
c:\windows\system32\oobe\msoobe.exe . . . is infected!!
c:\windows\system32\oobe\oobebaln.exe . . . is infected!!
c:\windows\system32\Restore\rstrui.exe . . . is infected!!
c:\windows\system32\usmt\migload.exe . . . is infected!!
c:\windows\system32\usmt\migwiz.exe . . . is infected!!
c:\windows\system32\usmt\migwiza.exe . . . is infected!!
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
-------\Service_SSHNAS

((((((((((((((((((((((((( Files Created from 2004-04-16 to 2004-05-16 )))))))))))))))))))))))))))))))
.
2004-05-17 09:45 . 2004-05-17 09:45 -------- d-----w- C:\UsbFix
2004-05-17 09:42 . 2004-05-17 09:42 -------- d-----w- C:\_OTL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 06:26 . 2004-05-17 07:24 853054 ----a-w- c:\windows\srchasst\srchui.dll
2008-08-23 06:24 . 2004-05-17 07:24 43008 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2008-08-23 06:23 . 2004-05-17 07:24 3207168 ----a-w- c:\windows\srchasst\msgr3en.dll
2008-08-23 06:23 . 2004-05-17 07:24 191488 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2008-08-23 06:22 . 2004-05-17 07:23 761344 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpCtr.exe
2008-07-12 19:48 . 2001-08-18 02:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2008-07-12 19:48 . 2001-08-18 02:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2008-07-12 19:48 . 2001-08-18 02:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2008-07-12 19:48 . 2001-08-18 02:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2008-07-12 19:48 . 2001-08-18 02:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2008-07-12 19:48 . 2001-08-18 02:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2008-07-12 19:48 . 2001-08-18 02:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2008-07-12 19:48 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\tsbyuv.dll
2008-07-12 19:48 . 2001-08-18 02:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2008-07-12 19:48 . 2001-08-18 02:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2008-07-12 19:48 . 2001-08-18 02:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2008-07-12 19:48 . 2001-08-18 02:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2008-07-12 19:48 . 2001-08-18 02:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2008-07-12 19:48 . 2001-08-18 02:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2008-07-12 19:48 . 2001-08-18 02:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2008-07-12 19:48 . 2001-08-18 02:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2008-07-12 19:48 . 2001-08-18 02:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2008-07-12 19:48 . 2001-08-18 02:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2008-07-12 19:48 . 2001-08-18 02:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2008-07-12 19:48 . 2001-08-18 02:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2008-07-12 19:48 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\streamci.dll
2008-07-12 19:48 . 2001-08-18 02:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2008-07-12 19:48 . 2001-08-18 02:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2008-07-12 19:48 . 2001-08-18 02:36 69632 ----a-w- c:\windows\system32\spnike.dll
2008-07-12 19:48 . 2001-08-18 02:36 157696 ----a-w- c:\windows\system32\paqsp.dll
2008-07-12 19:48 . 2001-08-18 02:36 147968 ----a-w- c:\windows\system32\mdwmdmsp.dll
2008-07-12 19:48 . 2001-08-17 18:06 21376 ----a-w- c:\windows\system32\drivers\tsbvcap.sys
2008-07-12 19:48 . 2001-08-17 18:02 262528 ----a-w- c:\windows\system32\drivers\cinemst2.sys
2008-07-12 19:48 . 2001-08-17 18:02 58112 ----a-w- c:\windows\system32\drivers\vdmindvd.sys
2008-07-12 19:48 . 2001-08-17 18:01 51712 ----a-w- c:\windows\system32\drivers\tosdvd.sys
2008-07-12 19:48 . 2001-08-17 17:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2008-07-12 19:48 . 2001-08-17 17:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2008-07-12 19:48 . 2001-08-17 17:24 12032 ----a-w- c:\windows\system32\drivers\riodrv.sys
2008-07-12 19:48 . 2001-08-17 17:24 12032 ----a-w- c:\windows\system32\drivers\rio8drv.sys
2008-07-12 19:48 . 2001-08-17 17:24 12032 ----a-w- c:\windows\system32\drivers\nikedrv.sys
2008-07-12 19:48 . 2001-08-17 17:24 11776 ----a-w- c:\windows\system32\drivers\cpqdap01.sys
2008-04-14 08:29 . 2008-04-14 08:29 451072 ----a-w- c:\windows\apppatch\AcLayers.dll
2008-04-14 08:29 . 2008-04-14 08:29 39424 ----a-w- c:\windows\apppatch\AcAdProc.dll
2008-04-14 08:29 . 2008-04-14 08:29 34816 ----a-w- c:\windows\help\sniffpol.dll
2008-04-14 08:29 . 2008-04-14 08:29 3374640 ----a-w- c:\windows\help\Tours\mmTour\tour.exe
2008-04-14 08:29 . 2008-04-14 08:29 33280 ----a-w- c:\windows\help\sstub.dll
2008-04-14 08:29 . 2008-04-14 08:29 279040 ----a-w- c:\windows\help\TSHOOT.dll
2008-04-14 08:29 . 2008-04-14 08:29 245248 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2008-04-14 08:29 . 2008-04-14 08:29 1852928 ----a-w- c:\windows\apppatch\AcGenral.dll
2008-04-14 08:29 . 2008-04-14 08:29 152576 ----a-w- c:\windows\help\bnts.dll
2008-04-14 08:29 . 2008-04-14 08:29 141312 ----a-w- c:\windows\apppatch\AcLua.dll
2008-04-14 08:29 . 2008-04-14 08:29 116224 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2008-04-14 08:29 . 2004-05-17 07:24 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2008-04-14 08:29 . 2004-05-17 07:24 6656 ----a-w- c:\windows\pchealth\helpctr\binaries\HCAppRes.dll
2008-04-14 08:29 . 2004-05-17 07:24 21504 ----a-w- c:\windows\pchealth\helpctr\binaries\brpinfo.dll
2008-04-14 08:29 . 2004-05-17 07:24 58434 ----a-w- c:\windows\srchasst\srchctls.dll
2008-04-14 08:29 . 2004-05-17 07:24 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\UploadM.exe
2008-04-14 08:29 . 2004-05-17 07:24 38400 ----a-w- c:\windows\pchealth\helpctr\binaries\pchsvc.dll
2008-04-14 08:29 . 2004-05-17 07:24 102912 ----a-w- c:\windows\pchealth\helpctr\binaries\pchshell.dll
2008-04-14 08:29 . 2004-05-17 07:24 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2008-04-14 08:29 . 2004-05-17 07:24 376832 ----a-w- c:\windows\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 08:29 . 2004-05-17 07:24 18432 ----a-w- c:\windows\pchealth\helpctr\binaries\HscUpd.exe
.
------- Sigcheck -------
[-] 2008-08-23 . 87576541BA029261CA7C6136367E6D42 . 588800 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-08-23 . 46EC7ED696EFEEF5E3E39675E3E7686F . 693248 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2008-04-14 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[-] 2008-08-23 . 0A98E9ACCD69653136ADA38CE1F9150D . 2350208 . . [5.1.2600.5512] . . c:\windows\system32\ntoskrnl.exe
[-] 2008-08-23 . 6FBE974874389B7D5F11870747B8622C . 516096 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2008-08-23 . 1EA692C7EAA1E3680B5666B5B79EE66D . 1334784 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
[-] 2008-08-23 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2008-08-23 . 5726B241B5F072CC6811AE58A0DF3D00 . 2227072 . . [5.1.2600.5512] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu 10"="c:\program files\Gadu-Gadu 10\gg.exe" [2010-04-21 11985504]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-08-23 37376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu 10\\gg.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2008-04-23 00:46 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\mindara\Application Data\Mozilla\Firefox\Profiles\iy4zleck.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wfret - c:\documents and settings\mindara\wfret.exe
HKCU-Run-xaouqay - c:\documents and settings\mindara\xaouqay.exe
HKCU-Run-hfwir - c:\documents and settings\mindara\hfwir.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2004-05-17 00:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2004-05-17 00:54:00 - machine was rebooted
ComboFix-quarantined-files.txt 2004-05-16 20:23

Pre-Run: 74,347,851,776 bytes free
Post-Run: 74,089,320,448 bytes free

- - End Of File - - 2669B98EDB7DCCBF41DBE6180FF82168