ComboFix 08-12-28.04 - bbb 2008-12-30 1:18:11.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.76 [GMT 5.5:30]
Running from: C:\Documents and Settings\bbb\Desktop\iexplore.exe
Command switches used :: C:\Documents and Settings\bbb\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Sygate Personal Firewall Pro *disabled*
 * Created a new restore point

FILE ::
c:\windows\system32\drivers\hmomsn.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Legacy_FCVJOFNMS
-------\Legacy_RHGML
-------\Service_abp470n5
-------\Service_fcvjofnms
-------\Service_rhgml


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-30 01:11 . 2008-12-30 01:11 d-------- C:\Program Files\Unlocker
2008-12-29 02:24 . 2008-12-29 02:24 d-------- C:\ComboFix
2008-12-29 02:13 . 2008-12-29 02:13 250 --a------ C:\WINDOWS\gmer.ini
2008-12-29 01:00 . 2008-12-29 01:00 d-------- C:\Documents and Settings\bbb\Application Data\FlashFXP
2008-12-29 00:58 . 2008-12-29 00:58 d-------- C:\rsit
2008-12-29 00:50 . 2008-12-29 00:50 d-------- C:\Documents and Settings\bbb\Application Data\TuneUp Software
2008-12-29 00:48 . 2008-12-29 00:48 d-------- C:\Documents and Settings\bbb\Application Data\Simply Super Software
2008-12-29 00:46 . 2008-12-29 00:46 d--hs---- C:\FOUND.026
2008-12-29 00:46 . 2008-12-29 00:46 d-------- C:\Documents and Settings\bbb
2008-12-24 18:07 . 2008-12-24 18:07 d-------- C:\WINDOWS\ERUNT
2008-12-24 18:03 . 2008-11-06 02:03 d-------- C:\SDFix
2008-12-24 17:57 . 2008-12-24 17:57 d-------- C:\Program Files\Trend Micro
2008-12-24 17:13 . 2008-12-24 17:13 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-24 17:13 . 2008-12-24 17:13 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-24 17:13 . 2008-12-24 17:13 d-------- C:\Documents and Settings\Administrator.TYRANT.000\Application Data\Malwarebytes
2008-12-24 17:13 . 2008-12-03 19:58 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-24 17:13 . 2008-12-03 19:58 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-12-21 23:56 . 2008-12-21 23:56 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-12-21 23:52 . 2008-12-21 23:52 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2008-12-05 03:22 . 2008-12-05 03:22 d-------- C:\Program Files\FlashGet
2008-12-05 02:38 . 2008-12-05 02:38 d-------- C:\Program Files\Operaalpha
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-12-28 21:07 1,032,192 ----a-w C:\WINDOWS\system32\dllcache\explorer.exe
2008-12-28 21:07 1,032,192 ----a-w C:\WINDOWS\explorer.exe
2008-11-18 22:07 --------- d-----w C:\Documents and Settings\Administrator.TYRANT.000\Application Data\AutoSizer
2008-11-17 00:51 --------- d-----w C:\Program Files\Everything
2008-10-31 21:00 --------- d-----w C:\Program Files\FLVHosting
2008-11-15 23:53 67,696 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2008-11-15 23:53 34,952 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2008-11-15 23:53 46,720 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2008-11-15 23:53 54,376 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-11-15 23:53 172,144 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-29_ 2.39.54.23 )))))))))))))))))))))))))))))))))))))))))
.

+ 2004-08-03 19:56:44 67,584 ----a-w C:\WINDOWS\system32\jcjwzrlr.dll
+ 2008-12-29 19:50:48 16,384 ----a-w C:\WINDOWS\temp\Perflib_Perfdata_7e4.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-09 19:32 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 17:10 28672]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2005-09-27 12:16 2717392]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-12-24 15:13 1230728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= C:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.VP60"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP61"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP62"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP70"= C:\PROGRA~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= C:\PROGRA~1\K-LITE~1\codecs\vp31vfw.dll
"VIDC.FFDS"= C:\PROGRA~1\K-LITE~1\ffdshow\ff_vfw.dll
"msacm.ac3acm"= C:\PROGRA~1\K-LITE~1\codecs\ac3acm.acm
"msacm.l3fhg"= C:\PROGRA~1\K-LITE~1\codecs\l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AudioDeck"=C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe
"SiS Tray"=C:\WINDOWS\system32\sistray.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\foobar2000\\foobar2000.exe"=
"C:\\Program Files\\Trojan Remover\\Sschk.exe"=
"C:\\PROGRA~1\\Sygate\\SPF\\smc.exe"=
"C:\\PROGRA~1\\BANDWI~1\\Bandwidth Monitor Pro.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"C:\\WINDOWS\\system32\\wscntfy.exe"=
"C:\\WINDOWS\\regedit.exe"=
"C:\\WINDOWS\\system32\\cmd.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bandwidth Monitor Pro\\Bandwidth Monitor Pro.exe"=
"C:\\WINDOWS\\htpatch.exe"=
"C:\\Program Files\\Sygate\\SPF\\Smc.exe"=
"C:\\iexplore\\regt.cfexe"=
"C:\\WINDOWS\\system32\\netsh.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2879:TCP"= 2879:TCP:WWW

S2 lzdtbcg;lzdtbcg;C:\WINDOWS\system32\svchost.exe -k netsvcs [2008-07-27 03:27:19 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
lzdtbcg

*Newly Created Service* - ABP470N5
*Newly Created Service* - LZDTBCG
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
.
------- Supplementary Scan -------
.
IE: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
IE: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
TCP: {287F7905-70FB-4FF8-8DF7-A72E8941FB8D} = 208.67.220.220 208.67.222.222
TCP: {43E2F0E8-E4DB-4ADC-9BD9-946CBA87A143} = 208.67.222.222,208.67.220.220
C:\WINDOWS\Downloaded Program Files\CTSUEng.ocx - C:\WINDOWS\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
C:\WINDOWS\Downloaded Program Files\CTSUEng.inf

FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 01:20:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = C:\WINDOWS\htpatch.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-12-30 1:21:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 19:51:46
ComboFix2.txt 2008-12-28 21:10:42

Pre-Run: 569,024,512 bytes free
Post-Run: 542,384,128 bytes free

Ok.