ComboFix 12-01-16.02 - Ricky 01/16/2012 18:42:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.318 [GMT -5:00]
Running from: c:\documents and settings\Ricky\Desktop\ComboFix.exe
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\salesmonitor
c:\documents and settings\All Users\Application Data\winantispyware 2007
c:\documents and settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
c:\documents and settings\All Users\Application Data\winantispyware 2007\Data\ProductCode
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\Mary Kay\System
c:\documents and settings\Mary Kay\System\win_qs7.jqx
c:\documents and settings\Ricky\Application Data\Ifsun
c:\documents and settings\Ricky\Application Data\Ifsun\fopo.sae
c:\documents and settings\Ricky\Application Data\Ifsun\fopo.tmp
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
c:\documents and settings\Ricky\Application Data\WinAntiSpyware 2006
c:\documents and settings\Ricky\Application Data\WinAntiSpyware 2006\Logs\update.log
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.i01.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\AntiSpywareMaster
c:\program files\AntiSpywareMaster\install_asm_update_scanner.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\069A8800.dat
c:\program files\Hotbar
c:\program files\inetget2
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\network monitor
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\winpop
c:\temp\tn3
c:\windows\cdmxtras
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\retadpu.exe.bin
c:\windows\system32\c_42144.nl_
c:\windows\system32\c_42144.nls
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\kungsflrpumxts.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\o02PrEz
c:\windows\system32\odetmngk.dll
c:\windows\system32\W1
c:\windows\system32\W2
c:\windows\system32\W3
c:\windows\system32\W4
c:\windows\system32\W5
c:\windows\system32\win
c:\windows\TWFyeSBLYXk
.
Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
.
c:\windows\system32\drivers\serial.sys . . . is infected!!
.
c:\program files\Application Updater\ApplicationUpdater.exe . . . is infected!!
c:\program files\Application Updater\ApplicationUpdater.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . . . is infected!!
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Viewpoint\Common\ViewpointService.exe . . . is infected!!
c:\program files\Viewpoint\Common\ViewpointService.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_FOPN
-------\Legacy_NETWORK_MONITOR
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_ApiMon
-------\Service_cbea64eb
-------\Service_cmdService
-------\Service_core
-------\Service_DomainService
-------\Service_Network Monitor
-------\Service_Windows Overlay Components
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-10 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
S2 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: Compare Prices with &Dealio - c:\documents and settings\Ricky\Application Data\Dealio\kb124\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{21652878-587A-466C-987A-C31EC6E38803} - c:\program files\ComPlus Applications\holenu4444.dll
BHO-{664E992D-7D84-47A5-90E7-470D398D4B1F} - c:\program files\ComPlus Applications\holenu83122.dll
SafeBoot-20410191.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-16 19:45
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2012-01-16 19:51:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 00:51
.
Pre-Run: 8,083,087,360 bytes free
Post-Run: 8,797,130,752 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AE82FB7F5717D275AA7D2E93D40B4895