ComboFix 12-01-23.02 - Ricky 01/23/2012 22:28:49.4.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.301 [GMT -5:00] Running from: c:\documents and settings\Ricky\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ricky\Desktop\CFScript.txt * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\$NtUninstallKB20734$ c:\windows\$NtUninstallKB20734$\2829397833 c:\windows\$NtUninstallKB20734$\3421136107\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} c:\windows\$NtUninstallKB20734$\3421136107\L\odetmngk c:\windows\$NtUninstallKB20734$\3421136107\loader.tlb c:\windows\$NtUninstallKB20734$\3421136107\U\@00000001 c:\windows\$NtUninstallKB20734$\3421136107\U\@000000c0 c:\windows\$NtUninstallKB20734$\3421136107\U\@000000cb c:\windows\$NtUninstallKB20734$\3421136107\U\@000000cf c:\windows\$NtUninstallKB20734$\3421136107\U\@80000000 c:\windows\$NtUninstallKB20734$\3421136107\U\@800000c0 c:\windows\$NtUninstallKB20734$\3421136107\U\@800000cb c:\windows\$NtUninstallKB20734$\3421136107\U\@800000cf c:\windows\system32\c_42144.nls . Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected Restored copy from - The cat found it :) . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_cbea64eb . . ((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 ))))))))))))))))))))))))))))))) . . 2012-01-24 03:24 . 2004-08-04 10:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys 2012-01-24 03:24 . 2004-08-04 10:00 64896 ----a-w- c:\windows\system32\dllcache\serial.sys 2012-01-22 04:22 . 2012-01-22 04:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes 2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL 2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys 2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys 2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys 2012-01-10 01:21 . 2012-01-22 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys 2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\ERDNT\cache\iexplore.exe [7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\system32\dllcache\iexplore.exe [7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe [7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe [7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe [7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe [7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe [7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe [7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe [7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe [7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe [7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe [7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe [7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe [7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe [7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe [7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe [7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe [7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe [7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe [7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe [7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe [7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe [7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe [7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe [7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe [7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe [7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe [7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\iexplore.exe [7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe [7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe [7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe [7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe [7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe [7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe [7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe [7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\iexplore.exe [7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe [7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\iexplore.exe [7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe [7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe . ((((((((((((((((((((((((((((( SnapShot@2012-01-17_00.45.55 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-10 17:51 . 2005-05-04 19:45 78848 c:\windows\system32\msiexec.exe + 2012-01-22 06:11 . 2012-01-22 06:11 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat + 2012-01-22 06:11 . 2012-01-22 10:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012012220120123\index.dat + 2005-11-29 17:34 . 2012-01-22 06:11 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2005-11-29 17:34 . 2012-01-22 10:29 114688 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176] . c:\documents and settings\Ricky\Start Menu\Programs\Startup\ Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"= "c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Blubster\\Blubster.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408] S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/21/2012 5:33 PM 40776] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.dell4me.com/mywaybiz uInternet Connection Wizard,ShellNext = iexplore IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: getmirar.com\click Trusted Zone: mirarsearch.com\click Trusted Zone: mirarsearch.com\redirect Trusted Zone: net-nucleus.com\awbeta TCP: DhcpNameServer = 192.168.1.1 74.128.17.114 TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29 DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-01-23 22:42 Windows 5.1.2600 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(2996) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\fxssvc.exe c:\program files\Blubster\BGCheck.exe c:\program files\Common Files\Java\Java Update\jucheck.exe . ************************************************************************** . Completion time: 2012-01-23 22:51:55 - machine was rebooted ComboFix-quarantined-files.txt 2012-01-24 03:51 ComboFix2.txt 2012-01-23 04:00 ComboFix3.txt 2012-01-22 02:12 ComboFix4.txt 2012-01-17 00:51 . Pre-Run: 8,133,894,144 bytes free Post-Run: 8,202,715,136 bytes free . - - End Of File - - 4FAFB3860E0D8C83907018412A70E3A9