ComboFix 08-12-28.01 - bbb 2008-12-29 2:37:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.46 [GMT 5.5:30]
Running from: c:\downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Sygate Personal Firewall Pro *disabled*
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\explorer.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-29 02:13 . 2008-12-29 02:13 250 --a------ c:\windows\gmer.ini
2008-12-29 01:00 . 2008-12-29 01:00 d-------- c:\documents and settings\bbb\Application Data\FlashFXP
2008-12-29 00:58 . 2008-12-29 00:58 d-------- C:\rsit
2008-12-29 00:50 . 2008-12-29 00:50 d-------- c:\documents and settings\bbb\Application Data\TuneUp Software
2008-12-29 00:48 . 2008-12-29 00:48 d-------- c:\documents and settings\bbb\Application Data\Simply Super Software
2008-12-29 00:46 . 2008-12-29 00:46 d--hs---- C:\FOUND.026
2008-12-29 00:46 . 2008-12-29 00:46 d-------- c:\documents and settings\bbb
2008-12-24 18:07 . 2008-12-24 18:07 d-------- c:\windows\ERUNT
2008-12-24 18:03 . 2008-11-06 02:03 d-------- C:\SDFix
2008-12-24 17:57 . 2008-12-24 17:57 d-------- c:\program files\Trend Micro
2008-12-24 17:13 . 2008-12-24 17:13 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 17:13 . 2008-12-24 17:13 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-24 17:13 . 2008-12-24 17:13 d-------- c:\documents and settings\Administrator.TYRANT.000\Application Data\Malwarebytes
2008-12-24 17:13 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 17:13 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 23:56 . 2008-12-21 23:56 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-12-21 23:52 . 2008-12-21 23:52 d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2008-12-05 03:22 . 2008-12-05 03:22 d-------- c:\program files\FlashGet
2008-12-05 02:38 . 2008-12-05 02:38 d-------- c:\program files\Operaalpha
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 21:07 1,032,192 ----a-w c:\windows\system32\dllcache\explorer.exe
2008-12-28 21:07 1,032,192 ----a-w c:\windows\explorer.exe
2008-11-18 22:07 --------- d-----w c:\documents and settings\Administrator.TYRANT.000\Application Data\AutoSizer
2008-11-17 00:51 --------- d-----w c:\program files\Everything
2008-10-31 21:00 --------- d-----w c:\program files\FLVHosting
2008-11-15 23:53 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-15 23:53 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-15 23:53 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-15 23:53 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-15 23:53 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-09 303104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-12-19 28672]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2005-09-27 2717392]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2008-12-24 1230728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= c:\progra~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.VP60"= c:\progra~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP61"= c:\progra~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP62"= c:\progra~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP70"= c:\progra~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= c:\progra~1\K-LITE~1\codecs\vp31vfw.dll
"VIDC.FFDS"= c:\progra~1\K-LITE~1\ffdshow\ff_vfw.dll
"msacm.ac3acm"= c:\progra~1\K-LITE~1\codecs\ac3acm.acm
"msacm.l3fhg"= c:\progra~1\K-LITE~1\codecs\l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AudioDeck"=c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1
"SiSUSBRG"=c:\windows\SiSUSBrg.exe
"SiS Tray"=c:\windows\system32\sistray.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\foobar2000\\foobar2000.exe"=
"c:\\Program Files\\Trojan Remover\\Sschk.exe"=
"c:\\PROGRA~1\\Sygate\\SPF\\smc.exe"=
"c:\\PROGRA~1\\BANDWI~1\\Bandwidth Monitor Pro.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\regedit.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Bandwidth Monitor Pro\\Bandwidth Monitor Pro.exe"=
"c:\\ComboFix\\regt.cfexe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2879:TCP"= 2879:TCP:WWW

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hmomsn.sys []
S2 fcvjofnms;fcvjofnms;c:\windows\system32\svchost.exe -k netsvcs [2008-07-27 14336]
S2 rhgml;rhgml;c:\windows\system32\svchost.exe -k netsvcs [2008-07-27 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
fcvjofnms
rhgml

*Newly Created Service* - RHGML
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 16:53]
.
.
------- Supplementary Scan -------
.
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
TCP: {287F7905-70FB-4FF8-8DF7-A72E8941FB8D} = 208.67.220.220 208.67.222.222
TCP: {43E2F0E8-E4DB-4ADC-9BD9-946CBA87A143} = 208.67.222.222,208.67.220.220

c:\windows\Downloaded Program Files\CTSUEng.ocx - c:\windows\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
c:\windows\Downloaded Program Files\CTSUEng.inf
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 02:39:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\???/??Z???????Z???Z???????????????????Z???Z C?????Z$??????Z????????????S??Z????????m??Z???w????(???{??w???w???????w???w???Z????????d???b6?Z%??Z???Z????"??ZA??Z???Z.??wZ??Z?3?Z?3?Z????st.I???????Z????d???0=?Z?K?Z

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
c:\windows\htpatch.exe?ows\CurrentVersion\Run???\???/??Z???????Z???Z???????????????????Z???Z C?????Z$??????Z????????????S??Z????????m??Z???w????(???{??w???w???????w???w???Z????????d???b6?Z%??Z???Z????"??ZA??Z???Z.??wZ??Z?3?Z?3?Z????st.I???????Z????d???0=?Z?K?Z
.
------------------------ Other Running Processes ------------------------
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\???/??Z???????Z???Z???????????????????Z???Z C?????Z$??????Z????????????S??Z????????m??Z???w????(???{??w???w???????w???w???Z????????d???b6?Z%??Z???Z????"??ZA??Z???Z.??wZ??Z?3?Z?3?Z????st.I???????Z????d???0=?Z?K?Z
.
**************************************************************************
.
Completion time: 2008-12-29 2:40:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 21:10:38

Pre-Run: 587,644,928 bytes free
Post-Run: 524,353,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

173
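The log above is worth reading for its tampering indicators rather than its file list: Task Manager and regedit locked out by HKCU policy, EnableLUA and the Windows Firewall switched off, every Security Center notification muted, cmd.exe and regedit.exe granted firewall exceptions, a driver (abp470n5 -> hmomsn.sys) whose file is gone, and two randomly named services (fcvjofnms, rhgml) registered into the netsvcs svchost group. The script below is an added example, not ComboFix output or any tool from the thread. It parses a ComboFix-style "Reg Loading Points" section plus the R/S service lines and reports exactly those classes of finding. Its sample input is constructed from lines of this log plus one invented legitimate service (Dhcp) to show the allowlist working; the netsvcs allowlist and the list of "living off the land" executables are partial and are assumptions of the example, not facts the log states.

```python
"""Triage a ComboFix log for host-tampering indicators (added example)."""
import re

# Constructed sample: lines lifted from the log above, plus one invented
# legitimate service (Dhcp) so the netsvcs allowlist has something to pass.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\regedit.exe"=
"c:\\WINDOWS\\system32\\cmd.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hmomsn.sys []
S2 fcvjofnms;fcvjofnms;c:\windows\system32\svchost.exe -k netsvcs [2008-07-27 14336]
S2 rhgml;rhgml;c:\windows\system32\svchost.exe -k netsvcs [2008-07-27 14336]
S2 Dhcp;DHCP Client;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
"""

# Value name (lowercased) -> the setting a healthy XP SP2 box carries.
SAFE_POLICY = {
    "enablelua": 1, "enablefirewall": 1,
    "disabletaskmgr": 0, "disableregistrytools": 0,
    "antivirusdisablenotify": 0, "firewalldisablenotify": 0, "updatesdisablenotify": 0,
    "antivirusoverride": 0, "firewalloverride": 0, "uacdisablenotify": 0,
    "disablemonitoring": 0,
}
# Partial allowlist of services XP itself hosts in the netsvcs group (assumption).
KNOWN_NETSVCS = {s.lower() for s in (
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "Dhcp", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess",
    "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "BITS", "wuauserv", "ShellHWDetection", "helpsvc",
)}
# Interactive tools that have no business holding a firewall exception (assumption).
LOLBIN_EXES = {"cmd.exe", "regedit.exe", "reg.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# e.g.  S2 rhgml;rhgml;c:\windows\system32\svchost.exe -k netsvcs [2008-07-27 14336]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")


def parse_number(raw):
    """Accept both ComboFix spellings: '0 (0x0)' and 'dword:00000001'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def triage(log_text):
    """Return (category, detail) findings in the order they appear in the log."""
    findings = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image, stamp = m.groups()
            if not stamp:
                # ComboFix prints the [date size] stamp only for files it could find.
                findings.append(("missing-image", f"{name} -> {image}"))
            elif "svchost.exe -k netsvcs" in image.lower() and name.lower() not in KNOWN_NETSVCS:
                findings.append(("unknown-netsvc", name))
            continue
        m = VALUE_RE.match(line)
        if not m or section is None:
            continue
        name, raw = m.group(1), m.group(2)
        if section.endswith("authorizedapplications\\list"):
            # REGEDIT4 doubles backslashes; undo that before taking the basename.
            exe = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            if exe in LOLBIN_EXES:
                findings.append(("firewall-exception", exe))
            continue
        safe = SAFE_POLICY.get(name.lower())
        if safe is not None:
            value = parse_number(raw)
            if value is not None and value != safe:
                findings.append(("policy-tamper", f"{name}={value} under [{section}]"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:19} {detail}")
```

Run against the sample it reports six policy tampers, two firewall exceptions (regedit.exe, cmd.exe), the missing hmomsn.sys image and the two unknown netsvcs entries, and stays silent on Dhcp. The allowlist approach is deliberate: a name like rhgml could be caught by an entropy heuristic, but an attacker can pick a plausible name, while "not a service Windows ships in this group" holds regardless of spelling. Feed it a full ComboFix log (the REGEDIT4 section parses unchanged) and extend KNOWN_NETSVCS for the service pack and third-party software you actually expect on the host.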