ComboFix 12-01-16.02 - Ricky 01/21/2012 20:53:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.294 [GMT -5:00]
Running from: e:\computer repair progs\ComboFix\ComboFix.exe
 * Created a new restore point
.
 - REDUCED FUNCTIONALITY MODE -
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\Mary Kay\err.log
c:\documents and settings\Ricky\err.log
c:\program files\Mozilla Firefox\extensions\searchsettings@spigot.com
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\cookies.ini
c:\windows\cs_cache.ini
c:\windows\EventSystem.log
c:\windows\run.log
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\drivers\fad.sys
c:\windows\system32\mcrh.tmp
c:\windows\system32\msnav32.ax
c:\windows\system32\winpfz32.sys
c:\windows\system32\zxdnt3d.cfg
c:\windows\wr.txt
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wuauclt.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-12-22 to 2012-01-22   )))))))))))))))))))))))))))))))
.
.
2012-01-22 01:46 . 2012-01-22 01:46	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2012-01-22 01:46 . 2011-12-10 20:24	20464	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-01-21 22:33 . 2012-01-22 01:48	40776	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30	--------	d-----w-	c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23	--------	d-----w-	C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00	41856	----a-w-	c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00	41856	----a-w-	c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13	111872	----a-w-	c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-10 01:21	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58	14848	----a-w-	c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56	21504	----a-w-	c:\windows\system32\hidserv.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58	5504	----a-w-	c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25	774144	----a-w-	c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00	15360	----a-w-	c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-11 735960]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-22 40776]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-09-11 96408]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-21 20:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]
"ImagePath"="\systemroot\3949259467:873831188.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\Blubster\BGCheck.exe
.
**************************************************************************
.
Completion time: 2012-01-21 21:12:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 02:11
ComboFix2.txt 2012-01-17 00:51
.
Pre-Run: 8,830,205,952 bytes free
Post-Run: 8,810,123,264 bytes free
.
- - End Of File - - 88E51E8BBF66D58C64E21E95F790AF56