
Antivirus-Live not able to boot into safe mode

Discussion in 'Virus & Other Malware Removal' started by Webmaster Doug, Jan 11, 2010.

  1. Webmaster Doug

    Webmaster Doug Thread Starter

    Joined:
    Nov 19, 2007
    Messages:
    48
    Greetings All!
    I'm reaching out to the pros.

    Huge mess on my boss's laptop; kids used it, need I say more. It started with Internet Security 2010, which I thought I had removed, and now Antivirus Live is in there. I can't get McAfee to load; rkill is now detected and blocked and won't work; I can't get a network connection any more. All this in just 6 hours yesterday!

    I can't get online to get HJT; nothing is being allowed to run other than the fake infection warnings. This is a Windows XP Media Center OS running IE7.

    I'm open to suggestions, and need some help.
     
  2. Webmaster Doug

    I also removed Webroot Spy Sweeper, which had expired almost a year ago.
     
  3. Webmaster Doug

    Additional info.
     
  4. Webmaster Doug

    I was able to download and install TFC by OldTimer. I ran that, then ran Malwarebytes Anti-Malware and SUPERAntiSpyware. Here's that log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/14/2010 at 06:31 PM
    Application Version : 4.33.1000

    Core Rules Database Version : 4478
    Trace Rules Database Version: 2296

    Scan type : Complete Scan
    Total Scan Time : 01:01:35

    Memory items scanned : 459
    Memory threats detected : 0
    Registry items scanned : 5441
    Registry threats detected : 79
    File items scanned : 59956
    File threats detected : 16

    Adware.Vundo/Variant-SR
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{b5f8efb3-235c-45f6-b810-ed710badc5a9}
    HKCR\CLSID\{B5F8EFB3-235C-45F6-B810-ED710BADC5A9}
    HKCR\CLSID\{b5f8efb3-235c-45f6-b810-ed710badc5a9}\InprocServer32
    HKCR\CLSID\{b5f8efb3-235c-45f6-b810-ed710badc5a9}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JETEBEMI.DLL
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#mubiderol

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner.NAPLESN\Cookies\own[email protected][2].txt

    Rogue.Agent/Gen
    HKU\.DEFAULT\SOFTWARE\AVSCAN
    HKU\.DEFAULT\SOFTWARE\AVSCAN#knkd
    HKU\.DEFAULT\SOFTWARE\AVSCAN#aazalirt
    HKU\.DEFAULT\SOFTWARE\AVSCAN#skaaanret
    HKU\.DEFAULT\SOFTWARE\AVSCAN#jungertab
    HKU\.DEFAULT\SOFTWARE\AVSCAN#zibaglertz
    HKU\.DEFAULT\SOFTWARE\AVSCAN#iddqdops
    HKU\.DEFAULT\SOFTWARE\AVSCAN#ronitfst
    HKU\.DEFAULT\SOFTWARE\AVSCAN#tobmygers
    HKU\.DEFAULT\SOFTWARE\AVSCAN#jikglond
    HKU\.DEFAULT\SOFTWARE\AVSCAN#tobykke
    HKU\.DEFAULT\SOFTWARE\AVSCAN#klopnidret
    HKU\.DEFAULT\SOFTWARE\AVSCAN#jiklagka
    HKU\.DEFAULT\SOFTWARE\AVSCAN#salrtybek
    HKU\.DEFAULT\SOFTWARE\AVSCAN#seeukluba
    HKU\.DEFAULT\SOFTWARE\AVSCAN#jrjakdsd
    HKU\.DEFAULT\SOFTWARE\AVSCAN#krkdkdkee
    HKU\.DEFAULT\SOFTWARE\AVSCAN#dkewiizkjdks
    HKU\.DEFAULT\SOFTWARE\AVSCAN#dkekkrkska
    HKU\.DEFAULT\SOFTWARE\AVSCAN#rkaskssd
    HKU\.DEFAULT\SOFTWARE\AVSCAN#kuruhccdsdd
    HKU\.DEFAULT\SOFTWARE\AVSCAN#krujmmwlrra
    HKU\.DEFAULT\SOFTWARE\AVSCAN#kkwknrbsggeg
    HKU\.DEFAULT\SOFTWARE\AVSCAN#ktknamwerr
    HKU\.DEFAULT\SOFTWARE\AVSCAN#iqmcnoeqz
    HKU\.DEFAULT\SOFTWARE\AVSCAN#ienotas
    HKU\.DEFAULT\SOFTWARE\AVSCAN#krkmahejdk
    HKU\.DEFAULT\SOFTWARE\AVSCAN#otpeppggq
    HKU\.DEFAULT\SOFTWARE\AVSCAN#krtawefg
    HKU\.DEFAULT\SOFTWARE\AVSCAN#oranerkka
    HKU\.DEFAULT\SOFTWARE\AVSCAN#kitiiwhaas
    HKU\.DEFAULT\SOFTWARE\AVSCAN#otowjdseww
    HKU\.DEFAULT\SOFTWARE\AVSCAN#otnnbektre
    HKU\.DEFAULT\SOFTWARE\AVSCAN#oropbbsee
    HKU\.DEFAULT\SOFTWARE\AVSCAN#irprokwks
    HKU\.DEFAULT\SOFTWARE\AVSCAN#ooorjaas
    HKU\.DEFAULT\SOFTWARE\AVSCAN#id
    HKU\S-1-5-18\SOFTWARE\AVSCAN
    HKU\S-1-5-18\SOFTWARE\AVSCAN#knkd
    HKU\S-1-5-18\SOFTWARE\AVSCAN#aazalirt
    HKU\S-1-5-18\SOFTWARE\AVSCAN#skaaanret
    HKU\S-1-5-18\SOFTWARE\AVSCAN#jungertab
    HKU\S-1-5-18\SOFTWARE\AVSCAN#zibaglertz
    HKU\S-1-5-18\SOFTWARE\AVSCAN#iddqdops
    HKU\S-1-5-18\SOFTWARE\AVSCAN#ronitfst
    HKU\S-1-5-18\SOFTWARE\AVSCAN#tobmygers
    HKU\S-1-5-18\SOFTWARE\AVSCAN#jikglond
    HKU\S-1-5-18\SOFTWARE\AVSCAN#tobykke
    HKU\S-1-5-18\SOFTWARE\AVSCAN#klopnidret
    HKU\S-1-5-18\SOFTWARE\AVSCAN#jiklagka
    HKU\S-1-5-18\SOFTWARE\AVSCAN#salrtybek
    HKU\S-1-5-18\SOFTWARE\AVSCAN#seeukluba
    HKU\S-1-5-18\SOFTWARE\AVSCAN#jrjakdsd
    HKU\S-1-5-18\SOFTWARE\AVSCAN#krkdkdkee
    HKU\S-1-5-18\SOFTWARE\AVSCAN#dkewiizkjdks
    HKU\S-1-5-18\SOFTWARE\AVSCAN#dkekkrkska
    HKU\S-1-5-18\SOFTWARE\AVSCAN#rkaskssd
    HKU\S-1-5-18\SOFTWARE\AVSCAN#kuruhccdsdd
    HKU\S-1-5-18\SOFTWARE\AVSCAN#krujmmwlrra
    HKU\S-1-5-18\SOFTWARE\AVSCAN#kkwknrbsggeg
    HKU\S-1-5-18\SOFTWARE\AVSCAN#ktknamwerr
    HKU\S-1-5-18\SOFTWARE\AVSCAN#iqmcnoeqz
    HKU\S-1-5-18\SOFTWARE\AVSCAN#ienotas
    HKU\S-1-5-18\SOFTWARE\AVSCAN#krkmahejdk
    HKU\S-1-5-18\SOFTWARE\AVSCAN#otpeppggq
    HKU\S-1-5-18\SOFTWARE\AVSCAN#krtawefg
    HKU\S-1-5-18\SOFTWARE\AVSCAN#oranerkka
    HKU\S-1-5-18\SOFTWARE\AVSCAN#kitiiwhaas
    HKU\S-1-5-18\SOFTWARE\AVSCAN#otowjdseww
    HKU\S-1-5-18\SOFTWARE\AVSCAN#otnnbektre
    HKU\S-1-5-18\SOFTWARE\AVSCAN#oropbbsee
    HKU\S-1-5-18\SOFTWARE\AVSCAN#irprokwks
    HKU\S-1-5-18\SOFTWARE\AVSCAN#ooorjaas
    HKU\S-1-5-18\SOFTWARE\AVSCAN#id

    Rootkit.Agent/Gen-Alureon
    C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTQVNRJEPYJC.SYS

    Rogue.Agent/Gen-Nullo[DLL]
    C:\WINDOWS\SYSTEM32\H8SRTKRL32MAINWEQ.DLL

    Trojan.Agent/Gen-MSFake
    C:\WINDOWS\TEMP\H8SRTC68A.TMP


    ------------------------------------------------------------------------------------------------------

    Now I'm getting GMER and will run that.
     
  5. Webmaster Doug

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-01-14 18:48:48
    Windows 5.1.2600 Service Pack 2
    Running: 4hiwkl8e.exe; Driver: C:\DOCUME~1\OWNER~1.NAP\LOCALS~1\Temp\uwldqpod.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA80F978B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA80F9822]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA80F9739]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA80F974D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA80F9836]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA80F9862]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA80F98D0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA80F98BA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA80F97CB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA80F98FC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA80F980E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA80F9711]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA80F9725]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA80F979F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA80F9938]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA80F98A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA80F988E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA80F984C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA80F9924]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA80F9910]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA80F9777]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA80F9763]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA80F9878]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA80F98E6]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA80F97E1]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA80F97B5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- Services - GMER 1.0.15 ----

    Service system32\drivers\H8SRTqvnrjepyjc.sys (*** hidden *** ) [DISABLED] H8SRTd.sys <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
     
  6. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Hello there :cool: Welcome to the TSG Forums.
    My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


    Please note the following:

    • The fixes are specific to your problem and should only be used on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
    • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.




    Step 1


    NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop




    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
    • Double click on ComboFix.exe & follow the prompts.

      Note: Combofix will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. An increasing number of infections are spreading using Autoplay, and leaving it disabled is a good idea.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  7. Webmaster Doug

    Greetings NeonFX!
    FYI: I'm on the East Coast in New England, and this laptop is sitting in my office running a full GMER scan at this time. I'm home now and have that machine disconnected from the internet until I can get back into the office tomorrow morning, most likely in the mid-to-late a.m. Eastern time.

    My plan was to post the results of that scan and an HJT log. Should I continue with my plan and then move forward with ComboFix?
     
  8. NeonFx

    I don't mind a few extra logs :) Take your time.
     
  9. Webmaster Doug

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 5:33:23 PM, on 1/15/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
    C:\Program Files\NETGEAR\WPN111\wpn111.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\Desktop\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6920
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6920
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/msk/en-us/msk7/default.asp?affid=370-9
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WN111v2\jswtrayutil.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\bVeIbT75K.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
    O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: yavakiziw - {94469c70-dcab-4aca-bf72-6b8af89cd5fe} - c:\windows\system32\ruludoji.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: tokatiluy - {94469c70-dcab-4aca-bf72-6b8af89cd5fe} - c:\windows\system32\ruludoji.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate1c96234d1a0b904) (gupdate1c96234d1a0b904) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 7582 bytes
     
  10. Webmaster Doug

    ComboFix 10-01-15.01 - Owner 01/15/2010 17:43:45.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.554 [GMT -5:00]
    Running from: c:\documents and settings\Owner.NAPLESN\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UA.dtd
    c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UAcpt.dtd
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\recycler\S-1-5-21-3793755804-4069682362-3132155385-500
    c:\windows\kb913800.exe
    c:\windows\system32\18467.exe
    c:\windows\system32\19169.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\H8SRTbdwqerxnld.dll
    c:\windows\system32\H8SRTbqeikxeuwq.dll
    c:\windows\system32\H8SRTbxhkwbimrg.dll
    c:\windows\system32\H8SRTefmqlirpdv.dll
    c:\windows\system32\H8SRTfvmhwvsqwl.dat
    c:\windows\Tasks\qqbmmxqn.job
    D:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://82.98.235.34
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_H8SRTd.sys
    -------\Service_H8SRTd.sys


    ((((((((((((((((((((((((( Files Created from 2009-12-15 to 2010-01-15 )))))))))))))))))))))))))))))))
    .

    2010-01-15 22:32 . 2010-01-15 22:32 388096 ----a-r- c:\documents and settings\Owner.NAPLESN\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-14 23:45 . 2010-01-14 23:46 293376 ----a-w- C:\4hiwkl8e.exe
    2010-01-14 22:25 . 2010-01-14 22:25 52224 ----a-w- c:\documents and settings\Owner.NAPLESN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-14 22:25 . 2010-01-14 22:25 117760 ----a-w- c:\documents and settings\Owner.NAPLESN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-14 22:24 . 2010-01-14 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-14 22:24 . 2010-01-14 22:24 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-14 22:24 . 2010-01-14 22:24 -------- d-----w- c:\documents and settings\Owner.NAPLESN\Application Data\SUPERAntiSpyware.com
    2010-01-14 22:23 . 2010-01-14 22:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-11 21:05 . 2009-11-04 21:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-01-11 21:05 . 2009-11-04 21:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2010-01-11 21:05 . 2009-11-04 21:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-01-11 21:05 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-01-11 21:05 . 2010-01-11 21:05 -------- d-----w- c:\program files\Common Files\McAfee
    2010-01-11 21:02 . 2009-11-04 21:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2010-01-11 17:57 . 2010-01-11 17:57 -------- d-----w- c:\documents and settings\Owner.NAPLESN\Application Data\Malwarebytes
    2010-01-11 17:57 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-11 17:57 . 2010-01-11 18:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-11 17:57 . 2010-01-11 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-11 17:57 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-23 23:27 . 2009-12-23 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-12-23 23:27 . 2009-12-23 23:27 -------- d-----w- c:\documents and settings\Owner.NAPLESN\Application Data\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-15 20:35 . 2008-12-19 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-01-11 22:58 . 2006-07-19 05:51 -------- d-----w- c:\program files\Google
    2010-01-11 21:19 . 2006-07-19 06:11 -------- d-----w- c:\program files\McAfee
    2010-01-11 21:18 . 2006-07-19 06:10 -------- d-----w- c:\program files\McAfee.com
    2010-01-11 21:09 . 2006-07-19 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-01-11 20:54 . 2006-07-19 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
    2010-01-06 20:30 . 2006-07-19 04:41 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2009-12-02 19:23 . 2006-11-09 18:13 1961720 -c--a-w- c:\documents and settings\Owner.NAPLESN\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-11-21 18:56 . 2009-04-01 19:20 -------- d-----w- c:\program files\NETGEAR
    2009-11-21 18:55 . 2006-07-19 05:49 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-17 22:00 . 2009-11-17 22:00 -------- d-----w- c:\program files\Scholastic
    2009-11-04 21:54 . 2009-11-04 21:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-10-29 07:46 . 2005-01-09 23:48 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2005-01-09 23:48 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2005-01-09 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-10-21 06:00 . 2005-01-09 23:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 06:00 . 2005-01-09 23:48 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
    2006-12-09 11:54 . 2006-12-09 11:54 53664 -c--a-w- c:\program files\IF
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\bVeIbT75K.exe" [2010-01-11 1394000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-10 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2008-5-9 1474631]
    NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-4-1 884838]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-10 19:00 15360 -c----w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 06:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2005-10-12 16:30 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-23 19:13 77824 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-23 19:17 118784 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-23 19:17 94208 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2005-12-28 18:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2005-12-28 18:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-12-11 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    2006-11-07 19:49 1121280 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-12-11 15:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2005-12-27 17:20 413696 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    2006-05-24 02:22 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2004-11-05 14:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-11-05 14:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\NETGEAR\\WN111v2\\WN111V2.exe"=
    "c:\\WINDOWS\\system32\\acs.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2/12/2008 6:05 PM 57440]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S0 fkquupkr;fkquupkr;c:\windows\system32\drivers\pmdaow.sys --> c:\windows\system32\drivers\pmdaow.sys [?]
    S2 gupdate1c96234d1a0b904;Google Update Service (gupdate1c96234d1a0b904);c:\program files\Google\Update\GoogleUpdate.exe [12/19/2008 6:52 PM 133104]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [4/1/2009 2:20 PM 17149]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 11:54 AM 360547]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [10/10/2008 1:39 PM 29824]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [10/10/2008 1:39 PM 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [10/10/2008 1:39 PM 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [10/10/2008 1:39 PM 59776]
    S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [9/25/2006 11:24 AM 55344]
    S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [9/25/2006 11:24 AM 9200]
    S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [9/25/2006 11:24 AM 89936]
    S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [9/25/2006 11:24 AM 9472]
    S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [9/25/2006 11:24 AM 69632]
    S3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [4/9/2008 11:02 AM 28848]
    S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [5/31/2008 2:46 PM 434688]
    S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [4/1/2009 2:20 PM 362944]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2010-01-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 16:38]

    2010-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 18:49]

    2010-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 18:49]

    2006-09-21 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 19:00]

    2006-09-21 c:\windows\Tasks\ISP signup reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 19:00]

    2010-01-11 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 17:22]

    2010-01-11 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/msk/en-us/msk7/default.asp?affid=370-9
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-jswtrayutil - c:\program files\NETGEAR\WN111v2\jswtrayutil.exe
    HKLM-Run-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
    SharedTaskScheduler-{94469c70-dcab-4aca-bf72-6b8af89cd5fe} - c:\windows\system32\ruludoji.dll
    SSODL-yavakiziw-{94469c70-dcab-4aca-bf72-6b8af89cd5fe} - c:\windows\system32\ruludoji.dll
    MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
    MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
    MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
    MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
    MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
    MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
    MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
    MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
    MSConfigStartUp-wuduyefak - c:\windows\system32\jetebemi.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-15 17:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(892)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2968)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-15 17:54:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-15 22:54

    Pre-Run: 93,119,643,648 bytes free
    Post-Run: 93,148,160,000 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 48258BAD335CA1BCB160BF6DFBF4258F
     
  11. Webmaster Doug

    Webmaster Doug Thread Starter

    Joined:
    Nov 19, 2007
    Messages:
    48
    NeonFX,

    I'll be back Sunday late morning for our next move on this issue. Thank you VERY much for your help.
     
  12. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Excellent. That seems to have done most of the work.

    STEP 1

    Please do the following:

    1. Close any open programs before running the fix.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

    Code:
    Driver::
    fkquupkr
    
    File::
    c:\windows\system32\drivers\pmdaow.sys 
    
    KillAll::
    NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    STEP 2

    Run MalwareBytes AntiMalware


    • Update it by clicking on the Update tab and then on the button.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your harddrives.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.


    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
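    The CFScript in the post above is derived from what the earlier ComboFix log shows: a boot-start driver (`S0 fkquupkr`) whose image `pmdaow.sys` the scanner could not find at the listed path, alongside a browser proxy pointed at `127.0.0.1:5555`, Security Center monitoring turned off and the Windows Firewall disabled. The following Python script is an added illustration of that triage step and is not code from this thread, from ComboFix or from its author. It reads a few lines copied from the log posted here (embedded as a constructed sample), flags those indicators, and emits the `Driver::`/`File::` sections of a CFScript from the missing-file service entries. The line patterns (`SERVICE_RE`, `VALUE_RE`, `PROXY_RE`) and the reading of `--> ... [?]` as "image file not found" are my own assumptions about the log format, not a ComboFix specification.

```python
import re

# Constructed sample: lines copied from the ComboFix logs posted in this thread
# (security-center and firewall keys, the services block, the supplementary
# scan). Raw string so the backslashes in the paths stay literal.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
S0 fkquupkr;fkquupkr;c:\windows\system32\drivers\pmdaow.sys --> c:\windows\system32\drivers\pmdaow.sys [?]
S2 gupdate1c96234d1a0b904;Google Update Service (gupdate1c96234d1a0b904);c:\program files\Google\Update\GoogleUpdate.exe [12/19/2008 6:52 PM 133104]
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# Assumed shape of a service line: "<R|S><start type> <name>;<display>;<image path> [...]".
# Start type 0 is a boot-start driver, loaded before any user-mode scanner runs.
SERVICE_RE = re.compile(r'^([RS])(\d) ([^;]+);([^;]*);(.*)$')
# Assumed shape of a registry value line inside a [section], e.g. "EnableFirewall"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Supplementary-scan proxy line, e.g. uInternet Settings,ProxyServer = http=127.0.0.1:5555
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(.*)$')


def parse_service(line):
    """Return a dict for a service/driver line, or None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start_type, name, display, rest = m.groups()
    rest = rest.strip()
    # Assumption: a file the scanner cannot find is reported as
    # "<path> --> <path> [?]"; otherwise the brackets hold timestamp and size.
    missing = rest.endswith('[?]')
    path = rest.split(' --> ', 1)[0] if missing else rest.rsplit(' [', 1)[0]
    return {'state': state, 'start_type': int(start_type), 'name': name,
            'display': display, 'path': path, 'file_missing': missing}


def triage(log_text):
    """Walk the log once and collect the indicators a helper would act on."""
    services, warnings = [], []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('['):          # remember which registry key we are under
            section = line.lower()
            continue
        svc = parse_service(line)
        if svc:
            services.append(svc)
            if svc['file_missing']:
                warnings.append('service %s (start type %d) points at a file that is not there: %s'
                                % (svc['name'], svc['start_type'], svc['path']))
            continue
        m = PROXY_RE.match(line)
        if m and '127.0.0.1' in m.group(1):
            # A loopback proxy in the user's Internet Settings routes every
            # browser request through a local process: classic rogue-AV hijack.
            warnings.append('browser proxy set to loopback: %s' % m.group(1))
            continue
        m = VALUE_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == 'DisableMonitoring' and value.endswith('1') and 'security center' in section:
                warnings.append('Security Center monitoring disabled under %s' % section)
            elif key == 'EnableFirewall' and value.startswith('0') and 'firewallpolicy' in section:
                warnings.append('Windows Firewall disabled (%s)' % section)
    return {'services': services,
            'missing_file_services': [s for s in services if s['file_missing']],
            'warnings': warnings}


def build_cfscript(findings):
    """Emit Driver::/File:: sections for the missing-file services, then KillAll::."""
    bad = findings['missing_file_services']
    parts = []
    if bad:
        parts.append('Driver::\n' + '\n'.join(s['name'] for s in bad))
        parts.append('File::\n' + '\n'.join(s['path'] for s in bad))
    parts.append('KillAll::')
    return '\n\n'.join(parts) + '\n'


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for w in result['warnings']:
        print('WARN:', w)
    print(build_cfscript(result))
```

    Run against the sample, the script reports the four findings and prints a CFScript whose `Driver::` and `File::` entries match the ones NeonFx posted; the registry and proxy findings are reported only, since those keys are normally reset after the infection is gone rather than scripted away.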
  13. Webmaster Doug

    Webmaster Doug Thread Starter

    Joined:
    Nov 19, 2007
    Messages:
    48
    ComboFix 10-01-16.04 - Owner 01/17/2010 18:00:00.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.578 [GMT -5:00]
    Running from: c:\documents and settings\Owner.NAPLESN\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.NAPLESN\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\drivers\pmdaow.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FKQUUPKR
    -------\Service_fkquupkr


    ((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
    .

    2010-01-17 22:44 . 2010-01-17 22:44 -------- d-----w- c:\windows\LastGood.Tmp
    2010-01-15 22:32 . 2010-01-15 22:32 388096 ----a-r- c:\documents and settings\Owner.NAPLESN\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-14 23:45 . 2010-01-14 23:46 293376 ----a-w- C:\4hiwkl8e.exe
    2010-01-14 22:25 . 2010-01-14 22:25 52224 ----a-w- c:\documents and settings\Owner.NAPLESN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-14 22:25 . 2010-01-14 22:25 117760 ----a-w- c:\documents and settings\Owner.NAPLESN\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-14 22:24 . 2010-01-14 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-14 22:24 . 2010-01-14 22:24 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-14 22:24 . 2010-01-14 22:24 -------- d-----w- c:\documents and settings\Owner.NAPLESN\Application Data\SUPERAntiSpyware.com
    2010-01-14 22:23 . 2010-01-14 22:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-11 21:05 . 2009-11-04 21:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-01-11 21:05 . 2009-11-04 21:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2010-01-11 21:05 . 2009-11-04 21:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-01-11 21:05 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-01-11 21:05 . 2010-01-11 21:05 -------- d-----w- c:\program files\Common Files\McAfee
    2010-01-11 21:02 . 2009-11-04 21:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2010-01-11 17:57 . 2010-01-11 17:57 -------- d-----w- c:\documents and settings\Owner.NAPLESN\Application Data\Malwarebytes
    2010-01-11 17:57 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-11 17:57 . 2010-01-11 18:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-11 17:57 . 2010-01-11 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-11 17:57 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-23 23:27 . 2009-12-23 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
    2009-12-23 23:27 . 2009-12-23 23:27 -------- d-----w- c:\documents and settings\Owner.NAPLESN\Application Data\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-17 22:40 . 2008-12-19 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-01-11 22:58 . 2006-07-19 05:51 -------- d-----w- c:\program files\Google
    2010-01-11 21:19 . 2006-07-19 06:11 -------- d-----w- c:\program files\McAfee
    2010-01-11 21:18 . 2006-07-19 06:10 -------- d-----w- c:\program files\McAfee.com
    2010-01-11 21:09 . 2006-07-19 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-01-11 20:54 . 2006-07-19 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
    2010-01-06 20:30 . 2006-07-19 04:41 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2009-12-02 19:23 . 2006-11-09 18:13 1961720 -c--a-w- c:\documents and settings\Owner.NAPLESN\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-11-21 18:56 . 2009-04-01 19:20 -------- d-----w- c:\program files\NETGEAR
    2009-11-21 18:55 . 2006-07-19 05:49 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-21 16:36 . 2005-01-09 23:47 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-04 21:54 . 2009-11-04 21:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-10-29 07:46 . 2005-01-09 23:48 832512 ------w- c:\windows\system32\wininet.dll
    2009-10-29 07:46 . 2005-01-09 23:48 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-29 07:46 . 2005-01-09 23:47 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-10-21 06:00 . 2005-01-09 23:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 06:00 . 2005-01-09 23:48 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 14:58 . 2004-08-04 06:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
    2006-12-09 11:54 . 2006-12-09 11:54 53664 -c--a-w- c:\program files\IF
    .

    ((((((((((((((((((((((((((((( [email protected]_22.49.01 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-01-09 23:48 . 2009-07-29 04:53 82432 c:\windows\system32\fontsub.dll
    + 2005-01-09 23:48 . 2009-10-15 17:21 82432 c:\windows\system32\fontsub.dll
    - 2005-01-09 23:48 . 2009-07-29 04:53 82432 c:\windows\system32\dllcache\fontsub.dll
    + 2005-01-09 23:48 . 2009-10-15 17:21 82432 c:\windows\system32\dllcache\fontsub.dll
    - 2005-01-09 23:48 . 2009-07-29 04:53 119808 c:\windows\system32\t2embed.dll
    + 2005-01-09 23:48 . 2009-10-16 03:51 119808 c:\windows\system32\t2embed.dll
    + 2005-01-09 23:48 . 2009-10-16 03:51 119808 c:\windows\system32\dllcache\t2embed.dll
    - 2005-01-09 23:48 . 2009-07-29 04:53 119808 c:\windows\system32\dllcache\t2embed.dll
    + 2005-01-09 23:47 . 2009-11-21 16:36 470528 c:\windows\system32\dllcache\aclayers.dll
    + 2010-01-17 22:42 . 2010-01-04 21:17 29634504 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
    "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\bVeIbT75K.exe" [2010-01-11 1394000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-10 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WN111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WN111v2\WN111V2.exe [2008-5-9 1474631]
    NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-4-1 884838]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-10 19:00 15360 -c----w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 06:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2005-10-12 16:30 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-23 19:13 77824 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-23 19:17 118784 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-23 19:17 94208 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2005-12-28 18:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2005-12-28 18:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-12-11 17:10 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    2006-11-07 19:49 1121280 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-12-11 15:56 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2005-12-27 17:20 413696 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    2006-05-24 02:22 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2004-11-05 14:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-11-05 14:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\NETGEAR\\WN111v2\\WN111V2.exe"=
    "c:\\WINDOWS\\system32\\acs.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2/12/2008 6:05 PM 57440]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S2 gupdate1c96234d1a0b904;Google Update Service (gupdate1c96234d1a0b904);c:\program files\Google\Update\GoogleUpdate.exe [12/19/2008 6:52 PM 133104]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [4/1/2009 2:20 PM 17149]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\NETGEAR\WN111v2\jswpsapi.exe [2/27/2008 11:54 AM 360547]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [10/10/2008 1:39 PM 29824]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [10/10/2008 1:39 PM 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [10/10/2008 1:39 PM 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [10/10/2008 1:39 PM 59776]
    S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [9/25/2006 11:24 AM 55344]
    S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [9/25/2006 11:24 AM 9200]
    S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [9/25/2006 11:24 AM 89936]
    S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [9/25/2006 11:24 AM 9472]
    S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [9/25/2006 11:24 AM 69632]
    S3 usbkey;USB Dongle;c:\windows\system32\drivers\USBkey.sys [4/9/2008 11:02 AM 28848]
    S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\drivers\WN111v2.sys [5/31/2008 2:46 PM 434688]
    S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [4/1/2009 2:20 PM 362944]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2010-01-17 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 16:38]

    2010-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 18:49]

    2010-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 18:49]

    2006-09-21 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 19:00]

    2006-09-21 c:\windows\Tasks\ISP signup reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 19:00]

    2010-01-11 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 17:22]

    2010-01-11 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-11 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/msk/en-us/msk7/default.asp?affid=370-9
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-17 18:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(892)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2596)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-17 18:10:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-17 23:10
    ComboFix2.txt 2010-01-15 22:54

    Pre-Run: 93,087,780,864 bytes free
    Post-Run: 93,045,932,032 bytes free

    Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 562850226BC8298320811CCF8EAB9ECD
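The security-relevant line in the ComboFix log above is `uInternet Settings,ProxyServer = http=127.0.0.1:5555`: Internet Explorer's per-user proxy has been pointed at a loopback address and port, which is the kind of setting that accounts for "can't get network connection any more" even though the adapter is fine. Below is an added example (not part of the thread, not ComboFix's own code) that pulls the Internet Settings entries out of a ComboFix "Supplementary Scan" block, flags any proxy that routes traffic to loopback, and prints the reg.exe commands that clear it. Assumptions: ComboFix's convention of prefixing HKEY_CURRENT_USER entries with `u` and HKEY_LOCAL_MACHINE entries with `m`; the sample lines are typed from the log above; the Internet Settings registry path is the standard `Software\Microsoft\Windows\CurrentVersion\Internet Settings`.

```python
"""Triage the 'Supplementary Scan' block of a ComboFix log for a hijacked IE proxy.

Added example for this thread; not part of ComboFix. The "prefix,Name = value"
line shape is assumed from the log lines reproduced below.
"""
import re

# Constructed sample: the Supplementary Scan lines from the ComboFix log above.
SAMPLE_SUPPLEMENTARY = """\
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/msk/en-us/msk7/default.asp?affid=370-9
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\\progra~1\\MICROS~2\\OFFICE11\\EXCEL.EXE/3000
"""

# ComboFix prefixes current-user entries with 'u' and machine-wide entries with 'm'.
HIVE_PREFIX = {"u": "HKCU", "m": "HKLM"}
INET_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LINE_RE = re.compile(r"^([um])Internet Settings,(\w+) = (.*)$")


def parse_internet_settings(text):
    """Return {(hive, value_name): value} for every 'Internet Settings' line."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[(HIVE_PREFIX[m.group(1)], m.group(2))] = m.group(3).strip()
    return found


def proxy_endpoints(proxy_server):
    """Split 'host:port' or 'http=host:port;https=host:port' into (scheme, host, port) tuples."""
    out = []
    for part in proxy_server.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is '' when no 'proto=' prefix
        host, sep, port = hostport.rpartition(":")
        if not sep:                                   # bare host with no port
            host, port = hostport, ""
        out.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return out


def is_loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def find_proxy_hijack(text):
    """Return one finding per ProxyServer entry that sends traffic to a loopback address."""
    findings = []
    for (hive, name), value in parse_internet_settings(text).items():
        if name != "ProxyServer":
            continue
        for scheme, host, port in proxy_endpoints(value):
            if is_loopback(host):
                findings.append({
                    "hive": hive,
                    "value": name,
                    "setting": value,
                    "reason": (f"{scheme} traffic is routed to loopback proxy {host}:{port}; "
                               "with nothing listening there every request fails, and anything "
                               "that is listening sees all browsing in the clear"),
                })
    return findings


def remediation_commands(findings):
    """reg.exe commands that clear the hijacked proxy.

    HKCU values must be cleared while logged on as the affected user; HKLM needs an admin prompt.
    """
    cmds = []
    for f in findings:
        key = f'"{f["hive"]}\\{INET_SETTINGS_KEY}"'
        cmds.append(f"reg delete {key} /v ProxyServer /f")
        cmds.append(f"reg add {key} /v ProxyEnable /t REG_DWORD /d 0 /f")
    return cmds


if __name__ == "__main__":
    hits = find_proxy_hijack(SAMPLE_SUPPLEMENTARY)
    for f in hits:
        print(f["hive"], f["value"], "=", f["setting"], "::", f["reason"])
    for c in remediation_commands(hits):
        print(c)
```

Two caveats when using this for real: the `ProxyOverride = <local>` line next to the proxy means only intranet-style names bypass the proxy, so every external site goes through 127.0.0.1:5555; and clearing the value only restores connectivity, it does not remove whatever wrote it, so it belongs after the malware is gone (or you will find the value re-set on the next logon).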
     
  14. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Alright. I'll wait for the other results.
     
  15. Webmaster Doug

    Webmaster Doug Thread Starter

    Joined:
    Nov 19, 2007
    Messages:
    48
    Malwarebytes' Anti-Malware 1.44
    Database version: 3585
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    1/17/2010 9:07:26 PM
    mbam-log-2010-01-17 (21-07-26).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 179379
    Time elapsed: 41 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTbdwqerxnld.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTbqeikxeuwq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTbxhkwbimrg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTefmqlirpdv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP259\A0130298.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP259\A0130299.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP259\A0130300.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP259\A0130301.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP260\A0130366.sys (Malware.Trace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP260\A0130534.sys (Malware.Trace) -> Quarantined and deleted successfully.
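Every path in the "Files Infected" list above sits either under `C:\Qoobox\Quarantine` (the folder ComboFix moves its quarantined files into, with `.vir` appended) or inside a System Restore point (`System Volume Information\_restore{...}\RPnnn`). Neither location is a live infection: the quarantine copies were already neutralised by the earlier ComboFix run, and restore-point copies are inert unless a restore is performed. The following is an added example (not part of the thread or of Malwarebytes) that parses Malwarebytes "Files Infected" lines and separates those two classes from hits on the live file system, which is the first thing to check before concluding a scan "found ten more infections". The three real lines are typed from the log above; the fourth line is a constructed live hit added for contrast, and the quarantine-path layout (`Qoobox\Quarantine\<drive>\<original path>.vir`) is an assumption about ComboFix's naming.

```python
"""Sort the 'Files Infected' lines of a Malwarebytes log by where the file actually lived.

Added example for this thread; not part of Malwarebytes or ComboFix.
Assumed layout: C:\\Qoobox\\Quarantine\\<drive>\\<original path>.vir is a ComboFix
quarantine copy, and System Volume Information\\_restore{...}\\RP<n>\\ is a restore point.
"""
import re

# Constructed sample: three lines from the log above plus one made-up live hit.
SAMPLE_MBAM = """\
Files Infected:
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\H8SRTbdwqerxnld.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\\RP259\\A0130298.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\\RP260\\A0130366.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\CONSTRUCTED_live_hit.dll (Trojan.Example) -> Quarantined and deleted successfully.
"""

HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
QUAR_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\([a-z])\\(.*?)(\.vir)?$", re.I)
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I)


def classify(path):
    """'combofix_quarantine', 'restore_point' or 'live' for one detected path."""
    if QUAR_RE.match(path):
        return "combofix_quarantine"
    if RESTORE_RE.search(path):
        return "restore_point"
    return "live"


def original_path(path):
    """Recover where a ComboFix-quarantined file originally lived; other paths are returned unchanged."""
    m = QUAR_RE.match(path)
    if not m:
        return path
    return f"{m.group(1).upper()}:\\{m.group(2)}"


def triage(text):
    """Parse every 'path (Family) -> action' line into a dict with its location class."""
    rows = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        rows.append({
            "path": path,
            "original_path": original_path(path),
            "family": m.group("family"),
            "action": m.group("action"),
            "location": classify(path),
        })
    return rows


def summarize(rows):
    """Count hits per location class; 'live' is the only number that means an active infection."""
    counts = {"combofix_quarantine": 0, "restore_point": 0, "live": 0}
    for r in rows:
        counts[r["location"]] += 1
    return counts


def live_hits(rows):
    return [r for r in rows if r["location"] == "live"]


if __name__ == "__main__":
    rows = triage(SAMPLE_MBAM)
    print(summarize(rows))
    for r in live_hits(rows):
        print("LIVE:", r["path"], r["family"])
    for r in rows:
        if r["location"] == "combofix_quarantine":
            print("already quarantined, originally at:", r["original_path"])
```

The recovered original paths are still worth reading even though the files are gone: a DLL that lived in `system32` under a random name tells you what to look for in the services list and in the "DLLs Loaded Under Running Processes" section of the next ComboFix log. The restore-point hits are why removal guides finish by purging old restore points once the machine is clean.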
     
Short URL to this thread: https://techguy.org/893208