Safari/Explorer redirect...Trojan Warning "nnkclwv.com"


This topic is locked

#1 mtovar76 (Member, 27 posts)
I was downloading a torrent (yes, I know, I swear I won't do it again)... now I get redirected when using Safari and Explorer. A web page that redirects says www.nnkclwv.com
I got a warning from my McAfee saying I had a Trojan AND my computer popped up a window from Brightouse Cable saying a Trojan was detected and this violated my agreement with them!
I have Windows XP Service Pack 3
I do not have a tab to disable System Restore on my System Properties. It disappeared.
I have done the steps on your removal guide... EXCEPT... when I run GMER, it eventually shuts off and restarts my computer. I haven't seen it per se, but I come back 30 minutes or an hour later and I have to log back on. Done this 2 times.
Also, I have run OTL twice and it turned the window into a blank white rectangle. Last night I ran it again, and came in this morning and it was stuck on "Scanning NT Drivers 32..."
There was an error saying "Generic Host process for Win32 services has encountered a problem". So I do not have a GMER or OTL log. I do have an MBAM...
I have scanned with McAfee and it said it cleared it, and I ran Stinger and it crashed.


Malwarebytes' Anti-Malware 1.44
Database version: 3639
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/9/2010 9:37:40 AM
mbam-log-2010-07-09 (09-37-40).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 278642
Time elapsed: 2 hour(s), 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Miguel\Local Settings\Temp\services.exe (Password.Stealer) -> Delete on reboot.
C:\Documents and Settings\Miguel\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Miguel\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Delete on reboot.

HELP!!!

#2 hammerman (Member 4k, 4,183 posts)
Hello mtovar76 and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • If in doubt about anything, please ask.

Please follow these steps.

-- Step 1 --

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in the root directory (usually C:\).
  • Please post the contents of that log in your next reply.
-- Step 2 --

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 mtovar76 (Topic Starter, 27 posts)
I downloaded and ran TDSSKiller... it has been stuck on this screen for 6 hours:

TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.3.2.2 Jun 30 2010 17:23:49

Scanning Services ...

Hidden service detected!
Service name: gmdbkgiy
Image path:
Type "delete" (without quotes) to delete it:

#4 hammerman (Member 4k, 4,183 posts)
Hi,

Do NOT type anything in. Just press Enter on your keyboard to continue.

#5 mtovar76 (Topic Starter, 27 posts)
Nothing happens... the cursor just keeps going farther down. This is the third time I have tried it since last night... ughhh

#6 hammerman (Member 4k, 4,183 posts)
Hi,

OK. Let's skip TDSSKiller and run the Combofix scan (step 2).

#7 mtovar76 (Topic Starter, 27 posts)
OK, I'm back from the weekend. Here is the log. I turned McAfee antivirus back on and will turn off the PC...

ComboFix 10-07-15.05 - Miguel 07/18/2010 20:00:50.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.867 [GMT -4:00]
Running from: c:\documents and settings\Miguel\Desktop\Virus remove stuff\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Miguel\Application Data\SystemProc
c:\documents and settings\Miguel\Application Data\SystemProc\lsass.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\iqafebocovofa.dll
c:\windows\oderifuc.dll
c:\windows\uwilarejucowoz.dll
c:\windows\xpsp1hfm.log
E:\autorun.inf

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :)
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 00:20 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-07-19 00:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-17 07:04 . 2010-07-17 07:04 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-17 05:02 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 04:09 . 2010-07-16 00:18 52432 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-07-14 23:46 . 2010-07-14 23:46 -------- d-----w- c:\program files\Bonjour
2010-07-14 23:44 . 2010-07-14 23:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-09 02:39 . 2010-07-10 18:21 0 ----a-w- c:\windows\Smukis.dat
2010-07-09 02:39 . 2010-07-09 05:52 0 ----a-w- c:\windows\Dlufuy.bin
2010-07-09 02:38 . 2010-07-09 02:39 -------- d-----w- c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}
2010-07-09 02:38 . 2010-07-09 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-09 02:32 . 2010-07-19 00:22 766464 ----a-w- c:\windows\system32\drivers\gmdbkgiy.sys
2010-07-09 02:32 . 2010-07-09 02:32 -------- d-----w- c:\documents and settings\Miguel\Local Settings\Application Data\tmaqnlsga
2010-06-24 11:56 . 2010-06-24 11:56 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 23:55 . 2006-11-03 19:55 -------- d-----w- c:\program files\iTunes
2010-07-14 23:53 . 2006-01-30 05:27 -------- d-----w- c:\program files\iPod
2010-07-14 23:53 . 2007-07-06 02:11 -------- d-----w- c:\program files\Common Files\Apple
2010-07-10 15:32 . 2010-01-26 03:00 -------- d-----w- c:\program files\ERUNT
2010-07-09 02:32 . 2006-02-12 20:49 -------- d-----w- c:\documents and settings\Miguel\Application Data\BitTorrent
2010-07-04 22:46 . 2010-01-23 14:10 -------- d-----w- c:\documents and settings\Melinda.LYCAEUM\Application Data\Apple Computer
2010-06-29 23:21 . 2007-12-25 23:36 -------- d-----w- c:\documents and settings\Miguel\Application Data\ZoomBrowser EX
2010-06-29 23:14 . 2009-10-12 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-24 11:54 . 2008-12-15 22:13 -------- d-----w- c:\documents and settings\Miguel\Application Data\Move Networks
2010-06-14 14:31 . 2006-01-27 00:34 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-04 16:29 . 2010-06-04 16:29 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-05-28 03:10 . 2009-11-14 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 10:29 . 2010-01-07 02:07 256 ----a-w- c:\documents and settings\Miguel\pool.bin
2010-04-27 21:16 . 2010-04-23 11:27 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-04-23 11:27 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-04-23 11:27 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-04-23 11:27 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-04-23 11:27 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-04-23 11:27 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-04-23 11:27 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-04-23 11:27 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-04-23 11:27 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-04-23 11:27 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-20 05:30 . 2002-09-03 16:27 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 00:47 . 2009-06-18 11:57 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 00:47 . 2008-07-16 17:20 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2006-05-03 09:06 . 2007-03-27 01:07 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-03-27 01:07 31232 -csh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-07-01 21:20 . 2004-07-01 21:20 212992 c:\bak\Updater.exe

2007-11-07 22:59 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

2003-09-14 02:36 . 2003-09-14 02:36 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

2007-03-26 11:07 . 2007-03-26 11:07 228088 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
2007-08-16 13:56 . 2007-08-16 13:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

2007-12-26 02:29 . 2007-12-26 02:29 290112 c:\program files\DNA\bak\btdna.exe

2006-01-27 02:22 . 2003-12-18 21:37 184320 c:\program files\HP DVD\Umbrella\bak\DVDBitSet.exe

2006-01-27 02:22 . 2003-07-23 17:42 69632 c:\program files\HP DVD\Umbrella\bak\DVDTray.exe

2007-07-31 22:44 . 2007-07-31 22:44 271672 c:\program files\iTunes\bak\iTunesHelper.exe
2010-06-15 20:33 . 2010-06-15 20:33 141624 c:\program files\iTunes\iTunesHelper.exe

2007-10-29 12:51 . 2007-09-25 05:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

2006-11-13 17:39 . 2006-11-13 17:39 1289000 c:\program files\Microsoft ActiveSync\bak\wcescomm.exe

2007-06-29 10:24 . 2007-06-29 10:24 286720 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 01:53 . 2010-03-18 01:53 421888 c:\program files\QuickTime\QTTask.exe

2002-09-03 16:29 . 2004-08-04 07:56 15360 c:\windows\system32\bak\ctfmon.exe
2002-09-03 16:29 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2002-03-19 21:30 . 2002-03-19 21:30 45632 c:\windows\system32\bak\taskswitch.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]
"Hnidahifureqijol"="c:\windows\cfseror.dll" [N/A]
"nrlolaiy"="c:\documents and settings\Miguel\Local Settings\Application Data\tmaqnlsga\kbaalsjtssd.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"Ljatowayewecig"="c:\windows\iqafebocovofa.dll" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"MRT"="c:\windows\system32\MRT.exe" [2010-07-02 34045896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2008-12-16 20:16 637232 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
2003-02-08 22:42 86102 ------w- c:\program files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 19:17 133104 ----atw- c:\documents and settings\Miguel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2003-07-13 07:49 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-18 16:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-02-18 10:58 206184 -c--a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:*:Disabled:@xpsp2res.dll,-22017

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 6:18 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2010 7:27 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/24/2009 2:15 PM 206096]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2010 7:27 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2010 7:27 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/23/2010 7:27 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/23/2010 7:27 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2010 7:27 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2010 7:27 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2010 7:27 AM 88480]
S1 4K23357a;4K23357a;c:\windows\system32\drivers\4k23357a.sys [1/26/2010 3:42 AM 0]
S1 emrzszsi;emrzszsi;\??\c:\windows\system32\drivers\emrzszsi.sys --> c:\windows\system32\drivers\emrzszsi.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2010 8:37 PM 135664]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\Miguel\LOCALS~1\Temp\asbp2poa.sys --> c:\docume~1\Miguel\LOCALS~1\Temp\asbp2poa.sys [?]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [7/15/2010 12:09 AM 52432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2010 7:27 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2010 7:27 AM 83496]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [5/28/2007 5:04 PM 7548]
S4 Samosdbecto;Samosdbecto; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - gmdbkgiy
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2008-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0d018b5720a4.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 00:36]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1592454029-2147250837-1004Core1ca59fb881124ee.job
- c:\documents and settings\Miguel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 19:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.128.199.100:2202/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-4K23357a
SafeBoot-klmd23.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-18 20:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gmdbkgiy]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002
.
Completion time: 2010-07-18 20:28:24
ComboFix-quarantined-files.txt 2010-07-19 00:28

Pre-Run: 13,411,848,192 bytes free
Post-Run: 13,527,121,920 bytes free

- - End Of File - - 8860002A3486B29CAFCC47F26D955024

#8 hammerman (Member 4k, 4,183 posts)
Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\Smukis.dat
c:\windows\Dlufuy.bin
c:\windows\system32\drivers\gmdbkgiy.sys
c:\windows\iqafebocovofa.dll
c:\windows\system32\drivers\emrzszsi.sys
c:\windows\system32\drivers\4k23357a.sys
c:\docume~1\Miguel\LOCALS~1\Temp\asbp2poa.sys

Folder::
c:\documents and settings\Miguel\Local Settings\Application Data\tmaqnlsga

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hnidahifureqijol"=-
"nrlolaiy"=-
"Ljatowayewecig"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gmdbkgiy]

Driver::
emrzszsi
4K23357a
asbp2poa
Samosdbecto


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
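The CFScript in post #8 was assembled by hand from the ComboFix log in post #7: every Run value whose image ComboFix reported as [N/A], every service with a missing ([?]), empty ([x]) or zero-byte image, and the hidden service gmdbkgiy that was running without a registry entry. As an added example (not part of the thread, and not a ComboFix or Geeks to Go tool), the Python below does that triage mechanically over the line formats ComboFix printed and renders the confirmed items into the same File::, Registry:: and Driver:: sections. The sample log is a constructed excerpt copied from post #7; the function names, the "report but never script" handling of the Security Center DisableMonitoring and Windows Firewall EnableFirewall values (a third-party suite such as McAfee sets both legitimately), and the exclusion of mfeavfk01 (a McAfee driver name, which the helper also left alone) are my assumptions.

```python
import re
from collections import OrderedDict

# Constructed excerpt of a ComboFix log; the line shapes are copied from the log
# in post #7 above (assumption: ComboFix 10-07 printed exactly these formats).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]
"Hnidahifureqijol"="c:\windows\cfseror.dll" [N/A]
"nrlolaiy"="c:\documents and settings\Miguel\Local Settings\Application Data\tmaqnlsga\kbaalsjtssd.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ljatowayewecig"="c:\windows\iqafebocovofa.dll" [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2010 7:27 AM 82952]
S1 4K23357a;4K23357a;c:\windows\system32\drivers\4k23357a.sys [1/26/2010 3:42 AM 0]
S1 emrzszsi;emrzszsi;\??\c:\windows\system32\drivers\emrzszsi.sys --> c:\windows\system32\drivers\emrzszsi.sys [?]
S4 Samosdbecto;Samosdbecto; [x]
*Deregistered* - gmdbkgiy
*Deregistered* - mfeavfk01
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
DEREG_RE = re.compile(r'^\*Deregistered\*\s+-\s+(?P<name>\S+)$')


def triage(log_text):
    """Return one finding per suspicious loading point, service or policy value."""
    findings, key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and key and key.lower().endswith(r"\currentversion\run"):
            # ComboFix prints [date size] for an autostart image it could stat;
            # [N/A] means the file is absent or unreadable: a dangling loader
            # from an earlier removal, or a file being hidden from the scanner.
            if m.group("meta") == "N/A":
                findings.append(dict(kind="run_value", key=key, name=m.group("name"),
                                     path=m.group("path"), reason="image not found on disk"))
            continue
        m = DWORD_RE.match(line)
        if m and key:
            name, val, k = m.group("name"), int(m.group("val"), 16), key.lower()
            # Both values are also set legitimately by third-party suites
            # (McAfee here), so they are reported for review, never scripted.
            if name == "DisableMonitoring" and val == 1 and r"security center\monitoring" in k:
                findings.append(dict(kind="policy", key=key, name=name,
                                     reason="Security Center alerting disabled for this product"))
            elif name == "EnableFirewall" and val == 0 and k.endswith(r"firewallpolicy\standardprofile"):
                findings.append(dict(kind="policy", key=key, name=name,
                                     reason="Windows Firewall off in the standard profile"))
            continue
        m = SVC_RE.match(line)
        if m:
            meta = m.group("meta")
            reason = {"?": "image file missing", "x": "no image path"}.get(meta)
            if reason is None and meta.split()[-1:] == ["0"]:
                reason = "zero-byte image"
            if reason:
                # "\??\a --> b" lines carry the resolved path after the arrow.
                path = m.group("path").split("-->")[-1].strip()
                findings.append(dict(kind="service", name=m.group("name"), path=path, reason=reason))
            continue
        m = DEREG_RE.match(line)
        if m:  # running in memory with no registered service entry (hidden)
            findings.append(dict(kind="hidden_service", name=m.group("name"), path="",
                                 reason="service in memory but deregistered"))
    return findings


def build_cfscript(findings, exclude=()):
    """Render CFScript sections (File::, Registry::, Driver::) for the findings
    an analyst has confirmed; `exclude` names entries that must be kept."""
    files, registry, drivers = [], OrderedDict(), []
    for f in findings:
        if f["kind"] == "policy" or f["name"] in exclude:
            continue
        if f["kind"] == "run_value":
            registry.setdefault(f["key"], []).append('"%s"=-' % f["name"])
        else:
            drivers.append(f["name"])
            if f["path"]:
                files.append(f["path"])
    out = ["File::"] + files + ["", "Registry::"]
    for key, values in registry.items():
        out.append("[%s]" % key)
        out.extend(values)
    out += ["", "Driver::"] + drivers
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-14s %-18s %s" % (f["kind"], f["name"], f["reason"]))
    print("\n" + build_cfscript(found, exclude={"mfeavfk01"}))
```

Run stand-alone it prints each finding with its reason, then the script. The policy findings appear in the report but never in the script, and the analyst decides what goes in `exclude`; nothing this emits should be dragged onto ComboFix unreviewed, since the deregistered-service list also contains the security product's own drivers.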

#9 mtovar76 (Topic Starter, 27 posts)
Here you are:

ComboFix 10-07-19.01 - Miguel 07/19/2010 21:49:24.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.850 [GMT -4:00]
Running from: c:\documents and settings\Miguel\Desktop\Virus remove stuff\ComboFix.exe
Command switches used :: c:\documents and settings\Miguel\Desktop\Virus remove stuff\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\docume~1\Miguel\LOCALS~1\Temp\asbp2poa.sys"
"c:\windows\Dlufuy.bin"
"c:\windows\iqafebocovofa.dll"
"c:\windows\Smukis.dat"
"c:\windows\system32\drivers\4k23357a.sys"
"c:\windows\system32\drivers\emrzszsi.sys"
"c:\windows\system32\drivers\gmdbkgiy.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Miguel\Local Settings\Application Data\tmaqnlsga
c:\windows\Dlufuy.bin
c:\windows\Smukis.dat
c:\windows\system32\drivers\4k23357a.sys
c:\windows\system32\drivers\gmdbkgiy.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_4K23357A
-------\Legacy_ASBP2POA
-------\Service_4K23357a
-------\Service_asbp2poa
-------\Service_Samosdbecto
-------\Legacy_gmdbkgiy
-------\Service_gmdbkgiy


((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-19 00:20 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-07-19 00:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-17 07:04 . 2010-07-17 07:04 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-17 05:02 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 04:09 . 2010-07-16 00:18 52432 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-07-14 23:46 . 2010-07-14 23:46 -------- d-----w- c:\program files\Bonjour
2010-07-09 02:38 . 2010-07-09 02:39 -------- d-----w- c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}
2010-07-09 02:38 . 2010-07-09 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-24 11:56 . 2010-06-24 11:56 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 23:55 . 2006-11-03 19:55 -------- d-----w- c:\program files\iTunes
2010-07-14 23:53 . 2006-01-30 05:27 -------- d-----w- c:\program files\iPod
2010-07-14 23:53 . 2007-07-06 02:11 -------- d-----w- c:\program files\Common Files\Apple
2010-07-10 15:32 . 2010-01-26 03:00 -------- d-----w- c:\program files\ERUNT
2010-07-09 02:32 . 2006-02-12 20:49 -------- d-----w- c:\documents and settings\Miguel\Application Data\BitTorrent
2010-07-04 22:46 . 2010-01-23 14:10 -------- d-----w- c:\documents and settings\Melinda.LYCAEUM\Application Data\Apple Computer
2010-06-29 23:21 . 2007-12-25 23:36 -------- d-----w- c:\documents and settings\Miguel\Application Data\ZoomBrowser EX
2010-06-29 23:14 . 2009-10-12 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-24 11:54 . 2008-12-15 22:13 -------- d-----w- c:\documents and settings\Miguel\Application Data\Move Networks
2010-06-14 14:31 . 2006-01-27 00:34 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-28 03:10 . 2009-11-14 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 10:29 . 2010-01-07 02:07 256 ----a-w- c:\documents and settings\Miguel\pool.bin
2010-04-27 21:16 . 2010-04-23 11:27 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-04-23 11:27 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-04-23 11:27 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-04-23 11:27 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-04-23 11:27 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-04-23 11:27 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-04-23 11:27 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-04-23 11:27 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-04-23 11:27 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-04-23 11:27 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2006-05-03 09:06 . 2007-03-27 01:07 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-03-27 01:07 31232 -csh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-07-01 21:20 . 2004-07-01 21:20 212992 c:\bak\Updater.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"Ljatowayewecig"="c:\windows\iqafebocovofa.dll" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2008-12-16 20:16 637232 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
2003-02-08 22:42 86102 ------w- c:\program files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 19:17 133104 ----atw- c:\documents and settings\Miguel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2003-07-13 07:49 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-18 16:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-02-18 10:58 206184 -c--a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:*:Disabled:@xpsp2res.dll,-22017

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 6:18 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2010 7:27 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/24/2009 2:15 PM 206096]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2010 7:27 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2010 7:27 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/23/2010 7:27 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/23/2010 7:27 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2010 7:27 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2010 7:27 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2010 7:27 AM 88480]
S1 cmfldfap;cmfldfap;\??\c:\windows\system32\drivers\cmfldfap.sys --> c:\windows\system32\drivers\cmfldfap.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2010 8:37 PM 135664]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [7/15/2010 12:09 AM 52432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2010 7:27 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2010 7:27 AM 83496]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [5/28/2007 5:04 PM 7548]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2008-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0d018b5720a4.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 00:36]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1592454029-2147250837-1004Core1ca59fb881124ee.job
- c:\documents and settings\Miguel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 19:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.128.199.100:2202/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 22:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1904)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\DLink\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-19 22:25:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 02:25
ComboFix2.txt 2010-07-19 00:28

Pre-Run: 13,489,348,608 bytes free
Post-Run: 13,375,660,032 bytes free

- - End Of File - - 7D3BA0FCDE9E9613B73F64A4937BDC61
  • 0

#10
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\iqafebocovofa.dll
c:\windows\system32\drivers\cmfldfap.sys

Folder::
c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ljatowayewecig"=-

Driver::
cmfldfap


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
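An added Python example (not hammerman's or ComboFix's code) that parses lines in the shape of the ComboFix log above and flags the three items the CFScript targets, using the verification markers ComboFix prints ([N/A] on a Run value whose file could not be found, [?] on a driver whose image is missing) plus the freshly created GUID-named folder; the CFScript stanzas it renders are a draft for review, and the sample log lines are constructed to mirror the thread's log.

```python
"""Triage helper for ComboFix log excerpts (added example; not ComboFix's own code).

Line shapes follow the log quoted in this thread: Run values as "name"="path" [date size]
(with [N/A] when the file could not be stat'ed), service lines as S1 svc;display;path [date size]
(with [?] when the image is missing) and "Files Created" lines as created . modified size attrs path.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')

@dataclass
class Finding:
    kind: str                  # "run", "service" or "folder"
    name: str                  # value name, service name or folder basename
    path: str                  # path as ComboFix resolved it
    reason: str
    key: Optional[str] = None  # registry key a Run value lives under

def _resolved_path(path: str) -> str:
    """ComboFix prints an unresolved driver image as '\\??\\x --> x'; keep the target."""
    if '-->' in path:
        path = path.split('-->', 1)[1]
    return path.strip().strip('"')

def triage(log_text: str) -> List[Finding]:
    """Return autostart entries and folders that fail ComboFix's own verification."""
    findings: List[Finding] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = RUN_RE.match(line)
        if m and m.group('meta') == 'N/A':  # no date/size: the named file was not found
            findings.append(Finding('run', m.group('name'), m.group('path'),
                                    'Run value names a file ComboFix could not stat ([N/A])',
                                    key=current_key))
        m = SVC_RE.match(line)
        if m and m.group('meta') == '?':  # registered driver whose image is missing/unreadable
            findings.append(Finding('service', m.group('svc').strip(),
                                    _resolved_path(m.group('path')),
                                    'registered driver with no readable image ([?])'))
        m = FILE_RE.match(line)
        if m and m.group('attrs').startswith('d'):
            parent, _, base = m.group('path').rpartition('\\')
            # Pattern of the dropped extension folder in this thread: a fresh GUID-named directory.
            if GUID_RE.match(base) and parent.lower().endswith(r'\local settings\application data'):
                findings.append(Finding('folder', base, m.group('path'),
                                        'recently created GUID-named folder under the user profile'))
    return findings

def cfscript_draft(findings: List[Finding]) -> str:
    """Render findings as CFScript stanzas, in the order the thread uses, for analyst review."""
    stanzas = {'File::': [], 'Folder::': [], 'Registry::': [], 'Driver::': []}
    for f in findings:
        if f.kind == 'run':
            stanzas['File::'].append(f.path)
            if f.key:
                stanzas['Registry::'].append(f'[{f.key}]\n"{f.name}"=-')
        elif f.kind == 'service':
            stanzas['File::'].append(f.path)
            stanzas['Driver::'].append(f.name)
        elif f.kind == 'folder':
            stanzas['Folder::'].append(f.path)
    parts = [head + '\n' + '\n'.join(items) for head, items in stanzas.items() if items]
    return '\n\n'.join(parts) + '\n'

# Constructed sample: a few lines in the shape of the thread's ComboFix log.
SAMPLE_LOG = r"""
2010-07-09 02:38 . 2010-07-09 02:39 -------- d-----w- c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Ljatowayewecig"="c:\windows\iqafebocovofa.dll" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2010 7:27 AM 55456]
S1 cmfldfap;cmfldfap;\??\c:\windows\system32\drivers\cmfldfap.sys --> c:\windows\system32\drivers\cmfldfap.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [5/28/2007 5:04 PM 7548]
"""

if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f'{f.kind:8} {f.name:40} {f.reason}')
    print(cfscript_draft(hits))
```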


#11
mtovar76

mtovar76

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OK, back from the beach... here it is:


ComboFix 10-07-19.01 - Miguel 07/24/2010 16:58:25.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.840 [GMT -4:00]
Running from: c:\documents and settings\Miguel\Desktop\Virus remove stuff\ComboFix.exe
Command switches used :: c:\documents and settings\Miguel\Desktop\Virus remove stuff\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\windows\iqafebocovofa.dll"
"c:\windows\system32\drivers\cmfldfap.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}
c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}\chrome.manifest
c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}\chrome\content\_cfg.js
c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}\chrome\content\overlay.xul
c:\documents and settings\Miguel\Local Settings\Application Data\{B32868DE-87B3-4034-B74C-E846128680A8}\install.rdf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cmfldfap


((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-19 00:20 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-07-19 00:20 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-17 07:04 . 2010-07-17 07:04 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-17 05:02 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 04:09 . 2010-07-16 00:18 52432 ----a-w- c:\windows\system32\drivers\klmd.sys
2010-07-14 23:46 . 2010-07-14 23:46 -------- d-----w- c:\program files\Bonjour
2010-07-09 02:38 . 2010-07-09 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 23:55 . 2006-11-03 19:55 -------- d-----w- c:\program files\iTunes
2010-07-14 23:53 . 2006-01-30 05:27 -------- d-----w- c:\program files\iPod
2010-07-14 23:53 . 2007-07-06 02:11 -------- d-----w- c:\program files\Common Files\Apple
2010-07-10 15:32 . 2010-01-26 03:00 -------- d-----w- c:\program files\ERUNT
2010-07-09 02:32 . 2006-02-12 20:49 -------- d-----w- c:\documents and settings\Miguel\Application Data\BitTorrent
2010-07-04 22:46 . 2010-01-23 14:10 -------- d-----w- c:\documents and settings\Melinda.LYCAEUM\Application Data\Apple Computer
2010-06-29 23:21 . 2007-12-25 23:36 -------- d-----w- c:\documents and settings\Miguel\Application Data\ZoomBrowser EX
2010-06-29 23:14 . 2009-10-12 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-24 11:56 . 2010-06-24 11:56 -------- d-----w- c:\program files\Safari
2010-06-24 11:54 . 2008-12-15 22:13 -------- d-----w- c:\documents and settings\Miguel\Application Data\Move Networks
2010-06-14 14:31 . 2006-01-27 00:34 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-28 03:10 . 2009-11-14 22:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 10:29 . 2010-01-07 02:07 256 ----a-w- c:\documents and settings\Miguel\pool.bin
2010-04-27 21:16 . 2010-04-23 11:27 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-04-23 11:27 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-04-23 11:27 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-04-23 11:27 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-04-23 11:27 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-04-23 11:27 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-04-23 11:27 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-04-23 11:27 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-04-23 11:27 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-04-23 11:27 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2006-05-03 09:06 . 2007-03-27 01:07 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-03-27 01:07 31232 -csh--r- c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-07-01 21:20 . 2004-07-01 21:20 212992 c:\bak\Updater.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2008-12-16 20:16 637232 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
2003-02-08 22:42 86102 ------w- c:\program files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 19:17 133104 ----atw- c:\documents and settings\Miguel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2003-07-13 07:49 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-18 16:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-02-18 10:58 206184 -c--a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:*:Disabled:@xpsp2res.dll,-22017

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/14/2009 6:18 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/23/2010 7:27 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/24/2009 2:15 PM 206096]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2010 7:27 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/23/2010 7:27 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/23/2010 7:27 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/23/2010 7:27 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/23/2010 7:27 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/23/2010 7:27 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/23/2010 7:27 AM 88480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2010 8:37 PM 135664]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [7/15/2010 12:09 AM 52432]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1181328]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/23/2010 7:27 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/23/2010 7:27 AM 83496]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [5/28/2007 5:04 PM 7548]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2010-01-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:11]

2008-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0d018b5720a4.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 00:36]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1592454029-2147250837-1004Core1ca59fb881124ee.job
- c:\documents and settings\Miguel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 19:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp:/www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.128.199.100:2202/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-725345543-1592454029-2147250837-1004\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\DLink\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-24 22:29:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 02:29
ComboFix2.txt 2010-07-20 02:25
ComboFix3.txt 2010-07-19 00:28

Pre-Run: 13,340,872,704 bytes free
Post-Run: 13,329,231,872 bytes free

- - End Of File - - 2391CD565F9E057D3B99AF3BB4F748BD

Thanks for your time.

#12
hammerman

  • Member 4k
  • 4,183 posts
Hi,

How's your computer running now?

Please follow these steps.

-- Step 1 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 2 --

Run Malwarebytes' Anti-Malware.
  • Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
  • Select the Scanner tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 3 --

Delete your copy of OTL and then...

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, change it to Minimal Output.
  • Under the Custom Scan box, paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Select Use SafeList under Extra Registry.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

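To show what the Custom Scan list above actually asks the tool to do, here is an added example (not OTL's own code, nor anything posted in this thread): a small Python scanner that expands %VAR% paths, globs each pattern, and hashes the entries marked /md5. It handles only that subset of the directive syntax, and the tree it scans is a constructed sample, not a real system32.

```python
import glob, hashlib, os, re, tempfile

# Subset of the directives from the post; %VAR% expands as on Windows.
DIRECTIVES = [
    r"%systemroot%\Fonts\*.dll",                # a DLL under Fonts is out of place
    r"%systemroot%\Fonts\*.com",
    r"%systemroot%\system32\*.wt",
    r"%systemroot%\system32\ws2_32.dll /md5",   # Winsock DLLs: record their hash
    r"%systemroot%\system32\ws2help.dll /md5",
]

def expand(pattern, env):
    """Replace %NAME% with env[name] (case-insensitive, Windows style)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), pattern)

def md5_file(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def custom_scan(directives, env):
    """Return [(path, md5 or None), ...] for every file a directive matches."""
    hits = []
    for line in directives:
        parts = line.split()
        pattern = expand(parts[0], env).replace("\\", os.sep)
        want_md5 = "/md5" in parts[1:]
        for path in sorted(glob.glob(pattern)):
            if os.path.isfile(path):
                hits.append((path, md5_file(path) if want_md5 else None))
    return hits

def demo():
    """Scan a constructed fake %systemroot% (sample data, not a real system)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Fonts"))
    os.makedirs(os.path.join(root, "system32"))
    open(os.path.join(root, "Fonts", "arial.ttf"), "wb").close()      # legitimate font
    open(os.path.join(root, "Fonts", "dropper.dll"), "wb").close()    # suspicious DLL
    open(os.path.join(root, "system32", "ws2_32.dll"), "wb").close()  # empty stand-in
    return custom_scan(DIRECTIVES, {"systemroot": root})

if __name__ == "__main__":
    for path, digest in demo():
        print(path, digest or "")
```

Only dropper.dll and ws2_32.dll appear in the output; ws2help.dll is listed in the directives but absent from the sample tree, so it simply produces no line.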

#13
hammerman

  • Member 4k
  • 4,183 posts
Duplicate post

Edited by hammerman, 25 July 2010 - 03:18 AM.


#14
hammerman

  • Member 4k
  • 4,183 posts
Duplicate post

Edited by hammerman, 25 July 2010 - 03:17 AM.


#15
hammerman

  • Member 4k
  • 4,183 posts
Duplicate post.

Edited by hammerman, 25 July 2010 - 03:16 AM.
