Malware issues
wildhorseAnnie
2008-07-10, 04:12
I have run Spybot and uncovered the following malware that I need assistance with removing:
Command Service
Smitfraud-C.CoreService
The Spybot software was able to clean up about 100+ issues that the laptop had, but these two remain.
OuterInfo was found and removed.
The unit has had WinXP re-installed, and now the USB ports are not totally functioning.
When a USB drive is plugged in, the "ding" is heard that the system has found the drive, but it does not show in the "My Computer" listing.
The USB ports were functioning before the OuterInfo malware was removed and the WinXP re-install.
This machine is a mess. I am just trying to avoid having to re-format and re-install the whole shooting match.
I do have an HJT log, as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:31 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Patti Smith\Application Data\Microsoft\Windows\tbihtd.exe
C:\PROGRA~1\COMMON~1\zfqi\zfqim.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\GetModule\GetModule19.exe
C:\Program Files\GetPack\GetPack19.exe
C:\Program Files\mjc\mjc.exe
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\zfqi\zfqia.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\COMMON~1\zfqi\zfqil.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {8862345E-3556-476B-8E62-3944E6A54339} - C:\WINDOWS\system32\tuvUMgdc.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\efcDSlLc.dll
O2 - BHO: {ac61a2c8-1da6-821a-1664-534d29523caa} - {aac32592-d435-4661-a128-6ad18c2a16ca} - C:\WINDOWS\system32\pvoaqb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] C:\WINDOWS\system32\wTMP\idevdpll.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662E901F3D293320221C46402788A1B8FA5FA5C664DFC5B3A2FBB4EB59BDD6717359926033AAC
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Patti Smith\Local Settings\Temporary Internet Files\Content.IE5\C1TIBXOJ\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [48c98b1e] rundll32.exe "C:\WINDOWS\system32\woqunxhd.dll",b
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BM4bfab882] Rundll32.exe "C:\WINDOWS\system32\iukjrhgi.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA4280] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8181] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Patti Smith\Application Data\Microsoft\Windows\tbihtd.exe
O4 - HKCU\..\Run: [zfqi] C:\PROGRA~1\COMMON~1\zfqi\zfqim.exe
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\wTMP\idevdpll.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O20 - Winlogon Notify: efcDSlLc - C:\WINDOWS\SYSTEM32\efcDSlLc.dll
O20 - Winlogon Notify: jkhhh - jkhhh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
--
End of file - 14226 bytes
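The log above is the kind a removal helper reads by hand, so here is an added example of doing the first pass mechanically. This is editor-supplied Python, not code from the poster, from Safer Networking or from HijackThis; the heuristics (orphaned "(file missing)" entries, any O15 Trusted Zone addition, autostarts from scratch directories, Winlogon Notify packages outside an assumed stock list, eight-letter random module names in system32 loaded as a BHO, a Notify DLL or via rundll32, services with no version owner, and directory names that are base64 of printable text) and the two lists of "known" names are my own assumptions, and the sample input is ten lines copied from the HJT log in the post. One thing it surfaces that is easy to miss by eye: the service directory UGF0dGkgU21pdGg is base64 for the logged-in user's name.

```python
"""Triage a HijackThis 2.0 log with a few removal-helper heuristics.
Added example; not part of the original post or of HijackThis itself.
The directory and Winlogon-Notify lists below are my own assumptions."""
import base64
import binascii
import re

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First Windows path on the line that ends in a loadable/executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|vbs|ocx|cpl))', re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$", re.I)   # Vundo-style random module names
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")

# Directories nothing legitimate auto-starts from (assumption: my own list).
USER_WRITABLE = ("\\temporary internet files\\", "\\local settings\\temp\\",
                 "\\application data\\", "\\temp\\")
# Winlogon Notify packages expected on XP SP2 plus common vendor ones
# (assumption: my own list; extend it for your build).
NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "navlogon"}


def decode_if_base64(component):
    """Return the text if a path component is base64 of printable ASCII, else None."""
    if not B64_RE.match(component) or len(component.rstrip("=")) % 4 == 1:
        return None
    padded = component.rstrip("=")
    padded += "=" * (-len(padded) % 4)          # restore padding the dropper left off
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() and text.strip() else None


def triage(log_text):
    """Return (line number, reason, evidence) tuples for entries worth a look."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else ""
        low = path.lower()
        stem = re.sub(r"\.[a-z]+$", "", low.rsplit("\\", 1)[-1])
        evidence = path or body

        if "(file missing)" in body:                       # orphan: payload already gone
            findings.append((lineno, "orphaned entry", evidence))
        if kind == "O15":                                  # XP ships with no trusted sites
            findings.append((lineno, "trusted zone addition", body.split(":", 1)[1].strip()))
        if any(d in low for d in USER_WRITABLE):           # autostart from a scratch dir
            findings.append((lineno, "autostart from user-writable dir", path))
        if kind == "O20":
            pkg = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if pkg not in NOTIFY_DEFAULTS:
                findings.append((lineno, "non-default winlogon notify", pkg))
        if ("\\system32\\" in low and RANDOM_STEM_RE.match(stem)
                and (kind in ("O2", "O20") or "rundll32" in body.lower())):
            findings.append((lineno, "random 8-letter system32 module", path))
        if kind == "O23" and "unknown owner" in body.lower():
            findings.append((lineno, "service binary with no version owner", path))
        for comp in path.split("\\")[1:-1]:                # directory names only
            decoded = decode_if_base64(comp)
            if decoded:
                findings.append((lineno, "base64 directory name", f"{comp} -> {decoded!r}"))
    return findings


# Constructed sample: ten lines copied from the HJT log in the post above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {8862345E-3556-476B-8E62-3944E6A54339} - C:\WINDOWS\system32\tuvUMgdc.dll (file missing)
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\efcDSlLc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [48c98b1e] rundll32.exe "C:\WINDOWS\system32\woqunxhd.dll",b
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Patti Smith\Local Settings\Temporary Internet Files\Content.IE5\C1TIBXOJ\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: efcDSlLc - C:\WINDOWS\SYSTEM32\efcDSlLc.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for lineno, reason, evidence in triage(SAMPLE_LOG):
        print(f"line {lineno:2d}  {reason:36s} {evidence}")
```

Run as-is it prints ten findings for the seven suspect lines and nothing for the Windows Live, iTunes and iPod entries. The eight-letter rule is deliberately tied to how the module is loaded: igfxpers.exe is also eight letters, but it is a plain O4 executable, not a BHO, a Notify package or a rundll32 argument, so it stays quiet. Treat every hit as a lead to check against the file's version information and signer, not as a verdict.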
pskelley
2008-07-11, 14:43
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.
Patti, is Spybot S&D the only tool you have run so far? It would not cause USB issues. You have a good mess here; where did you get all of this junk?
Reformat is an option, but I believe we can clean it if you will follow directions; it will be work, though!
Make sure you read the directions and that word wrap is turned off in Notepad.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Remove any old copies of ComboFix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double-click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the ComboFix log and a new HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks...Phil
wildhorseAnnie
2008-07-15, 21:04
Be it known, this is not my PC. It belongs to one of my co-workers, who let her son use her PC.
I will start on the first step that you have supplied tonight, hopefully.
My post got lost in all the others, basically. I could not "find myself".
pskelley
2008-07-15, 21:31
At the top of this page is "Thread Tools". Click that, and then on the drop-down menu choose "Subscribe to this Thread" (you should have been subscribed when you posted). A notification will come in email whenever I respond to the topic. Make sure you don't have mail from Safer Networking going to junk mail; it is best to add us to your address book until we finish.
Thanks
wildhorseAnnie
2008-07-16, 03:09
Good evening. It took me a bit.
Hope I did this correctly.
Here is the ComboFix log:
ComboFix 08-07-14.2 - Patti Smith 2008-07-15 18:56:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.137 [GMT -4:00]
Running from: D:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner
C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\config.cfg
C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SRUninstall.exe
C:\Documents and Settings\Patti Smith\My Documents\FNTS~1
C:\Documents and Settings\Patti Smith\My Documents\STEM32~1
C:\Documents and Settings\Patti Smith\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Patti Smith\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Patti Smith\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\AntiSpywareMaster
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\zfqi
C:\Program Files\Common Files\zfqi\zfqia.exe
C:\Program Files\Common Files\zfqi\zfqia.lck
C:\Program Files\Common Files\zfqi\zfqid\class-barrel
C:\Program Files\Common Files\zfqi\zfqid\vocabulary
C:\Program Files\Common Files\zfqi\zfqid\zfqic.dll
C:\Program Files\Common Files\zfqi\zfqih
C:\Program Files\Common Files\zfqi\zfqil.exe
C:\Program Files\Common Files\zfqi\zfqil.lck
C:\Program Files\Common Files\zfqi\zfqim.exe
C:\Program Files\Common Files\zfqi\zfqim.lck
C:\Program Files\Common Files\zfqi\zfqip.exe
C:\Program Files\Common Files\zfqi\zfqip.lck
C:\Program Files\ComPlus Applications\qucano.dll
C:\Program Files\crosof~1.net
C:\Program Files\GetModule
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\GetModule\GetModule19.exe
C:\Program Files\GetModule\kwdik.gz
C:\Program Files\GetPack
C:\Program Files\GetPack\dictame.gz
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\GetPack\GetPack19.exe
C:\Program Files\GetPack\trgtame.gz
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mjc
C:\Program Files\mjc\mjc.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\bostrupd.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrPack\QdrPack17.exe
C:\Program Files\QdrPack\wadsvupd.exe
C:\Program Files\Sakora
C:\Program Files\Sakora\Sakora.exe
C:\Program Files\Spcron
C:\Program Files\Spcron\Spc.dll
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM4bfab882.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\system32\aigchqff.dll
C:\WINDOWS\system32\ajbxcqve.ini
C:\WINDOWS\system32\auksrbbj.ini
C:\WINDOWS\system32\awjjsetv.dll
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\b1\cbwa3ui.exe
C:\WINDOWS\system32\bdssnemc.dll
C:\WINDOWS\system32\bejirmhx.dll
C:\WINDOWS\system32\beqbshwj.ini
C:\WINDOWS\system32\bkcnrbrc.ini
C:\WINDOWS\system32\bqgkjrfr.dll
C:\WINDOWS\system32\brysidvk.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bxnmhysv.dll
C:\WINDOWS\system32\cbacabqh.ini
C:\WINDOWS\system32\cfplxfxj.dll
C:\WINDOWS\system32\ckfqtaxd.dll
C:\WINDOWS\system32\crbrnckb.dll
C:\WINDOWS\system32\cvcjgfyy.dll
C:\WINDOWS\system32\cwhuqcvt.dll
C:\WINDOWS\system32\decykfur.dll
C:\WINDOWS\system32\dhxnuqow.ini
C:\WINDOWS\system32\dlpqyctf.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dpuioxag.dll
C:\WINDOWS\system32\ebhflfto.dll
C:\WINDOWS\system32\eelfnawq.dll
C:\WINDOWS\system32\efcDSlLc.dll
C:\WINDOWS\system32\efdilebm.dll
C:\WINDOWS\system32\egsahpiq.ini
C:\WINDOWS\system32\erllwlso.dll
C:\WINDOWS\system32\evqcxbja.dll
C:\WINDOWS\system32\fguytmpx.dll
C:\WINDOWS\system32\fuoyelgl.dll
C:\WINDOWS\system32\g14.exe
C:\WINDOWS\system32\gcpicrxp.dll
C:\WINDOWS\system32\giksapoa.dll
C:\WINDOWS\system32\gqdniwmo.dll
C:\WINDOWS\system32\hfooouks.dll
C:\WINDOWS\system32\hqbacabc.dll
C:\WINDOWS\system32\hxqyxiva.exe
C:\WINDOWS\system32\iblwahjw.dll
C:\WINDOWS\system32\icidyila.dll
C:\WINDOWS\system32\idcbqq.dll
C:\WINDOWS\system32\iomkyxjs.dll
C:\WINDOWS\system32\isbjnoft.dll
C:\WINDOWS\system32\itfmcgod.exe
C:\WINDOWS\system32\iukjrhgi.dll
C:\WINDOWS\system32\ixikmxsi.dll
C:\WINDOWS\system32\jbbrskua.dll
C:\WINDOWS\system32\jcupifup.dll
C:\WINDOWS\system32\jwhsbqeb.dll
C:\WINDOWS\system32\jxfxlpfc.ini
C:\WINDOWS\system32\kgwdvtdu.dll
C:\WINDOWS\system32\kuvhbwxk.dll
C:\WINDOWS\system32\kvdisyrb.dll
C:\WINDOWS\system32\lcnttkdm.exe
C:\WINDOWS\system32\lcyhwjpf.exe
C:\WINDOWS\system32\lqsrwajr.dll
C:\WINDOWS\system32\lrbysbxn.dll
C:\WINDOWS\system32\lylkvfll.dll
C:\WINDOWS\system32\mbelidfe.ini
C:\WINDOWS\system32\mchjxbyx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdiqpibe.dll
C:\WINDOWS\system32\mmivbske.exe
C:\WINDOWS\system32\mnetqwsk.dll
C:\WINDOWS\system32\mqrlfecy.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\mykvriid.dll
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\n3\predircom3.exe
C:\WINDOWS\system32\ntmuiyey.dll
C:\WINDOWS\system32\nxbsybrl.ini
C:\WINDOWS\system32\nxgefqnd.dll
C:\WINDOWS\system32\ofyxewye.dll
C:\WINDOWS\system32\ohdlbwsg.dll
C:\WINDOWS\system32\opvyxejc.dll
C:\WINDOWS\system32\otkwvsoc.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pdaeohmr.dll
C:\WINDOWS\system32\pqhtcaub.dll
C:\WINDOWS\system32\pvoaqb.dll
C:\WINDOWS\system32\qiphasge.dll
C:\WINDOWS\system32\qisxtoyv.dll
C:\WINDOWS\system32\qoareyth.ini
C:\WINDOWS\system32\qscctlav.dll
C:\WINDOWS\system32\qwanflee.ini
C:\WINDOWS\system32\qwptfwaq.exe
C:\WINDOWS\system32\qwrrykat.ini
C:\WINDOWS\system32\qxygkber.dll
C:\WINDOWS\system32\qyrcfkcy.dll
C:\WINDOWS\system32\rebkgyxq.ini
C:\WINDOWS\system32\rekkwjyo.dll
C:\WINDOWS\system32\rjawrsql.ini
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\scmnxymt.exe
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\skuooofh.ini
C:\WINDOWS\system32\takyrrwq.dll
C:\WINDOWS\system32\tbqwcemw.dll
C:\WINDOWS\system32\tsfirrxn.dll
C:\WINDOWS\system32\uausfdwt.exe
C:\WINDOWS\system32\ucvjkdjm.ini
C:\WINDOWS\system32\upquskpv.ini
C:\WINDOWS\system32\vccncflv.dll
C:\WINDOWS\system32\vuensgch.dll
C:\WINDOWS\system32\vyffgyjy.ini
C:\WINDOWS\system32\vyotxsiq.ini
C:\WINDOWS\system32\wibkwotd.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\woqunxhd.dll
C:\WINDOWS\system32\wxdnfdba.exe
C:\WINDOWS\system32\xdgkmdqg.dll
C:\WINDOWS\system32\xdriwhrg.ini
C:\WINDOWS\system32\xlmlamna.dll
C:\WINDOWS\system32\xlxwfpuy.dll
C:\WINDOWS\system32\xpmanqmv.dll
C:\WINDOWS\system32\xpmtyugf.ini
C:\WINDOWS\system32\yayVnNfd.dll
C:\WINDOWS\system32\ycdisymv.dll
C:\WINDOWS\system32\ydnndbfb.dll
C:\WINDOWS\system32\yjygffyv.dll
C:\WINDOWS\system32\yyfgjcvc.ini
C:\WINDOWS\system32\yyfwghfx.dll
C:\WINDOWS\UGF0dGkgU21pdGg\
C:\WINDOWS\UGF0dGkgU21pdGg\\asappsrv.dll
C:\WINDOWS\UGF0dGkgU21pdGg\\command.exe
C:\WINDOWS\UGF0dGkgU21pdGg\\o3IXx340oZYDx30.vbs
C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
C:\WINDOWS\zfqi
C:\WINDOWS\zfqi\wu
C:\WINDOWS\zfqi\zfqi.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.
2008-07-15 19:36 . 2008-07-15 19:36 <DIR> d-------- C:\temp\tn3
2008-07-15 19:36 . 2008-07-15 19:36 49,159 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-07-15 19:36 . 2008-07-15 19:36 32 --a------ C:\WINDOWS\system32\msnav32.ax
2008-07-09 20:36 . 2008-07-09 20:39 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-09 20:26 . 2008-07-15 18:05 0 --a------ C:\WINDOWS\system32\atmtd.dll.tmp
2008-07-07 21:11 . 2005-10-14 14:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-07 21:10 . 2008-07-07 21:10 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-07 21:07 . 2008-07-07 21:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-07 20:54 . 2004-08-04 08:00 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
2008-07-07 20:53 . 2004-08-04 08:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-07-07 20:52 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-07 20:50 . 2008-07-07 20:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-07 20:49 . 2004-08-04 08:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-07-07 20:39 . 2004-08-04 08:00 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-07-07 20:01 . 2008-07-07 20:15 <DIR> d-------- C:\VundoFix Backups
2008-07-07 19:52 . 2008-07-07 19:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 18:39 . 2008-07-07 18:39 <DIR> d-------- C:\Documents and Settings\Patti Smith\Application Data\RegSweep
2008-07-07 16:26 . 2008-07-07 16:26 <DIR> d-------- C:\WINDOWS\dell
2008-06-25 11:47 . 2008-06-25 08:47 41,984 --a------ C:\WINDOWS\b156.exe
2008-06-24 17:32 . 2008-06-24 17:32 <DIR> d-------- C:\Program Files\BChanger
2008-06-22 09:43 . 2008-06-22 09:43 41,984 -ra------ C:\WINDOWS\mrofinu572.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-09 22:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-07 23:30 8,438 ----a-w C:\Documents and Settings\Patti Smith\Application Data\wklnhst.dat
2008-06-13 11:05 95,232 ----a-w C:\WINDOWS\b152.exe
2008-06-11 21:10 --------- d-----w C:\Program Files\iCheck
2008-06-01 21:50 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
2008-05-16 11:30 231,424 ----a-w C:\WINDOWS\b148.exe
2008-05-12 10:43 68,096 ----a-w C:\WINDOWS\b155.exe
2008-04-26 16:39 37,376 ----a-w C:\WINDOWS\mrofinu1000106.exe
2006-08-06 00:42 77,120 ----a-w C:\Documents and Settings\Patti Smith\Application Data\GDIPFONTCACHEV1.DAT
2007-08-09 17:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"AcctMgr"="C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" [2006-11-27 21:43 591488]
"ncoOSCheck"="C:\Program Files\Norton Confidential\osCheck.exe" [2006-11-27 21:40 120488]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-22 22:27 180269]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"{98-8B-BB-B1-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-07-15 19:36 49159]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 06:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 08:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
C:\Documents and Settings\Patti Smith\Start Menu\Programs\Startup\
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-07-15 19:36:49 49159]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\rteleci.html
FriendlyName=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=C:\WINDOWS\pss\Verizon Online Support Center.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 12:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 15:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-10-14 14:46 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-10-14 14:50 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-10-14 14:49 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-07-07 19:15 600896 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 17:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-07-07 19:14 576320 C:\Program Files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-17 00:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2002-05-18 13:04 327680 C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-12-09 14:58 86016 C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-05-14 01:35 536576 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-05-13 11:23 98304 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-22 22:27 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 termddd;termddd;C:\WINDOWS\system32\drivers\termddd.sys [2008-04-26 12:39]
R2 CWMonitor;Symantec Crimeware Protection Driver;C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys [2006-10-05 10:41]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 03:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 23:25:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-07 22:40:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.ex
- C:\Program Files\RegSweep
.
- - - - ORPHANS REMOVED - - - -
BHO-{8862345E-3556-476B-8E62-3944E6A54339} - C:\WINDOWS\system32\tuvUMgdc.dll
HKCU-Run-GetModule19 - C:\Program Files\GetModule\GetModule19.exe
HKCU-Run-GetPack19 - C:\Program Files\GetPack\GetPack19.exe
HKCU-Run-mjc - C:\Program Files\mjc\mjc.exe
HKCU-Run-Sakora - C:\Program Files\Sakora\Sakora.exe
HKLM-Run-48c98b1e - C:\WINDOWS\system32\woqunxhd.dll
HKLM-Run-BM4bfab882 - C:\WINDOWS\system32\iukjrhgi.dll
Notify-jkhhh - jkhhh.dll
MSConfigStartUp-DXDllRegExe - dxdllreg.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 19:36:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\rwwnw64d.exe 49159 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-15 19:41:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 23:41:17
Pre-Run: 12,942,577,664 bytes free
Post-Run: 13,691,314,176 bytes free
417 --- E O F --- 2008-04-12 12:55:24
and now for the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:38 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
--
End of file - 11370 bytes
pskelley
2008-07-16, 03:54
Thanks for returning your information, and yes, Patti, you have a very infected computer on your hands. Where did you get it infected this bad? Look at the files under Other Deletions in the ComboFix log that were removed and that will give you an idea of the infection.
Be sure to read and follow all directions carefully and in the numbered order.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open Notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\mrofinu572.exe
Folder::
C:\temp\tn3
C:\VundoFix Backups
Save this as CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)
4) Start > Control Panel > Add/Remove Programs and uninstall MyWaySearch (or anything that looks like it)
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the ComboFix log from CFScript, a new HJT log and some feedback from you. How is the computer running now?
Thanks...Phil
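The fix list above is built by reading a HijackThis log by hand: O15 lines (domains added to Internet Explorer's Trusted Zone, which relaxes the browser's security settings for those sites) and O4 autostart lines that point at a file ComboFix flagged. The following is an added example, not code from the forum, from HijackThis or from ComboFix: a small parser that pulls those entries out of a log and, given a second log taken after "Fix checked", lists which entries are gone. The sample logs are constructed, modelled on the thread's own lines; the parser assumes HijackThis's convention that machine-wide Trusted Zone entries carry an "(HKLM)" suffix and per-user entries do not.

```python
"""Pick out HijackThis entries worth attention and confirm that a fix removed them.

Added example (not part of the forum thread or of HijackThis). Assumes the
HijackThis line shape "Oxx - body" / "Rx - body" and the "(HKLM)" suffix on
machine-wide O15 Trusted Zone entries.
"""
import re
from typing import Dict, List, Set, Tuple

# Every HijackThis finding is "<section> - <body>", e.g. "O15 - Trusted Zone: *.example.com".
_ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O15 body: a domain pattern, optionally followed by " (HKLM)" for machine-wide entries.
_O15_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)(?: \((?P<hive>HKLM)\))?$")

# Constructed sample logs (a few lines in HijackThis format, modelled on the thread above).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each finding line; the process list and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def trusted_zone_domains(log_text: str) -> Dict[str, Set[str]]:
    """Map each O15 Trusted Zone pattern to the hives it was added in (HKCU when no suffix)."""
    result: Dict[str, Set[str]] = {}
    for section, body in parse_entries(log_text):
        if section != "O15":
            continue
        m = _O15_RE.match(body)
        if not m:
            continue
        hive = m.group("hive") or "HKCU"
        result.setdefault(m.group("domain"), set()).add(hive)
    return result


def autoruns_referencing(log_text: str, filename: str) -> List[str]:
    """Full O4 (autostart) lines whose body mentions filename, compared case-insensitively."""
    needle = filename.lower()
    return [f"{s} - {b}" for s, b in parse_entries(log_text)
            if s == "O4" and needle in b.lower()]


def removed_entries(before: str, after: str) -> List[str]:
    """Findings present in the earlier log but absent from the later one, in original order.

    Running this on the log taken before "Fix checked" and the one taken after it shows
    at a glance whether every selected line actually went away.
    """
    after_set = set(parse_entries(after))
    return [f"{s} - {b}" for s, b in parse_entries(before) if (s, b) not in after_set]


if __name__ == "__main__":
    for domain, hives in sorted(trusted_zone_domains(BEFORE_LOG).items()):
        print(f"Trusted Zone: {domain} in {', '.join(sorted(hives))}")
    for line in autoruns_referencing(BEFORE_LOG, "rwwnw64d.exe"):
        print(f"Autostart referencing flagged file: {line}")
    for line in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"Gone after fix: {line}")
```

Feeding it the two real logs (the one posted before the fix and the one posted afterwards) in place of the constructed samples gives the same "gone after fix" list a helper would otherwise build by eye; any line that is still present after "Fix checked" is the one to look at again.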
wildhorseAnnie
2008-07-16, 04:18
I did review that "Other Deletions" section.
Patti's computer has most definitely been places... and apparently unprotected to boot. She had Norton on it but I highly doubt it was running.
I will have to postpone the next step until tomorrow evening. It's after 9 pm here and I have to be up at 4am to be in to work at 6.
Thanks for all your assistance to this point.
BTW - I'm the Helpdesk in the IT Dept. at my place of employ... That's how I end up unraveling others' computer issues... after work. I can't stress enough to our users how important good antivirus software is and the attention they should pay to keeping it up to date and running.
And this lady wants to get another computer... for the son that messed up this one... Oh... joy...
pskelley
2008-07-16, 14:17
Thanks for the feedback and that is not a problem. I hope you told her to keep the computer unplugged unless you plug it in. This junk will download more and all of the O15 items are malware sites that have access to her "Trusted Zone".
Phil
wildhorseAnnie
2008-07-17, 02:15
She is on vacation and her laptop is here at my place. Since it is configured for her high-speed access and all I have available is dial-up, it's not making any connection to the internet. Any of the tools have to be downloaded by my PC and saved to a CD (since that is the only drive it recognizes that I can use to move the tools onto the machine).
pskelley
2008-07-17, 02:30
I am not quite sure what you are telling me. Perhaps it would be better to close this topic and you can post again when all parties are prepared to cooperate in the cleanup. Many folks are waiting for anyone who can help them just now.
Thanks
wildhorseAnnie
2008-07-17, 02:35
I am doing the cleanup - this is way beyond what Patty can handle... if you check my profile you will see who I am. I am cleaning up Patty's machine... and to be honest... I am learning a lot from you. More than the 5 PC Admins that I work with would ever even think that a "woman" could.
wildhorseAnnie
2008-07-17, 03:16
I have completed the instructions.
I did not find the first 4 lines you indicated in the HijackThis scan. Did find the last 22.
Here are the logs, the HijackThis first, followed by the ComboFix.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:04 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
--
End of file - 9962 bytes
Now the Combofix
ComboFix 08-07-14.2 - Patti Smith 2008-07-16 19:26:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239 [GMT -4:00]
Running from: C:\Documents and Settings\Patti Smith\Desktop\ComboFix.exe
Command switches used :: D:\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\temp\tn3
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\aimqnpgl.exe.bad
C:\VundoFix Backups\aomxvmrc.dll.bad
C:\VundoFix Backups\avdpgekr.exe.bad
C:\VundoFix Backups\cdgMUvut.ini.bad
C:\VundoFix Backups\cdgMUvut.ini2.bad
C:\VundoFix Backups\tk68.exe.bad
C:\VundoFix Backups\tuvUMgdc.dll.bad
C:\WINDOWS\BM4bfab882.xml
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.
2008-07-09 20:36 . 2008-07-09 20:39 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 21:11 . 2005-10-14 14:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-07-07 21:10 . 2008-07-07 21:10 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-07 21:07 . 2008-07-07 21:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-07 20:54 . 2004-08-04 08:00 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
2008-07-07 20:53 . 2004-08-04 08:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
2008-07-07 20:52 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-07 20:50 . 2008-07-07 20:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-07 20:49 . 2004-08-04 08:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-07-07 20:39 . 2004-08-04 08:00 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2008-07-07 19:52 . 2008-07-07 19:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 18:39 . 2008-07-07 18:39 <DIR> d-------- C:\Documents and Settings\Patti Smith\Application Data\RegSweep
2008-07-07 16:26 . 2008-07-07 16:26 <DIR> d-------- C:\WINDOWS\dell
2008-06-25 11:47 . 2008-06-25 08:47 41,984 --a------ C:\WINDOWS\b156.exe
2008-06-24 17:32 . 2008-06-24 17:32 <DIR> d-------- C:\Program Files\BChanger
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-09 22:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-07 23:30 8,438 ----a-w C:\Documents and Settings\Patti Smith\Application Data\wklnhst.dat
2008-06-13 11:05 95,232 ----a-w C:\WINDOWS\b152.exe
2008-06-11 21:10 --------- d-----w C:\Program Files\iCheck
2008-06-01 21:51 63,918 ----a-w C:\WINDOWS\system32\{24e1a0e2-948d-41fb-7012-268bdbd28a4a}.dll-uninst.exe
2008-06-01 21:50 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
2008-05-27 13:37 371,200 ----a-w C:\WINDOWS\system32\{24e1a0e2-948d-41fb-7012-268bdbd28a4a}.dll
2008-05-16 11:30 231,424 ----a-w C:\WINDOWS\b148.exe
2008-05-12 10:43 68,096 ----a-w C:\WINDOWS\b155.exe
2008-04-27 12:12 1,483,765 --sha-w C:\WINDOWS\system32\usrqvufj.tmp
2008-04-26 16:39 37,376 ----a-w C:\WINDOWS\mrofinu1000106.exe
2006-08-06 00:42 77,120 ----a-w C:\Documents and Settings\Patti Smith\Application Data\GDIPFONTCACHEV1.DAT
2007-08-09 17:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 17:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"AcctMgr"="C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" [2006-11-27 21:43 591488]
"ncoOSCheck"="C:\Program Files\Norton Confidential\osCheck.exe" [2006-11-27 21:40 120488]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-22 22:27 180269]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 06:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 08:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\rteleci.html
FriendlyName=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=C:\WINDOWS\pss\Verizon Online Support Center.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 12:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 15:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-10-14 14:46 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-10-14 14:50 114688 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-10-14 14:49 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2006-07-07 19:15 600896 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 17:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 2006-07-07 19:14 576320 C:\Program Files\Microsoft IntelliType Pro\itype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-17 00:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2002-05-18 13:04 327680 C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-12-09 14:58 86016 C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-05-14 01:35 536576 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-05-13 11:23 98304 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-22 22:27 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 termddd;termddd;C:\WINDOWS\system32\drivers\termddd.sys [2008-04-26 12:39]
R2 CWMonitor;Symantec Crimeware Protection Driver;C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys [2006-10-05 10:41]
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 03:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 23:25:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-07 22:40:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.ex
- C:\Program Files\RegSweep
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-{98-8B-BB-B1-DW} - C:\windows\system32\rwwnw64d.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 19:29:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-16 19:31:25
ComboFix-quarantined-files.txt 2008-07-16 23:30:46
ComboFix2.txt 2008-07-15 23:41:49
Pre-Run: 14,323,138,560 bytes free
Post-Run: 14,310,477,824 bytes free
208 --- E O F --- 2008-04-12 12:55:24
At least the machine is not giving constant error messages about dll's that it can't locate.
If you give me the go ahead, I will take the time to configure a dialup internet connection on it.
I am still unsure if the Norton installed on it is working properly,
ah . .just tried the shortcut that "says" it is Internet Security Suite and I get the http://ad.outerinfoads.com/reicon?bid=4047&pid=1600&oid=5&fid=99001281'. Make sure you typed the name correctly and then try again. To search for a file, click the Start button, then click Search. It also popped up a browser window.
I'm going to make a guess that even though this icon resembles Norton it is not; when I right-click on the shortcut and bring up the properties, the general tab says type of file - Internet Shortcut.
Would you say that this "shortcut" should be deleted?
wildhorseAnnie
2008-07-17, 03:38
In searching for antivirus software on this machine . .I'm not finding any.
It does have Norton Confidential, and in reading bits on this . it is not antivirus software.
I am familiar with Norton Antivirus and with McAfee.
I'm also seeing Sakora listed when I go to Start -> Control Panel -> Add and remove programs.
Should the Sakora be removed??
I'm not really finding info in my websearches that lead me to believe it is what I would call a valid software program.
pskelley
2008-07-17, 15:02
Thanks for returning your information and the feedback. The junk may have messed with her security programs like Symantec, so you will need to go online to update and run it to make sure it is running ok. If there are issues you will need to ask for instructions here:
http://www.symantec.com/enterprise/support/index.jsp
Sakora <<< uninstall that. I'm surprised combofix did not remove it; see this:
http://www.bleepingcomputer.com/startups/Sakora.exe-23358.html
Please post an uninstall list so I can take a look:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
A couple of things I notice, before you return the computer, but please wait until we are clean of malware.
1) Update Internet Explorer if only for the additional security it provides:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx
2) Install Service Pack 3 which is available now from Windows Updates.
Let's run MBAM to see if it can find anything not in the combofix database:
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.
Please add any comments or questions you think will help.
Thanks...Phil
wildhorseAnnie
2008-07-18, 00:14
Thanks Phil,
It may be a couple of nights before I can attempt that. . work has been hectic and it's overly warm here and I'm exhausted.
You have been fantastic . .wish you worked where I do . . .
Thanks again . .I will post when I have this next process completed.
Ann
pskelley
2008-07-18, 00:39
No problem Ann, and you are telling someone who lives in Clearwater, Florida about "overly warm":santa:
Since the computer is idle, take the time you need.
Phil
wildhorseAnnie
2008-07-21, 23:58
Hi Phil,
Here is the HJT uninstall_list from Patti's machine:
Adobe Flash Player Plugin
Adobe Reader 7.0.9
AnswerWorks 4.0 Runtime - English
AOL Instant Messenger
AppCore
Apple Mobile Device Support
Apple Software Update
Avira AntiVir PersonalEdition Classic
BChanger
BitLord 1.1
Bonjour
ccCommon
Conexant D110 MDC V.9x Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 3.1
Dell Wireless WLAN Card
Diablo II
Digital Line Detect
Form Fill (Windows Live Toolbar)
GdiplusUpgrade
HijackThis 2.0.2
Hoyle Puzzle Games 2007
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internal Network Card Power Management
Internet Explorer Default Page
Internet Speed Monitor
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player
Macromedia Flash Player 8
Macromedia Shockwave Player
MathPlayer
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Picture It! Photo 2002
Microsoft Picture It! Premium 10
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2002
Microsoft Streets and Trips 2005
Microsoft Word 2002
Microsoft Works
Microsoft Works 2002 Setup Launcher
Microsoft Works 2005 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (2.0.0.14)
MSN
MSN Encarta Plus Support Files
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NetWaiting
Norton Confidential
Norton Confidential
Norton Confidential (Symantec Corporation)
Norton Confidential Browser Component
Norton Confidential Crimeware Component
Norton Confidential MS redistributables
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
Norton Password Manager
Norton Personal Privacy
Norton Protection Center
OneCare Advisor (Windows Live Toolbar)
overland
Photo Click
Postal 2 Share The Pain
PowerDVD 5.5
QuickBooks Pro 2005
QuickSet
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Shockwave
Smart Menus (Windows Live Toolbar)
SPBBC 32bit
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Tabbed Browsing (Windows Live Toolbar)
TurboTax Deluxe 2007
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
TValue 5
Verizon Online
Verizon Online Support Center
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
WinRAR archiver
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Toolbar
pskelley
2008-07-22, 01:32
Hi Ann, I am looking for security issues and malware programs. It's a good time for the owner to look for installed programs that are no longer used, but I doubt they are there to do that. I do not see a lot, but I do see this:
Here is what I see:
1) Viewpoint Media Player << aol installs this without being asked, most folks don't know it is even there, much less often running and uses valuable resources.
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
2) Avira AntiVir PersonalEdition Classic
Since they are using Symantec, I see no reason not to uninstall this program, but it is your call.
3) Java 2 Runtime Environment, SE v1.4.2_03 <<< Java is BADLY out of date, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
4) TurboTax Deluxe 2007, TurboTax ItsDeductible 2005, TurboTax ItsDeductible 2006 <<< I question the need for these out-of-date programs?
5) Spybot - Search & Destroy 1.4 <<< old Spybot, I would update to the newest version before you return the computer, here is the information:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
6) They have a lot of other programs that are probably out of date and dangerous. If you want a freeware program to help with this, try this one:
https://psi.secunia.com/ The program runs with reminders from the System Tray, but I personally turn it off in MSConfig and start it myself when I want a check: http://www.netsquirrel.com/msconfig/msconfig_xp.html
7) Before we finish, we need to address this important issue:
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
wildhorseAnnie
2008-07-22, 03:53
removed the following:
1) Viewpoint Media Player
2) Avira AntiVir PersonalEdition Classic - system has Norton Confidential and Norton Protection Center . .but I have reservations about that
3) Java 2 Runtime Environment, SE v1.4.2_03
5) Spybot - Search & Destroy 1.4
the following will remain until Patti can take off:
4) TurboTax
Patti needs to leave the TurboTax programs on as she has tax info that she has not taken off on CD.
Installed newest version of Spybot -
Here is the first Mbam-log-
Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2
6:29:46 PM 7/21/2008
mbam-log-7-21-2008 (18-29-46).txt
Scan type: Full Scan (C:\|)
Objects scanned: 108992
Time elapsed: 1 hour(s), 11 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 122
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\pnVes01 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wTMP (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\drivers\termddd.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\4NWJY0TH\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\4O69KIPP\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\4O69KIPP\moorate[1] (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\NLEM0GNQ\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\REGJAC3X\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\REGJAC3X\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MOMSLAPTOP\Local Settings\Temporary Internet Files\Content.IE5\REGJAC3X\glas[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Patti Smith\Application Data\Microsoft\Windows\tbihtd.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Online Services\meqota821058.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SRUninstall.exe.vir (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\zfqi\zfqid\zfqic.dll.vir (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\GetModule\GetModule18.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\GetPack\GetPack18.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\GetPack\GetPack19.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\mjc\mjc.exe.vir (Adware.MJC) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrPack\bostrupd.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack16.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack17.exe.vir (Adware.ISM) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrPack\wadsvupd.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Sakora\Sakora.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Spcron\Spc.dll.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\tuvUMgdc.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bdssnemc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jcupifup.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jwhsbqeb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kgwdvtdu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cwhuqcvt.dll.vir (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dpuioxag.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eelfnawq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\efcDSlLc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\erllwlso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\evqcxbja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fuoyelgl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\g14.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hfooouks.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\icidyila.dll.vir (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lcnttkdm.exe.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lylkvfll.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iomkyxjs.dll.vir (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mdiqpibe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qisxtoyv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tbqwcemw.dll.vir (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pqhtcaub.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pvoaqb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\takyrrwq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vuensgch.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\woqunxhd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yayVnNfd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ycdisymv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yjygffyv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\n3\predircom3.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\UGF0dGkgU21pdGg\asappsrv.dll.vir (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000098.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000099.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000101.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000102.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000148.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000150.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000151.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000152.exe (Adware.MJC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000153.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000154.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000155.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000157.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000158.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000159.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000160.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000167.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000168.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000169.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000170.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000171.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000174.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000184.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000186.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000187.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000189.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000190.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000192.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000196.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000206.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000207.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000214.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000228.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000230.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000232.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000239.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000243.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000245.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000251.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000216.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000252.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000287.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000254.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000281.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000283.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000294.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000295.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000460.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000461.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b103.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b148.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b149.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\b156.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\b999.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pnVes01\pnVes011065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{24e1a0e2-948d-41fb-7012-268bdbd28a4a}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{24e1a0e2-948d-41fb-7012-268bdbd28a4a}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\DW_Start.lnk (Malware.Links) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Deewoo.lnk (Malware.Links) -> Quarantined and deleted successfully.
Since I had 4 items that it said it could not remove until a reboot, I rebooted and then ran Malwarebytes again, and this is the log from the 2nd run through.
Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2
7:29:28 PM 7/21/2008
mbam-log-7-21-2008 (19-29-28).txt
Scan type: Full Scan (C:\|)
Objects scanned: 109255
Time elapsed: 53 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
pskelley
2008-07-22, 04:03
Thanks, much of what MBAM found is either in the combofix quarantine or infected System Restore files. Both areas will be addressed as soon as you have Recovery Console installed or let me know you have a Windows Operating System CD and don't need to install it.
Thanks
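The point in the reply above, that most of the MBAM hits sit in the ComboFix quarantine folder or in System Restore snapshots rather than on the live file system, is easy to check mechanically. The following Python script is an added example for this thread, not code from the forum or from Malwarebytes: it parses MBAM "Files Infected" lines of the shape shown in the log, classifies each hit by where it lives, and lists anything still pending a reboot. The sample log is a constructed subset of the lines posted above; the location rules (QooBox quarantine, System Volume Information restore points) are assumptions based on the paths in this log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed subset of the MBAM log posted above (same line shapes, not the full log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.22
Database version: 972
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\bdssnemc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000168.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\b103.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.
(No malicious items detected)
"""

# One detection line: <path> (<detection name>) -> <action>.
LINE_RE = re.compile(r"^(?P<path>.+) \((?P<name>[A-Za-z0-9_.\-]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    path: str
    name: str
    action: str
    location: str


def classify(path: str) -> str:
    """Where the file lived when MBAM found it (assumed path rules for this log)."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):
        return "combofix_quarantine"   # already neutralised by ComboFix
    if r"\system volume information\_restore" in p:
        return "system_restore"        # copy inside a restore point, not active
    return "live"                      # on the normal file system


def parse_mbam_log(text: str) -> List[Detection]:
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, counter or "(No malicious items detected)" line
        found.append(Detection(m["path"], m["name"], m["action"], classify(m["path"])))
    return found


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts by location and family, plus files MBAM could only remove at reboot."""
    return {
        "by_location": dict(Counter(d.location for d in dets)),
        "by_family": dict(Counter(d.name for d in dets)),
        "pending_reboot": [d.path for d in dets if "reboot" in d.action.lower()],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Running this over the full log posted above gives the split the helper describes: the live-file-system bucket is the one that still needs attention, and the "pending_reboot" list is the set of items that explains why a second scan after restarting is worth doing.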
wildhorseAnnie
2008-07-23, 13:53
Thanks,
Do have the operating system CDs for this unit.
Ann
pskelley
2008-07-23, 17:02
Thanks for that information, remove combofix from the computer:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Post a HJT log and some feedback about performance.
Thanks
wildhorseAnnie
2008-07-24, 02:36
Performance appears to be good.
Can't find the CD creator software; can't get the thumb drive to work in the USB ports. The ports recognize the drive but it does not show up in My Computer.
Funny though: plug a printer into any USB port and it works just fine.
Here is the latest HJT log.
Let me know what you think.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:39 PM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1b6a899e607242c6bd7578c4b527079d
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
--
End of file - 10131 bytes
pskelley
2008-07-24, 03:40
This: O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
keeps bothering me because rteleci.html does not Google. Do you know what that is? If not:
C:\Program Files\ComPlus Applications\rteleci.html <<< Navigate to and delete that file.
I don't see any issues in the rest of that HJT log.
Can't find the CD creator software <<< not sure what you are saying here? Missing from the computer? CD is lost?
can't get thumb drive to work in the USB ports <<< and the printer will work when plugged in but the thumb drive is not recognized by the computer when plugged into the SAME USB port?
Try a new thumb drive? Is there any error message? With the thumb drive plugged in, do this:
Right click MyComputer > Choose Properties > Hardware tab > Device Manager tab > look for any indications of a problem, it would be red or yellow if there is an issue.
Thanks
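The reply above singles out one HJT line (an O24 Desktop Component pointing at an HTML file nobody can identify) out of a log that is otherwise judged clean. That kind of first pass can be scripted: the Python below is an added example for this thread, not code from the forum or from HijackThis, and it flags the entry types an analyst would look at first: O24 desktop components, and O23 services whose binary is reported missing or whose publisher is unknown. The sample input is a constructed subset of lines from the log posted above, and the flag rules are this example's own assumptions, not HijackThis's verdicts.

```python
import re
from typing import List, Tuple

# Constructed subset of the HijackThis log posted above (same line shapes, not the full log).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html
"""

# Every HJT entry starts with a section code (R0, O2, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def flag_hjt_lines(text: str) -> List[Tuple[str, str, str]]:
    """Return (code, reason, line) for entries worth a closer look (assumed rules)."""
    flags = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # process list, headers, "End of file" line
        code, body = m["code"], m["body"]
        if code == "O24":
            # Active Desktop components render arbitrary HTML on the desktop;
            # an unnamed one in an unusual folder deserves a manual check.
            flags.append((code, "Active Desktop component: verify the referenced HTML file", line))
        elif code == "O23":
            if "(file missing)" in body:
                # Either an orphaned service or an unquoted path HJT could not resolve.
                flags.append((code, "service binary not found at the listed path", line))
            elif "Unknown owner" in body:
                flags.append((code, "service binary has no recognised publisher", line))
    return flags


if __name__ == "__main__":
    for code, reason, line in flag_hjt_lines(SAMPLE_HJT):
        print(f"[{code}] {reason}\n    {line}")
```

The flags are prompts for review, not verdicts: on this machine the "Unknown owner" wltrysvc entry is a Dell wireless tray service, and the helper's own conclusion was that only the O24 line needed following up, which is exactly how the output should be read.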
wildhorseAnnie
2008-07-24, 04:10
O24 ... rteleci.html: HJT finds that line, but I am not able to find it when I drill down to C:\Program Files\ComPlus Applications\rteleci.html.
CD burner software: none found on the unit, no CD with it on it.
Recommend a good freeware program?
USB ports: been through all the wizards and troubleshooters on the system; now thinking it is a 1.0 / 2.0 compatibility issue. My units are all 2.0;
this laptop is about 3 years old.
Thanks for your assistance.
Calling it quits for tonight.
Ann
pskelley
2008-07-24, 13:57
the HJT finds that line but I am not able to find it when I drill down
Make sure all files and folders are visible:
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Use Search Companion to find out if it is even there:
Start > Search > All Files and Folders > Allow some time; you have a lot of files to search through.
http://www.google.com/search?hl=en&q=free+CD+burner+software+&btnG=Google+Search
wildhorseAnnie
2008-07-24, 19:20
Did the search; did not find it.
Ran HJT again; the line does not appear in the report now.
Thanks
Ann
pskelley
2008-07-28, 15:05
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.