
Thread: Malware issues

#1 Junior Member (joined Jul 2008, New Hampshire, 23 posts)

Malware issues

I have run Spybot and uncovered the following malware that I need assistance with removing.

    Command Service

    Smitfraud-C.CoreService

The Spybot software was able to clean up about 100+ issues that the laptop had, but these two remain.

    OuterInfo was found and removed.

    Unit has had WinXP re-installed and now the USB ports are not totally functioning.

When a USB drive is plugged in, the "ding" is heard that the system has found the drive, but it does not show in the "My Computer" listings.

The USB ports were functioning before the OuterInfo malware was removed and the WinXP re-install.

This machine is a mess... I am just trying to avoid having to re-format and re-install the whole shooting match.

I do have an HJT log, as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:02:31 PM, on 7/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\mrofinu572.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SpeedRunner.exe
    C:\Documents and Settings\Patti Smith\Application Data\Microsoft\Windows\tbihtd.exe
    C:\PROGRA~1\COMMON~1\zfqi\zfqim.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\GetModule\GetModule19.exe
    C:\Program Files\GetPack\GetPack19.exe
    C:\Program Files\mjc\mjc.exe
    C:\Program Files\Sakora\Sakora.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\COMMON~1\zfqi\zfqia.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\COMMON~1\zfqi\zfqil.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {8862345E-3556-476B-8E62-3944E6A54339} - C:\WINDOWS\system32\tuvUMgdc.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\efcDSlLc.dll
    O2 - BHO: {ac61a2c8-1da6-821a-1664-534d29523caa} - {aac32592-d435-4661-a128-6ad18c2a16ca} - C:\WINDOWS\system32\pvoaqb.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
    O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] C:\WINDOWS\system32\wTMP\idevdpll.exe DWram
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662E901F3D293320221C46402788A1B8FA5FA5C664DFC5B3A2FBB4EB59BDD6717359926033AAC
    O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Patti Smith\Local Settings\Temporary Internet Files\Content.IE5\C1TIBXOJ\installer_sbd_en[1].exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [48c98b1e] rundll32.exe "C:\WINDOWS\system32\woqunxhd.dll",b
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [BM4bfab882] Rundll32.exe "C:\WINDOWS\system32\iukjrhgi.dll",s
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4280] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8181] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SpeedRunner.exe
    O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Patti Smith\Application Data\Microsoft\Windows\tbihtd.exe
    O4 - HKCU\..\Run: [zfqi] C:\PROGRA~1\COMMON~1\zfqi\zfqim.exe
    O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
    O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
    O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
    O4 - HKCU\..\Run: [Sakora] C:\Program Files\Sakora\Sakora.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\wTMP\idevdpll.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1b6a899e607242c6bd7578c4b527079d
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1b6a899e607242c6bd7578c4b527079d
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O20 - Winlogon Notify: efcDSlLc - C:\WINDOWS\SYSTEM32\efcDSlLc.dll
    O20 - Winlogon Notify: jkhhh - jkhhh.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html

    --
    End of file - 14226 bytes
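The HJT log above is what the helpers in this thread read by hand; as an added example (not code from the thread, HijackThis, Spybot or ComboFix), the script below applies a few review cues to lines copied from that log: Trusted Zone additions, load points whose file is missing, services with no publisher, rundll32 entries with a short export name, random eight-letter modules in system32, and folder names that are base64 text (the C:\WINDOWS\UGF0dGkgU21pdGg folder decodes to the account name). The rules and thresholds are the editor's assumptions and flag items for review, not verdicts.

```python
"""Triage heuristics for HijackThis (HJT) log entries.

Added example for this thread; it is not part of the original posts and is
not HijackThis, Spybot or ComboFix code. The sample lines are copied from the
log in post #1; the rules are the editor's own review cues, not verdicts.
"""
import base64
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# "O4 - HKLM\..\Run: [name] path args" -> section "O4", rest "HKLM\..\Run: ..."
_ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Every Windows path on the line, read up to a loadable-module extension.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|vbs|cpl))', re.I)
# Vundo-style random eight-lowercase-letter module names dropped into system32.
_RANDOM_STEM_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
# rundll32 loading a DLL through a one- or two-character export name ("...dll",b).
_RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\w{1,2}\s*$', re.I)
# What a decoded folder name must look like before it counts as readable text.
_TEXTY_RE = re.compile(r"[A-Za-z0-9 ._-]+")


def decode_base64_name(segment):
    """Return the text a directory name decodes to, or None if it is not text.

    C:\\WINDOWS\\UGF0dGkgU21pdGg\\command.exe in post #1 is the case in point:
    the folder name is the base64 of the account name with the trailing "="
    stripped, so padding is restored before decoding.
    """
    if len(segment) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+", segment):
        return None
    try:
        raw = base64.b64decode(segment + "=" * (-len(segment) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", errors="replace")
    return text if _TEXTY_RE.fullmatch(text) else None


def triage_line(line):
    """Apply every review cue to one HJT entry and return the Findings."""
    line = line.strip()
    m = _ENTRY_RE.match(line)
    if not m:
        return []
    section, rest = m.groups()
    found = []
    if "(file missing)" in rest:
        found.append(Finding(section, "load point references a missing file", line))
    if section == "O15":
        found.append(Finding(section, "domain added to IE Trusted Zone", line))
    if section == "O23" and "Unknown owner" in rest:
        found.append(Finding(section, "service without a publisher name", line))
    if _RUNDLL_RE.search(rest):
        found.append(Finding(section, "rundll32 with short export name", line))
    for path in _PATH_RE.findall(rest):
        parts = path.split("\\")
        dirs, name = parts[1:-1], parts[-1]
        if any(d.lower() == "system32" for d in dirs) and _RANDOM_STEM_RE.match(name):
            found.append(Finding(section, "random 8-letter module in system32", line))
        for d in dirs:
            decoded = decode_base64_name(d)
            if decoded:
                found.append(Finding(section, f"base64 folder name ({decoded!r})", line))
    return found


def triage(lines):
    """Run triage_line over an iterable of log lines, keeping log order."""
    return [f for line in lines for f in triage_line(line)]


# Lines copied from the log in post #1 (the first two are benign controls).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    r"O2 - BHO: (no name) - {8862345E-3556-476B-8E62-3944E6A54339} - C:\WINDOWS\system32\tuvUMgdc.dll (file missing)",
    r'O4 - HKLM\..\Run: [48c98b1e] rundll32.exe "C:\WINDOWS\system32\woqunxhd.dll",b',
    r"O15 - Trusted Zone: *.avsystemcare.com",
    r"O20 - Winlogon Notify: jkhhh - jkhhh.dll (file missing)",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UGF0dGkgU21pdGg\command.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.section:<4} {f.reason:<40} {f.line[:70]}")
```

Feeding a whole saved HJT log through `triage()` gives a shortlist to check first; the two control lines produce no findings, which is the false-positive check for the name heuristics.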

#2 pskelley, In Memoriam (joined Oct 2005, Clearwater, Florida, 20,247 posts)

Welcome to Safer Networking. I wish to be sure you have viewed and understand this information:
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

Patti, is Spybot S&D the only tool you have run so far? It would not cause USB issues. You have a good mess here; where did you get all of this junk?

Reformat is an option, but I believe we can clean it if you will follow directions. It will be work, though!

    Make sure you read the directions and that word wrap is turned off in notepad.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Remove any old copies of combofix before you proceed.
    Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop.
• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the combofix log and a new HJT log.

    Tutorial
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

#3 Junior Member (joined Jul 2008, New Hampshire, 23 posts)

Malware

Be it known... this is not my PC... it belongs to one of my co-workers... who let her son use her PC...

I will start on the first step that you have supplied... tonight... hopefully.

My post got lost in all the others... basically... I could not "find myself".

#4 pskelley, In Memoriam (joined Oct 2005, Clearwater, Florida, 20,247 posts)

At the top of this page is "Thread Tools". Click that, and then on the drop-down menu choose Subscribe to the thread (you should have been subscribed when you posted). A notification will come in email whenever I respond to the topic. Make sure you don't have mail from Safer Networking going to junk mail; best to add us to your address book until we finish.

    Thanks

#5 Junior Member (joined Jul 2008, New Hampshire, 23 posts)

Malware Removal

Good evening, it took me a bit...

Hope I did this correctly.

Here is the ComboFix log:

    ComboFix 08-07-14.2 - Patti Smith 2008-07-15 18:56:52.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.137 [GMT -4:00]
    Running from: D:\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner
    C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\config.cfg
    C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SpeedRunner.exe
    C:\Documents and Settings\Patti Smith\Application Data\SpeedRunner\SRUninstall.exe
    C:\Documents and Settings\Patti Smith\My Documents\FNTS~1
    C:\Documents and Settings\Patti Smith\My Documents\STEM32~1
    C:\Documents and Settings\Patti Smith\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Patti Smith\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Patti Smith\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\AntiSpywareMaster
    C:\Program Files\Common Files\racle~1
    C:\Program Files\Common Files\zfqi
    C:\Program Files\Common Files\zfqi\zfqia.exe
    C:\Program Files\Common Files\zfqi\zfqia.lck
    C:\Program Files\Common Files\zfqi\zfqid\class-barrel
    C:\Program Files\Common Files\zfqi\zfqid\vocabulary
    C:\Program Files\Common Files\zfqi\zfqid\zfqic.dll
    C:\Program Files\Common Files\zfqi\zfqih
    C:\Program Files\Common Files\zfqi\zfqil.exe
    C:\Program Files\Common Files\zfqi\zfqil.lck
    C:\Program Files\Common Files\zfqi\zfqim.exe
    C:\Program Files\Common Files\zfqi\zfqim.lck
    C:\Program Files\Common Files\zfqi\zfqip.exe
    C:\Program Files\Common Files\zfqi\zfqip.lck
    C:\Program Files\ComPlus Applications\qucano.dll
    C:\Program Files\crosof~1.net
    C:\Program Files\GetModule
    C:\Program Files\GetModule\dicik.gz
    C:\Program Files\GetModule\GetModule18.exe
    C:\Program Files\GetModule\GetModule19.exe
    C:\Program Files\GetModule\kwdik.gz
    C:\Program Files\GetPack
    C:\Program Files\GetPack\dictame.gz
    C:\Program Files\GetPack\GetPack18.exe
    C:\Program Files\GetPack\GetPack19.exe
    C:\Program Files\GetPack\trgtame.gz
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\mjc
    C:\Program Files\mjc\mjc.exe
    C:\Program Files\QdrPack
    C:\Program Files\QdrPack\bostrupd.exe
    C:\Program Files\QdrPack\QdrPack16.exe
    C:\Program Files\QdrPack\QdrPack17.exe
    C:\Program Files\QdrPack\wadsvupd.exe
    C:\Program Files\Sakora
    C:\Program Files\Sakora\Sakora.exe
    C:\Program Files\Spcron
    C:\Program Files\Spcron\Spc.dll
    C:\Program Files\Temporary
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\BM4bfab882.txt
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\racle~1
    C:\WINDOWS\system\oeminfo.ini
    C:\WINDOWS\system32\aigchqff.dll
    C:\WINDOWS\system32\ajbxcqve.ini
    C:\WINDOWS\system32\auksrbbj.ini
    C:\WINDOWS\system32\awjjsetv.dll
    C:\WINDOWS\system32\b1
    C:\WINDOWS\system32\b1\cbwa3ui.exe
    C:\WINDOWS\system32\bdssnemc.dll
    C:\WINDOWS\system32\bejirmhx.dll
    C:\WINDOWS\system32\beqbshwj.ini
    C:\WINDOWS\system32\bkcnrbrc.ini
    C:\WINDOWS\system32\bqgkjrfr.dll
    C:\WINDOWS\system32\brysidvk.ini
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\bxnmhysv.dll
    C:\WINDOWS\system32\cbacabqh.ini
    C:\WINDOWS\system32\cfplxfxj.dll
    C:\WINDOWS\system32\ckfqtaxd.dll
    C:\WINDOWS\system32\crbrnckb.dll
    C:\WINDOWS\system32\cvcjgfyy.dll
    C:\WINDOWS\system32\cwhuqcvt.dll
    C:\WINDOWS\system32\decykfur.dll
    C:\WINDOWS\system32\dhxnuqow.ini
    C:\WINDOWS\system32\dlpqyctf.dll
    C:\WINDOWS\system32\dobe~1
    C:\WINDOWS\system32\dpuioxag.dll
    C:\WINDOWS\system32\ebhflfto.dll
    C:\WINDOWS\system32\eelfnawq.dll
    C:\WINDOWS\system32\efcDSlLc.dll
    C:\WINDOWS\system32\efdilebm.dll
    C:\WINDOWS\system32\egsahpiq.ini
    C:\WINDOWS\system32\erllwlso.dll
    C:\WINDOWS\system32\evqcxbja.dll
    C:\WINDOWS\system32\fguytmpx.dll
    C:\WINDOWS\system32\fuoyelgl.dll
    C:\WINDOWS\system32\g14.exe
    C:\WINDOWS\system32\gcpicrxp.dll
    C:\WINDOWS\system32\giksapoa.dll
    C:\WINDOWS\system32\gqdniwmo.dll
    C:\WINDOWS\system32\hfooouks.dll
    C:\WINDOWS\system32\hqbacabc.dll
    C:\WINDOWS\system32\hxqyxiva.exe
    C:\WINDOWS\system32\iblwahjw.dll
    C:\WINDOWS\system32\icidyila.dll
    C:\WINDOWS\system32\idcbqq.dll
    C:\WINDOWS\system32\iomkyxjs.dll
    C:\WINDOWS\system32\isbjnoft.dll
    C:\WINDOWS\system32\itfmcgod.exe
    C:\WINDOWS\system32\iukjrhgi.dll
    C:\WINDOWS\system32\ixikmxsi.dll
    C:\WINDOWS\system32\jbbrskua.dll
    C:\WINDOWS\system32\jcupifup.dll
    C:\WINDOWS\system32\jwhsbqeb.dll
    C:\WINDOWS\system32\jxfxlpfc.ini
    C:\WINDOWS\system32\kgwdvtdu.dll
    C:\WINDOWS\system32\kuvhbwxk.dll
    C:\WINDOWS\system32\kvdisyrb.dll
    C:\WINDOWS\system32\lcnttkdm.exe
    C:\WINDOWS\system32\lcyhwjpf.exe
    C:\WINDOWS\system32\lqsrwajr.dll
    C:\WINDOWS\system32\lrbysbxn.dll
    C:\WINDOWS\system32\lylkvfll.dll
    C:\WINDOWS\system32\mbelidfe.ini
    C:\WINDOWS\system32\mchjxbyx.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mdiqpibe.dll
    C:\WINDOWS\system32\mmivbske.exe
    C:\WINDOWS\system32\mnetqwsk.dll
    C:\WINDOWS\system32\mqrlfecy.dll
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\mykvriid.dll
    C:\WINDOWS\system32\n3
    C:\WINDOWS\system32\n3\predircom3.exe
    C:\WINDOWS\system32\ntmuiyey.dll
    C:\WINDOWS\system32\nxbsybrl.ini
    C:\WINDOWS\system32\nxgefqnd.dll
    C:\WINDOWS\system32\ofyxewye.dll
    C:\WINDOWS\system32\ohdlbwsg.dll
    C:\WINDOWS\system32\opvyxejc.dll
    C:\WINDOWS\system32\otkwvsoc.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pdaeohmr.dll
    C:\WINDOWS\system32\pqhtcaub.dll
    C:\WINDOWS\system32\pvoaqb.dll
    C:\WINDOWS\system32\qiphasge.dll
    C:\WINDOWS\system32\qisxtoyv.dll
    C:\WINDOWS\system32\qoareyth.ini
    C:\WINDOWS\system32\qscctlav.dll
    C:\WINDOWS\system32\qwanflee.ini
    C:\WINDOWS\system32\qwptfwaq.exe
    C:\WINDOWS\system32\qwrrykat.ini
    C:\WINDOWS\system32\qxygkber.dll
    C:\WINDOWS\system32\qyrcfkcy.dll
    C:\WINDOWS\system32\rebkgyxq.ini
    C:\WINDOWS\system32\rekkwjyo.dll
    C:\WINDOWS\system32\rjawrsql.ini
    C:\WINDOWS\system32\rwwnw64d.exe
    C:\WINDOWS\system32\scmnxymt.exe
    C:\WINDOWS\system32\sks~1
    C:\WINDOWS\system32\skuooofh.ini
    C:\WINDOWS\system32\takyrrwq.dll
    C:\WINDOWS\system32\tbqwcemw.dll
    C:\WINDOWS\system32\tsfirrxn.dll
    C:\WINDOWS\system32\uausfdwt.exe
    C:\WINDOWS\system32\ucvjkdjm.ini
    C:\WINDOWS\system32\upquskpv.ini
    C:\WINDOWS\system32\vccncflv.dll
    C:\WINDOWS\system32\vuensgch.dll
    C:\WINDOWS\system32\vyffgyjy.ini
    C:\WINDOWS\system32\vyotxsiq.ini
    C:\WINDOWS\system32\wibkwotd.exe
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\woqunxhd.dll
    C:\WINDOWS\system32\wxdnfdba.exe
    C:\WINDOWS\system32\xdgkmdqg.dll
    C:\WINDOWS\system32\xdriwhrg.ini
    C:\WINDOWS\system32\xlmlamna.dll
    C:\WINDOWS\system32\xlxwfpuy.dll
    C:\WINDOWS\system32\xpmanqmv.dll
    C:\WINDOWS\system32\xpmtyugf.ini
    C:\WINDOWS\system32\yayVnNfd.dll
    C:\WINDOWS\system32\ycdisymv.dll
    C:\WINDOWS\system32\ydnndbfb.dll
    C:\WINDOWS\system32\yjygffyv.dll
    C:\WINDOWS\system32\yyfgjcvc.ini
    C:\WINDOWS\system32\yyfwghfx.dll
    C:\WINDOWS\UGF0dGkgU21pdGg\
    C:\WINDOWS\UGF0dGkgU21pdGg\\asappsrv.dll
    C:\WINDOWS\UGF0dGkgU21pdGg\\command.exe
    C:\WINDOWS\UGF0dGkgU21pdGg\\o3IXx340oZYDx30.vbs
    C:\WINDOWS\UGF0dGkgU21pdGg\command.exe
    C:\WINDOWS\zfqi
    C:\WINDOWS\zfqi\wu
    C:\WINDOWS\zfqi\zfqi.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_NETWORK_MONITOR
    -------\Service_cmdService


    ((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
    .

    2008-07-15 19:36 . 2008-07-15 19:36 <DIR> d-------- C:\temp\tn3
    2008-07-15 19:36 . 2008-07-15 19:36 49,159 --a------ C:\WINDOWS\system32\rwwnw64d.exe
    2008-07-15 19:36 . 2008-07-15 19:36 32 --a------ C:\WINDOWS\system32\msnav32.ax
    2008-07-09 20:36 . 2008-07-09 20:39 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-07-09 20:26 . 2008-07-15 18:05 0 --a------ C:\WINDOWS\system32\atmtd.dll.tmp
    2008-07-07 21:11 . 2005-10-14 14:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2008-07-07 21:10 . 2008-07-07 21:10 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-07-07 21:07 . 2008-07-07 21:07 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2008-07-07 20:54 . 2004-08-04 08:00 131,584 --a--c--- C:\WINDOWS\system32\dllcache\pmxviceo.dll
    2008-07-07 20:53 . 2004-08-04 08:00 187,938 --a--c--- C:\WINDOWS\system32\dllcache\c_20005.nls
    2008-07-07 20:52 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
    2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-07-07 20:50 . 2008-07-07 20:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-07-07 20:50 . 2008-07-07 20:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-07 20:49 . 2004-08-04 08:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-07-07 20:39 . 2004-08-04 08:00 2,012,670 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
    2008-07-07 20:01 . 2008-07-07 20:15 <DIR> d-------- C:\VundoFix Backups
    2008-07-07 19:52 . 2008-07-07 19:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-07 18:39 . 2008-07-07 18:39 <DIR> d-------- C:\Documents and Settings\Patti Smith\Application Data\RegSweep
    2008-07-07 16:26 . 2008-07-07 16:26 <DIR> d-------- C:\WINDOWS\dell
    2008-06-25 11:47 . 2008-06-25 08:47 41,984 --a------ C:\WINDOWS\b156.exe
    2008-06-24 17:32 . 2008-06-24 17:32 <DIR> d-------- C:\Program Files\BChanger
    2008-06-22 09:43 . 2008-06-22 09:43 41,984 -ra------ C:\WINDOWS\mrofinu572.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-15 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-07-09 22:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-07 23:30 8,438 ----a-w C:\Documents and Settings\Patti Smith\Application Data\wklnhst.dat
    2008-06-13 11:05 95,232 ----a-w C:\WINDOWS\b152.exe
    2008-06-11 21:10 --------- d-----w C:\Program Files\iCheck
    2008-06-01 21:50 --------- d-----w C:\Documents and Settings\Guest\Application Data\Symantec
    2008-05-16 11:30 231,424 ----a-w C:\WINDOWS\b148.exe
    2008-05-12 10:43 68,096 ----a-w C:\WINDOWS\b155.exe
    2008-04-26 16:39 37,376 ----a-w C:\WINDOWS\mrofinu1000106.exe
    2006-08-06 00:42 77,120 ----a-w C:\Documents and Settings\Patti Smith\Application Data\GDIPFONTCACHEV1.DAT
    2007-08-09 17:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-08-09 17:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
    "AcctMgr"="C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" [2006-11-27 21:43 591488]
    "ncoOSCheck"="C:\Program Files\Norton Confidential\osCheck.exe" [2006-11-27 21:40 120488]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-22 22:27 180269]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
    "{98-8B-BB-B1-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-07-15 19:36 49159]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 06:00 208952]
    "IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 06:00 44032]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 08:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 08:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 08:00 455168]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]

    C:\Documents and Settings\Patti Smith\Start Menu\Programs\Startup\
    DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-07-15 19:36:49 49159]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\ComPlus Applications\rteleci.html
    FriendlyName=

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
    backup=C:\WINDOWS\pss\Verizon Online Support Center.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
    C:\WINDOWS\system32\WLTRAY [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    --a------ 2005-03-04 12:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    --a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --a------ 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a------ 2005-01-12 15:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-17 00:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-10-14 14:46 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-10-14 14:50 114688 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    --a------ 2005-10-14 14:49 94208 C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    --a------ 2006-07-07 19:15 600896 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-02-16 17:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    --a------ 2006-07-07 19:14 576320 C:\Program Files\Microsoft IntelliType Pro\itype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    --a------ 2001-08-17 00:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a------ 2002-05-18 13:04 327680 C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
    --a------ 2004-12-09 14:58 86016 C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2003-11-19 18:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2004-05-14 01:35 536576 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    --a------ 2004-05-13 11:23 98304 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2005-12-22 22:27 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msncall.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 termddd;termddd;C:\WINDOWS\system32\drivers\termddd.sys [2008-04-26 12:39]
    R2 CWMonitor;Symantec Crimeware Protection Driver;C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys [2006-10-05 10:41]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-27 03:14:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-07-15 23:25:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2008-07-07 22:40:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
    - C:\Program Files\RegSweep\RegSweep.ex
    - C:\Program Files\RegSweep
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8862345E-3556-476B-8E62-3944E6A54339} - C:\WINDOWS\system32\tuvUMgdc.dll
    HKCU-Run-GetModule19 - C:\Program Files\GetModule\GetModule19.exe
    HKCU-Run-GetPack19 - C:\Program Files\GetPack\GetPack19.exe
    HKCU-Run-mjc - C:\Program Files\mjc\mjc.exe
    HKCU-Run-Sakora - C:\Program Files\Sakora\Sakora.exe
    HKLM-Run-48c98b1e - C:\WINDOWS\system32\woqunxhd.dll
    HKLM-Run-BM4bfab882 - C:\WINDOWS\system32\iukjrhgi.dll
    Notify-jkhhh - jkhhh.dll
    MSConfigStartUp-DXDllRegExe - dxdllreg.exe


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-15 19:36:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\rwwnw64d.exe 49159 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-07-15 19:41:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-07-15 23:41:17

    Pre-Run: 12,942,577,664 bytes free
    Post-Run: 13,691,314,176 bytes free

    417 --- E O F --- 2008-04-12 12:55:24


    and now for the hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:01:38 PM, on 7/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\coShared\CW\1.0\CWDefScn.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    c:\windows\system32\rwwnw64d.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Common Files\Symantec Shared\coShared\CIM\1.0\AcctMgr.exe" /startup
    O4 - HKLM\..\Run: [ncoOSCheck] C:\Program Files\Norton Confidential\osCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] c:\windows\system32\rwwnw64d.exe DWram
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?1b6a899e607242c6bd7578c4b527079d
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?1b6a899e607242c6bd7578c4b527079d
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html

    --
    End of file - 11370 bytes

  6. #6
pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information and yes Patti, you have a very infected computer on your hands. Where did you get it infected this bad? Look at the files under Other Deletions in the combofix log that were removed and that will give you an idea of the infection.
    Be sure to read and follow all directions carefully and in the numbered order.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    3) Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\rwwnw64d.exe
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\atmtd.dll.tmp
    C:\WINDOWS\mrofinu572.exe
    
    Folder::
    C:\temp\tn3
    C:\VundoFix Backups
    Save this as CFScript



    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

    4) Start > Control Panel > Add Remove programs and uninstall MyWaySearch (or anything that looks like it)

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] c:\windows\system32\rwwnw64d.exe DWram
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rteleci.html

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

Restart and post the combofix log from CFScript, a new HJT log and some feedback from you. How is the computer running now?

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
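The steps above (and the remark in a later reply that every O15 entry here is a malware site sitting in the Trusted Zone) amount to a manual triage of the HijackThis log: map each O15 line to the ZoneMap registry key it represents, and pick out the O4 autostarts that point at an unknown binary in system32 or that re-launch the same file from more than one location. The script below is an added example of that triage, written for this thread; it is not code from the page, from HijackThis or from ComboFix. The sample lines are copied from the log posted above, the system32 allowlist is an assumption, and the ZoneMap layout it reports (Domains\<host> with a "*" value of 2 for Trusted sites) is how Internet Explorer stores the zone.

```python
"""Triage a HijackThis log: O15 Trusted Zone entries and suspicious O4 autostarts.

Added example for this thread, not code from the page or from HijackThis/ComboFix.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{98-8B-BB-B1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: OS/OEM binaries that legitimately autostart from system32 on this XP box.
SYSTEM32_ALLOWLIST = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}

# IE stores Trusted Zone hosts under <hive>\<ZONEMAP>\<host> with value "*" = 2.
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
O4_RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
O4_STARTUP_RE = re.compile(r"^(Global Startup|Startup): (.+?) = (.*)$")
O15_RE = re.compile(r"^Trusted Zone: (\S+)(?: \((HKLM)\))?$")


def exe_path(command):
    """Pull the executable out of a Run value or a Startup link target (quotes/arguments dropped)."""
    m = re.match(r'^"?(.*?\.(?:exe|dll|scr|bat|cmd|pif))"?(?:\s|$)', command, re.I)
    return m.group(1) if m else command.strip('"')


def parse_hjt(text):
    """Return one dict per recognised HJT line: section, raw line, and section-specific fields."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        e = {"section": section, "raw": raw}
        if section == "O4":
            r, s = O4_RUN_RE.match(body), O4_STARTUP_RE.match(body)
            if r:
                e.update(location=f"{r.group(1)}\\Run", name=r.group(2), target=exe_path(r.group(3)))
            elif s:
                e.update(location=s.group(1), name=s.group(2), target=exe_path(s.group(3)))
        elif section == "O15":
            z = O15_RE.match(body)
            if z:
                e.update(domain=z.group(1), hive=z.group(2) or "HKCU")  # no suffix means per-user
        entries.append(e)
    return entries


def trusted_zone_keys(entries):
    """Map every O15 entry to (hive, registry key, raw line). Any site added to the
    Trusted Zone deserves review; HJT shows '*.host' for the Domains\\host key."""
    out = []
    for e in entries:
        if e["section"] == "O15" and "domain" in e:
            host = e["domain"][2:] if e["domain"].startswith("*.") else e["domain"]
            out.append((e["hive"], f"{e['hive']}\\{ZONEMAP}\\{host}", e["raw"]))
    return out


def suspicious_autostarts(entries, allowlist=SYSTEM32_ALLOWLIST):
    """Flag O4 targets that live in system32 but are not allowlisted, or that are
    launched from more than one autostart location (redundant persistence)."""
    by_target = defaultdict(list)
    for e in entries:
        if e["section"] == "O4" and "target" in e:
            by_target[e["target"].lower()].append(e)
    findings = []
    for target, es in by_target.items():
        base = target.rsplit("\\", 1)[-1]
        reasons = []
        if "\\system32\\" in target and base not in allowlist:
            reasons.append("unknown binary in system32")
        locations = {e["location"] for e in es}
        if len(locations) > 1:
            reasons.append(f"same target in {len(locations)} autostart locations")
        if reasons:
            findings.append({"target": target, "reasons": reasons, "lines": [e["raw"] for e in es]})
    return findings


def hjt_fix_list(entries):
    """The raw lines to tick before 'Fix checked' in HijackThis, in the order found."""
    lines = [raw for _, _, raw in trusted_zone_keys(entries)]
    for f in suspicious_autostarts(entries):
        lines.extend(f["lines"])
    return lines


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for hive, key, _ in trusted_zone_keys(parsed):
        print(f"O15 {hive}: {key}")
    for f in suspicious_autostarts(parsed):
        print(f"O4  {f['target']}: {', '.join(f['reasons'])}")
    print("fix list:", *hjt_fix_list(parsed), sep="\n  ")
```

On the sample, the only O4 finding is rwwnw64d.exe, flagged for both reasons (unknown system32 binary, and launched from the HKLM Run key and the user's Startup folder), which matches the catchme "hidden files" hit and the two O4 lines the helper asked to fix; the three O15 lines resolve to the per-user and per-machine ZoneMap keys. Clearing a Trusted Zone entry with HJT removes that Domains key; the same result can be had by deleting the key by hand once the log has been read this way.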

  7. #7
    Junior Member
    Join Date
    Jul 2008
    Location
    New Hampshire
    Posts
    23

    Default Malware issues

    I did review that "Other Deletions" section.
Patti's computer has most definitely been places... and apparently unprotected to boot. She had Norton on it but I highly doubt it was running.

    I will have to postpone the next step until tomorrow evening. It's after 9 pm here and I have to be up at 4am to be in to work at 6.

    Thanks for all your assistance to this point.

BTW - I'm the Helpdesk in the IT Dept. at my place of employ. That's how I end up unraveling others' computer issues... after work. I can't stress enough to our users how important good antivirus software is and the attention they should pay to keeping it up to date and running.

And this lady wants to get another computer... for the son that messed up this one... Oh... joy...

  8. #8
pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

Thanks for the feedback and that is not a problem. I hope you told her to keep the computer unplugged unless you plug it in. This junk will download more, and all of the O15 items are malware sites that have access to her "Trusted Zone".

    Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Location
    New Hampshire
    Posts
    23

    Default Malware issues

She is on vacation and her laptop is here at my place. Since it is configured for her high-speed access and all I have available is dial-up, it's not making any connection to the internet. Any of the tools have to be downloaded by my PC and saved to a CD (since that is the only drive it recognizes that I can use to move the tools onto the machine).

  10. #10
pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I am not quite sure what you are telling me. Perhaps it would be better to close this topic and you can post again when all parties are prepared to cooperate in the cleanup. Many folks are waiting for anyone who can help them just now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
