
Active Google Hijack?

Discussion in 'Malware and Virus Removal Archive' started by Zedi, 2008/12/30.

  1. 2008/12/30
    Zedi (Thread Starter)

    [Active] Google Hijack?

    Hi!

    I'm on the "house PC" here and found a problem today that I'm unable to get rid of. All was working fine this morning, but when I came back the computer got infected. I think this problem has been discussed before (http://www.windowsbbs.com/malware-virus-removal/75463-resolved-unable-clean-remove-virus.html) but I'm not 100% sure if it's the same one... However, we did insert a USB stick and right after that the problems began! (I already cleaned the USB stick with Flash Disinfector, but we had inserted the USB stick before and never had problems after that, and never used it on other computers in the last weeks.)

    This is the problem:
    Google looks like it's hijacked; the results refer me to "weird" sites which are totally unrelated.

    NOD pointed out a problem and I deleted it. I don't have the message anymore, since I thought all was good, but it wasn't. However, from the other thread (since I searched with Yahoo (which worked fine) for the message and came here) I got this: a variant of Win32/Pacex.Gen virus.

    In the meantime I ran Malwarebytes, which deleted heaps of infected stuff (see log).

    I downloaded AVG and it found nothing.

    Ad-Aware found one thing (an MRU object) and removed it.

    I also scanned with HijackThis and nothing irregular came up.

    So basically I tried most free things and whatever it comes up with doesn't solve the problem.

    How do I tackle this problem effectively? I'm not that great with computers, so please keep it as simple as possible!


    Malwarebytes log:
    Malwarebytes' Anti-Malware 1.31
    Database version: 1580
    Windows 5.1.2600 Service Pack 3

    12/31/2008 11:47:39 AM
    mbam-log-2008-12-31 (11-47-38).txt

    Scan type: Quick Scan
    Objects scanned: 46661
    Time elapsed: 11 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 142
    Registry Values Infected: 7
    Registry Data Items Infected: 0
    Folders Infected: 20
    Files Infected: 94

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{938aa51a-996c-4884-98ce-80dd16a5c9da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d9fffb27-d62a-4d64-8cec-1ff006528805} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\SrchAstt\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\MyWebSearch\bar\3.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\096DEAC4 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\096E1A12.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\096E25AA.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\096E2E65.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\096E3AA9.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\096E517D.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F7B2F03.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F7B35C9.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F7B3BD4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F7C94AD.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F7CAD27.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F9368CB.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F936DCC.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F9378A9.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0F937C72 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\1379528D (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\25776A96 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
     
    Zedi,
    #1
  2. 2008/12/30
    noahdfear

    Welcome to WindowsBBS, Zedi :)

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.

    Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that though; just post it as you would any other log.
     

  4. 2008/12/30
    Zedi

    Thanks for the quick reply!

    Here is the log:


    DDS (Version 1.1.0) - NTFSx86
    Run by xxx at 15:39:03.71 on Wed 12/31/2008
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=OcjgQAtJAhyOarO7VWVKyg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
    uInternet Connection Wizard,ShellNext = hxxp://www.unwired.com.au/
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    TB: WebTranslator: {bfc32e1d-ee75-4a48-bc60-104e11ee2431} - c:\progra~1\pctran~1\webie.dll
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [kava] c:\windows\system32\kavo.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
    mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
    mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    uPolicies-explorer: NoViewOnDrive = 0 (0x0)
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - {bfc32e1d-ee75-4a48-bc60-104e11ee2431}\inprocserver32 does not exist!
    IE: {CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\pctran~1\webie.dll
    IE: {CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\pctran~1\webie.dll
    IE: {CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\pctran~1\webie.dll
    LSP: c:\windows\system32\imon.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: avgrsstx.dll
    LSA: Authentication Packages = msv1_0 nwprovau

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\xxx\applic~1\mozilla\firefox\profiles\tbgv8r2b.default\
    FF - prefs.js: browser.startup.homepage - www.google.com.au
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2008-12-31 14:37 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
    2008-12-31 14:37 10,520 a------- c:\windows\system32\avgrsstx.dll
    2008-12-31 14:37 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
    2008-12-31 14:37 <DIR> --d----- c:\windows\system32\drivers\Avg
    2008-12-31 14:37 <DIR> --d----- c:\program files\AVG
    2008-12-31 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2008-12-31 13:37 <DIR> --d----- c:\program files\Trend Micro
    2008-12-31 13:17 <DIR> --d----- c:\documents and settings\xxx\.housecall6.6
    2008-12-31 12:00 <DIR> --d----- c:\program files\Lavasoft
    2008-12-31 11:34 <DIR> --d----- c:\docume~1\xxx\applic~1\Malwarebytes
    2008-12-31 11:33 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2008-12-31 11:33 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-31 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2008-12-31 11:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2008-12-30 18:55 54,156 a---h--- c:\windows\QTFont.qfn
    2008-12-30 18:55 1,409 a------- c:\windows\QTFont.for
    2008-12-22 17:44 <DIR> --d----- c:\windows\system32\scripting
    2008-12-22 17:44 <DIR> --d----- c:\windows\l2schemas
    2008-12-22 17:44 <DIR> --d----- c:\windows\system32\bits
    2008-12-22 17:40 <DIR> --d----- c:\windows\ServicePackFiles
    2008-12-12 21:25 <DIR> --dsh--- c:\windows\ftpcache
    2008-12-12 18:17 286,720 -c------ c:\windows\system32\dllcache\gdi32.dll

    ==================== Find3M ====================

    2008-12-22 17:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2008-10-23 23:36 286,720 a------- c:\windows\system32\gdi32.dll
    2008-10-17 07:38 826,368 a------- c:\windows\system32\wininet.dll
    2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
    2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
    2008-10-03 21:02 247,326 a------- c:\windows\system32\strmdll.dll

    ============= FINISH: 15:41:56.53 ===============


    I don't want to change too much since it isn't my computer... I do want to have it fixed when the owner comes back though!
     
  5. 2008/12/30
    Zedi

    Oh, I forgot to post the attach file:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Version 1.0)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/8/2005 1:24:05 AM
    System Uptime: 12/31/2008 2:32:37 PM (1 hours ago)

    Motherboard: ASUSTek Computer INC. | | A7S8X-MX
    Processor: AMD Sempron(tm) 2200+ | Socket A | 1500/166mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 16 GiB total, 2.5 GiB free.
    D: is FIXED (NTFS) - 59 GiB total, 45.287 GiB free.
    E: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP330: 11/10/2008 9:09:59 PM - System Checkpoint
    RP331: 11/11/2008 10:30:46 PM - System Checkpoint
    RP332: 11/12/2008 11:48:50 PM - System Checkpoint
    RP333: 11/13/2008 9:29:39 AM - Software Distribution Service 3.0
    RP334: 11/14/2008 12:22:45 PM - System Checkpoint
    RP335: 11/15/2008 9:24:34 PM - System Checkpoint
    RP336: 12/12/2008 11:13:32 PM - Software Distribution Service 3.0
    RP337: 12/13/2008 4:40:59 PM - Software Distribution Service 3.0
    RP338: 12/14/2008 5:12:43 PM - System Checkpoint
    RP339: 12/15/2008 6:19:33 PM - System Checkpoint
    RP340: 12/16/2008 6:48:13 PM - System Checkpoint
    RP341: 12/18/2008 10:05:16 AM - Software Distribution Service 3.0
    RP342: 12/19/2008 11:55:15 AM - System Checkpoint
    RP343: 12/21/2008 10:12:58 AM - System Checkpoint
    RP344: 12/22/2008 5:23:39 PM - Software Distribution Service 3.0
    RP345: 12/22/2008 5:27:46 PM - Software Distribution Service 3.0
    RP346: 12/23/2008 5:40:27 PM - System Checkpoint
    RP347: 12/24/2008 5:53:23 PM - System Checkpoint
    RP348: 12/25/2008 7:24:06 PM - System Checkpoint
    RP349: 12/26/2008 8:00:48 PM - System Checkpoint
    RP350: 12/27/2008 8:15:34 PM - System Checkpoint
    RP351: 12/28/2008 9:16:50 PM - System Checkpoint
    RP352: 12/29/2008 10:35:00 PM - System Checkpoint
    RP353: 12/31/2008 11:59:43 AM - Installed Ad-Aware
    RP354: 12/31/2008 2:37:18 PM - Installed AVG Free 8.0

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Ad-Aware
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    AVG Free 8.0
    CA eTrust PestPatrol
    Codec Pack - All In 1 6.0.3.0
    e-tax 2008
    eMule
    FastStone Image Viewer 3.3
    FinePixViewer Resource
    FinePixViewer Ver.5.0
    Foxit Reader
    FUJIFILM USB Driver
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    ICQ6
    ImageMixer VCD2 LE for FinePix
    iPod for Windows 2006-03-23
    iTunes
    IZArc 3.81
    Java(TM) 6 Update 3
    Malwarebytes' Anti-Malware
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft XML Parser
    Mozilla Firefox (3.0.5)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    MYOB Accounting Plus v13.5
    Nero OEM
    neroxml
    NOD32 antivirus system
    NOD32 FiX v2.1
    PC Translator 2004 Komplet
    QuickTime
    rajče beta48
    RAW FILE CONVERTER LE
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    SiS 900 PCI Fast Ethernet Adapter Driver
    SiS VGA Utilities
    Skype™ 3.8
    Software Update for Web Folders
    SoundMAX
    TuneUp Utilities 2007
    Unwired
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb958619)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    VCRedistSetup
    VideoLAN VLC media player 0.8.6c
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    12/26/2008 4:09:20 PM, error: Dhcp [1002] - The IP address lease 192.168.1.165 for the Network Card with network address 0011D8B3FB22 has been denied by the DHCP server 192.168.1.5 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================

     
  6. 2008/12/30
    noahdfear

    Please visit the following webpage for instructions for downloading and running ComboFix.

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable real-time protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
  7. 2008/12/30
    Zedi

    It gave warnings about active programs, but I shut them down following the instructions on the link; it did, however, still give the warning!

    Anyhow, here is the log:

    ComboFix 08-12-30.01 - xxx 2008-12-31 16:08:12.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.199 [GMT 11:00]
    Running from: c:\documents and settings\xxx\Desktop\ComboFix2.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\xxx\Application Data\FunWebProducts
    c:\documents and settings\xxx\Application Data\FunWebProducts\Data\xxx\avatar.dat
    c:\documents and settings\xxx\Application Data\FunWebProducts\Data\xxx\register.dat
    c:\documents and settings\xxx\Application Data\FunWebProducts\Data\xxx\zbucks.dat
    c:\windows\system\system.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
    .

    2008-12-31 14:37 . 2008-12-31 14:39 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-12-31 14:37 . 2008-12-31 14:37 <DIR> d-------- c:\program files\AVG
    2008-12-31 14:37 . 2008-12-31 16:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-31 14:37 . 2008-12-31 14:37 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-12-31 14:37 . 2008-12-31 14:37 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-12-31 14:37 . 2008-12-31 14:37 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-12-31 13:37 . 2008-12-31 13:37 <DIR> d-------- c:\program files\Trend Micro
    2008-12-31 13:17 . 2008-12-31 14:30 <DIR> d-------- c:\documents and settings\xxx\.housecall6.6
    2008-12-31 12:00 . 2008-12-31 12:00 <DIR> d-------- c:\program files\Lavasoft
    2008-12-31 11:59 . 2008-12-31 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-31 11:34 . 2008-12-31 11:34 <DIR> d-------- c:\documents and settings\xxx\Application Data\Malwarebytes
    2008-12-31 11:33 . 2008-12-31 11:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-31 11:33 . 2008-12-31 11:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-31 11:33 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-31 11:33 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-30 18:55 . 2008-12-30 18:55 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-30 18:55 . 2008-12-30 18:55 1,409 --a------ c:\windows\QTFont.for
    2008-12-24 10:39 . 2008-12-24 10:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2008-12-22 17:44 . 2008-12-22 17:44 <DIR> d-------- c:\windows\system32\scripting
    2008-12-22 17:44 . 2008-12-22 17:44 <DIR> d-------- c:\windows\system32\bits
    2008-12-22 17:44 . 2008-12-22 17:44 <DIR> d-------- c:\windows\l2schemas
    2008-12-22 17:40 . 2008-12-22 17:45 <DIR> d-------- c:\windows\ServicePackFiles
    2008-12-12 21:25 . 2008-12-12 21:25 <DIR> d--hs---- c:\windows\ftpcache
    2008-12-12 18:52 . 2008-12-31 15:02 <DIR> d-------- c:\documents and settings\xxx\Application Data\U3
    2008-12-12 18:17 . 2008-10-23 23:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll
    2008-11-13 04:30 . 2008-10-24 22:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-03 09:43 . 2008-11-09 08:21 172 --a------ c:\windows\MYOBP.INI
    2008-11-03 09:43 . 2008-11-09 08:21 117 --a------ c:\windows\SwDrvs.ini
    2008-11-03 09:43 . 2008-11-09 08:21 40 --a------ c:\windows\MYOB.INI
    2008-11-03 09:40 . 2008-11-03 09:40 0 --a------ c:\windows\drvxl32.INI
    2008-11-03 09:40 . 2008-11-03 09:40 0 --a------ c:\windows\drvwp32.INI
    2008-11-03 09:40 . 2008-11-03 09:40 0 --a------ c:\windows\drvwd32.INI
    2008-11-03 09:36 . 2008-11-03 09:36 <DIR> d-------- c:\program files\MYOB
    2008-11-03 09:36 . 2008-11-03 13:51 <DIR> d-------- C:\myob135

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-31 05:14 --------- d-----w c:\program files\Unwired
    2008-12-31 00:57 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-31 00:19 --------- d-----w c:\program files\MSN Messenger
    2008-12-29 12:07 --------- d-----w c:\documents and settings\xxx\Application Data\Skype
    2008-12-29 05:04 --------- d-----w c:\documents and settings\xxx\Application Data\skypePM
    2008-12-12 12:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-08 21:21 --------- d-----w c:\program files\ICQ6
    2008-11-08 21:21 --------- d-----w c:\program files\FinePixViewer
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 03:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 03:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2007-05-15 53248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-12-18 949376]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-22 155648]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-31 1261336]
    "SiSPower"="SiSPower.dll" [2004-09-02 c:\windows\system32\SiSPower.dll]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Unwired Launchpad.lnk - c:\program files\Unwired\UwSCT.exe [2005-01-11 200704]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-12-18 331776]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.sys

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
    --a------ 2007-12-18 18:23 131072 c:\program files\CA\eTrust PestPatrol\PPActiveDetection.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-22 18:13 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ICQ"="c:\program files\ICQ6\ICQ.exe" silent
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\ICQ6\\ICQ.exe"=
    "c:\\Program Files\\Unwired\\UwWiz.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\eMule\\emule.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-31 97928]
    R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-12-18 15424]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-31 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-31 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-31 76040]
    S3 gsplittm;gsplittm;\??\c:\docume~1\xxx\LOCALS~1\Temp\gsplittm.sys []

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02e6ec6d-9896-11dd-85a5-0011d8b3fb22}]
    \Shell\AutoRun\command - F:\loaderw.exe /no hidden

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102bc82f-f3d8-11dc-84db-0011d8b3fb22}]
    \Shell\AutoRun\command - F:\30ed3.exe
    \Shell\explore\Command - F:\30ed3.exe
    \Shell\open\Command - F:\30ed3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc2a4586-c821-11dd-8600-0011d8b3fb22}]
    \Shell\AutoRun\command - g:\__stickydrive\StickyDrive.exe
    \Shell\StickyDrive\Command - g:\__stickydrive\StickyDrive.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6f7cc7c-b1ca-11dc-84ce-0011d8b3fb22}]
    \Shell\AutoRun\command - F:\AutoTransfer.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL
    MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=OcjgQAtJAhyOarO7VWVKyg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
    uInternet Connection Wizard,ShellNext = hxxp://www.unwired.com.au/
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
    IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
    IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
    LSP: c:\windows\system32\imon.dll
    FF - ProfilePath - c:\documents and settings\xxx\Application Data\Mozilla\Firefox\Profiles\tbgv8r2b.default\
    FF - prefs.js: browser.startup.homepage - www.google.com.au
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-31 16:15:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
    @Owner=Administrators
    @Denied: (A 2) (Everyone)
    @Denied: (A 2) (S-1-5-7)
    @="FlashProp Class"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
    @Owner=Administrators
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9b.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\Programmable]
    @Owner=Administrators
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(592)
    c:\windows\system32\imon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\ESET\nod32krn.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\windows\system32\WgaTray.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-31 16:18:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-31 05:18:50

    Pre-Run: 2,614,681,600 bytes free
    Post-Run: 2,603,393,024 bytes free

    227 --- E O F --- 2008-12-22 06:51:14
     
    Zedi,
    #6
  8. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have a flash drive infection. Please download Flash_Disinfector by sUBs and save it to your desktop:

    NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

    • Plug in your USB flash drive.
    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Your desktop will vanish for a while, and then reappear. This is normal.
    • Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.



    Next, once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Driver::
    gsplittm
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02e6ec6d-9896-11dd-85a5-0011d8b3fb22}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102bc82f-f3d8-11dc-84db-0011d8b3fb22}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc2a4586-c821-11dd-8600-0011d8b3fb22}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6f7cc7c-b1ca-11dc-84ce-0011d8b3fb22}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
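To show how the CFScript above maps onto the ComboFix log (a driver loading from a Temp folder with no file found, and MountPoints2 keys carrying Shell handlers for a removable drive), here is a small triage script. It is an added example written for this thread, not code from ComboFix, sUBs or noahdfear; the SAMPLE_LOG text is constructed from the log entries quoted earlier in the thread, and the flagging rules (empty `[]` stamp, `\Temp\` in the path, any `\Shell\...` handler under `mountpoints2`) are the editor's assumptions about what is worth a second look, not a ComboFix rule.

```python
"""Triage a ComboFix "Reg Loading Points" section (added example; not code
from the thread, from ComboFix or from sUBs).  It flags the two things the
CFScript in the post above removes: drivers/services that load from a Temp
folder or whose file is missing, and MountPoints2 keys that carry Shell
handlers (AutoRun/open/explore) for a drive, then renders the matching
CFScript Driver:: and Registry:: lines.  SAMPLE_LOG is constructed from the
entries quoted in the thread."""
import re

SAMPLE_LOG = r"""
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-12-18 15424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-31 231704]
S3 gsplittm;gsplittm;\??\c:\docume~1\xxx\LOCALS~1\Temp\gsplittm.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02e6ec6d-9896-11dd-85a5-0011d8b3fb22}]
\Shell\AutoRun\command - F:\loaderw.exe /no hidden

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{102bc82f-f3d8-11dc-84db-0011d8b3fb22}]
\Shell\AutoRun\command - F:\30ed3.exe
\Shell\explore\Command - F:\30ed3.exe
\Shell\open\Command - F:\30ed3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ICQ"="c:\program files\ICQ6\ICQ.exe" silent
"""

# "R1 name;display name;path [date size]" -- an empty [] means no file was found.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)\s*\[(.*)\]$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "\Shell\AutoRun\command - F:\something.exe args"
HANDLER_RE = re.compile(r"^(\\Shell\\\S+)\s+-\s+(.+)$")


def triage(log):
    """Return {'drivers': [names], 'mountpoints': {guid: {'key': ..., 'handlers': [(verb, cmd)]}}}."""
    drivers = []
    mountpoints = {}
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path, stamp = m.groups()
            # Assumed rule: a driver with no file on disk or living under Temp is suspect.
            if stamp == "" or "\\temp\\" in path.lower():
                drivers.append(name)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = HANDLER_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            guid = current_key.rsplit("\\", 1)[1]
            entry = mountpoints.setdefault(guid, {"key": current_key, "handlers": []})
            entry["handlers"].append((m.group(1), m.group(2)))
    return {"drivers": drivers, "mountpoints": mountpoints}


def build_cfscript(result):
    """Render the findings as CFScript lines in the same shape as the post above."""
    lines = []
    if result["drivers"]:
        lines.append("Driver::")
        lines.extend(result["drivers"])
    if result["mountpoints"]:
        lines.append("Registry::")
        lines.extend("[-%s]" % e["key"] for e in result["mountpoints"].values())
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for guid, entry in result["mountpoints"].items():
        for verb, cmd in entry["handlers"]:
            print("MountPoints2 %s %s -> %s" % (guid, verb, cmd))
    print(build_cfscript(result))
```

Running it on the sample prints the two F: handlers and then a `Driver::` / `Registry::` block that matches the first two MountPoints2 lines of the CFScript posted above; the StickyDrive and AutoTransfer keys from the real log would be listed the same way if their lines were included in SAMPLE_LOG, which is why a human still reviews the output before dropping it on ComboFix.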
     
  9. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    First of all a happy new year to all of you!

    Back to the problems:
    How do I close NOD32? I followed the link you previously gave me and clicked "quit" but combofix still said it was active...

    Does it matter which encoding CFScript.txt uses? It saves itself as encoding: ANSI

    Another question: we got a laptop yesterday (yay for generous parents who like to support their travelling kids). Is it safe to use the USB stick in that computer now that I disinfected it? Furthermore, which anti-spyware/antivirus do you recommend for this laptop? It has a trial version at the moment and I'm not sure if I want to pay for a full version if free antivirus like AVG and Ad-Aware do the job too.
     
    Zedi,
    #8
  10. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The ansi format is fine.

    Nod32 is one of the more pita apps when it comes to disabling it. See if this helps.

    Flash drive should be safe to use in any computer. Flash_Disinfector writes info to the drive to protect it.

    AVG and Ad-aware are both fine apps, though my own recommendation these days, from personal experience, is the Kaspersky Internet Security suite. Not free, but very affordable.
     
  11. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    My version of NOD is 2.7; I don't have such a control panel :(
     
  12. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  13. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    that seemed to help :)

    The log:

    ComboFix 08-12-31.01 - xxx 2009-01-02 13:07:25.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.189 [GMT 11:00]
    Running from: c:\documents and settings\xxx\Desktop\ComboFix2.exe
    Command switches used :: c:\documents and settings\xxx\Desktop\CFScript.txt
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GSPLITTM
    -------\Service_gsplittm


    ((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
    .

    2009-01-01 10:13 . 2009-01-01 10:14 <DIR> d-------- c:\program files\Google
    2009-01-01 02:19 . 2009-01-01 02:19 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-31 14:37 . 2008-12-31 14:37 <DIR> d-------- c:\program files\AVG
    2008-12-31 14:37 . 2008-12-31 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-31 13:37 . 2008-12-31 13:37 <DIR> d-------- c:\program files\Trend Micro
    2008-12-31 13:17 . 2008-12-31 14:30 <DIR> d-------- c:\documents and settings\xxx\.housecall6.6
    2008-12-31 12:00 . 2008-12-31 12:00 <DIR> d-------- c:\program files\Lavasoft
    2008-12-31 11:59 . 2008-12-31 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-12-31 11:34 . 2008-12-31 11:34 <DIR> d-------- c:\documents and settings\xxx\Application Data\Malwarebytes
    2008-12-31 11:33 . 2008-12-31 11:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-31 11:33 . 2008-12-31 11:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-31 11:33 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-31 11:33 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-30 18:55 . 2008-12-30 18:55 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-30 18:55 . 2008-12-30 18:55 1,409 --a------ c:\windows\QTFont.for
    2008-12-24 10:39 . 2008-12-24 10:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2008-12-23 07:25 . 2008-05-09 21:53 512,000 -----c--- c:\windows\system32\dllcache\jscript.dll
    2008-12-23 07:25 . 2008-05-09 21:53 430,080 -----c--- c:\windows\system32\dllcache\vbscript.dll
    2008-12-23 07:25 . 2008-05-09 21:53 180,224 -----c--- c:\windows\system32\dllcache\scrobj.dll
    2008-12-23 07:25 . 2008-05-09 21:53 172,032 -----c--- c:\windows\system32\dllcache\scrrun.dll
    2008-12-23 07:25 . 2008-05-08 22:24 155,648 -----c--- c:\windows\system32\dllcache\wscript.exe
    2008-12-23 07:25 . 2008-05-09 19:45 135,168 -----c--- c:\windows\system32\dllcache\cscript.exe
    2008-12-23 07:25 . 2008-05-09 21:53 90,112 -----c--- c:\windows\system32\dllcache\wshext.dll
    2008-12-22 17:44 . 2008-12-22 17:44 <DIR> d-------- c:\windows\system32\scripting
    2008-12-22 17:44 . 2008-12-22 17:44 <DIR> d-------- c:\windows\system32\bits
    2008-12-22 17:44 . 2008-12-22 17:44 <DIR> d-------- c:\windows\l2schemas
    2008-12-22 17:40 . 2008-12-22 17:45 <DIR> d-------- c:\windows\ServicePackFiles
    2008-12-12 21:25 . 2008-12-12 21:25 <DIR> d--hs---- c:\windows\ftpcache
    2008-12-12 18:52 . 2008-12-31 15:02 <DIR> d-------- c:\documents and settings\xxx\Application Data\U3
    2008-12-12 18:17 . 2008-10-23 23:36 286,720 -----c--- c:\windows\system32\dllcache\gdi32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-02 02:02 --------- d-----w c:\program files\Unwired
    2009-01-02 01:47 --------- d-----w c:\documents and settings\xxx\Application Data\Skype
    2009-01-02 00:49 --------- d-----w c:\documents and settings\xxx\Application Data\skypePM
    2008-12-31 15:19 --------- d-----w c:\program files\Java
    2008-12-31 00:57 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-31 00:19 --------- d-----w c:\program files\MSN Messenger
    2008-12-12 12:18 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-08 21:21 --------- d-----w c:\program files\ICQ6
    2008-11-08 21:21 --------- d-----w c:\program files\FinePixViewer
    2008-11-02 22:36 --------- d-----w c:\program files\MYOB
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-31_16.17.19.53 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 00:12:15 139,264 ----a-w c:\windows\system32\cscript.exe
    + 2008-05-09 08:45:51 135,168 ----a-w c:\windows\system32\cscript.exe
    - 2008-04-14 00:12:01 1,306,624 -c----w c:\windows\system32\dllcache\msxml6.dll
    + 2008-09-10 01:14:56 1,307,648 -c----w c:\windows\system32\dllcache\msxml6.dll
    - 2007-09-24 11:30:28 135,168 ----a-w c:\windows\system32\java.exe
    + 2008-12-31 15:19:22 144,792 ----a-w c:\windows\system32\java.exe
    - 2007-09-24 11:30:30 135,168 ----a-w c:\windows\system32\javaw.exe
    + 2008-12-31 15:19:22 144,792 ----a-w c:\windows\system32\javaw.exe
    - 2007-09-24 12:31:42 139,264 ----a-w c:\windows\system32\javaws.exe
    + 2008-12-31 15:19:22 148,888 ----a-w c:\windows\system32\javaws.exe
    - 2008-04-14 00:11:56 512,000 ----a-w c:\windows\system32\jscript.dll
    + 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
    - 2008-04-14 00:12:01 1,306,624 ----a-w c:\windows\system32\msxml6.dll
    + 2008-09-10 01:14:56 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    - 2008-04-14 00:12:05 180,224 ----a-w c:\windows\system32\scrobj.dll
    + 2008-05-09 10:53:39 180,224 ----a-w c:\windows\system32\scrobj.dll
    - 2008-04-14 00:12:05 172,032 ----a-w c:\windows\system32\scrrun.dll
    + 2008-05-09 10:53:40 172,032 ----a-w c:\windows\system32\scrrun.dll
    - 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
    - 2008-04-14 00:12:08 434,176 ----a-w c:\windows\system32\vbscript.dll
    + 2008-05-09 10:53:40 430,080 ----a-w c:\windows\system32\vbscript.dll
    - 2008-04-14 00:12:41 155,648 ----a-w c:\windows\system32\wscript.exe
    + 2008-05-08 11:24:44 155,648 ----a-w c:\windows\system32\wscript.exe
    - 2008-04-14 00:12:10 90,112 ----a-w c:\windows\system32\wshext.dll
    + 2008-05-09 10:53:40 90,112 ----a-w c:\windows\system32\wshext.dll
    + 2009-01-02 02:10:57 16,384 ----atw c:\windows\temp\Perflib_Perfdata_114.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2007-05-15 53248]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2009-01-01 171448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
    "nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-12-18 949376]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-22 155648]
    "SiSPower"="SiSPower.dll" [2004-09-02 c:\windows\system32\SiSPower.dll]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Unwired Launchpad.lnk - c:\program files\Unwired\UwSCT.exe [2005-01-11 200704]
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-12-18 331776]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.sys

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
    --a------ 2007-12-18 18:23 131072 c:\program files\CA\eTrust PestPatrol\PPActiveDetection.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-22 18:13 155648 c:\program files\QuickTime\qttask.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ICQ"="c:\program files\ICQ6\ICQ.exe" silent
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
    "Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\ICQ6\\ICQ.exe"=
    "c:\\Program Files\\Unwired\\UwWiz.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\eMule\\emule.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-12-18 15424]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-26 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=OcjgQAtJAhyOarO7VWVKyg&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
    uInternet Connection Wizard,ShellNext = hxxp://www.unwired.com.au/
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
    IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
    IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
    LSP: c:\windows\system32\imon.dll
    FF - ProfilePath - c:\documents and settings\xxx\Application Data\Mozilla\Firefox\Profiles\tbgv8r2b.default\
    FF - prefs.js: browser.startup.homepage - www.google.com.au
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-02 13:11:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(580)
    c:\windows\system32\imon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\WgaTray.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\ESET\nod32krn.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-02 13:14:12 - machine was rebooted [xxx]
    ComboFix-quarantined-files.txt 2009-01-02 02:13:51
    ComboFix2.txt 2008-12-31 15:16:26
    ComboFix3.txt 2008-12-31 05:19:12

    Pre-Run: 3,316,162,560 bytes free
    Post-Run: 3,361,361,920 bytes free

    203 --- E O F --- 2008-12-31 16:01:06



    BTW, when the computer restarted it gave a warning that one of the discs is FAT (H:, which is my USB stick). What does that mean?
     
  14. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not sure why you would get a message about the usb drive, but FAT is the file format of the drive. Most likely your system is on NTFS, but FAT is standard for many flash drives. I would disregard it.

    The log looks good. Let's get an online scan. Please do an online scan with Kaspersky Online Scanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Post the Kaspersky log here.
     
  15. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    unfortunately Google still doesn't work like it should :(

    doing the scan now though and I'll see what turns up...
     
  16. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    reg delete  "HKCU\Software\Microsoft\Internet Explorer\Main" /v SearchMigratedDefaultUrl
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.

    Close all open browsers then reopen and see if Google results are normal.
     
  17. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    looks like a persistent little bugger since Google is still redirecting to wrong sites :(

    However, the window didn't close on its own. This is what it showed:

    C:\Documents and settings\xxx>reg delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v SearchMigratedDefaultUrl

    Delete the registry value SearchMigratedDefaultUrl <Y/N> exit

    The operation completed successfully

    C:\Documents and settings\xxx>cls


    If I right click again it pastes and does close...

    Is it because I'm using Firefox? I tried IE too and Google doesn't work there either.
     
  18. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It didn't close on its own the first time because I forgot to include an /f switch on the command, which would have caused the value to be deleted without prompting you with a y/n option. I suspect you answered Y, and subsequent runs close on their own because the value is already gone and needs no confirmation.

    Is this IE that Google results are redirected, or FF?

    If IE, click Tools>Internet Options>Programs tab>Reset Web Settings button.
    Close all browsers and re-open to test.
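The `reg delete` in the earlier post targets the `SearchMigratedDefaultUrl` value under `HKCU\Software\Microsoft\Internet Explorer\Main`, which is the same value ComboFix reports as `uSearchMigratedDefaultUrl` in its Supplementary Scan. Before deleting anything, a reviewer wants to know which of those start/search URLs actually point somewhere unexpected. The script below is an added example for this thread (not code from ComboFix or from noahdfear): it refangs ComboFix's `hxxp://` defanging, extracts the host of each URL and of any nested `url=` parameter, and reports values whose host is not on an allow-list. The sample lines are constructed from the log above and the allow-list (Google AU and the ISP's site) is an assumption about this machine's owner.

```python
"""Audit the browser start/search URLs from a ComboFix "Supplementary Scan"
section (added example; not code from the thread or from ComboFix).  ComboFix
prints URLs defanged as hxxp://; each value is refanged, its host and the host
of any nested url= parameter are extracted, and any host not on the expected
list is reported.  SAMPLE_LINES are constructed from the log in this thread."""
from urllib.parse import parse_qs, urlsplit

SAMPLE_LINES = [
    "uStart Page = hxxp://www.google.com.au/",
    "uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp"
    "?id=ZJfox000&fl=0&ptb=OcjgQAtJAhyOarO7VWVKyg"
    "&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml"
    "&st=sb&searchfor={searchTerms}",
    "uInternet Connection Wizard,ShellNext = hxxp://www.unwired.com.au/",
]

# Assumed allow-list for this machine: the owner's search engine and ISP portal.
EXPECTED_HOSTS = {"www.google.com.au", "www.unwired.com.au"}


def refang(url):
    """Turn ComboFix's hxxp:// / hxxps:// back into a parseable scheme."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def hosts_in(url):
    """Host of url, followed by the host of any nested url= query parameter.

    Redirector pages hide the real destination in a url= parameter, so the
    outer host alone says too little about where a search actually goes."""
    parts = urlsplit(refang(url))
    found = [parts.hostname] if parts.hostname else []
    for nested in parse_qs(parts.query).get("url", []):
        inner = urlsplit(refang(nested)).hostname
        if inner:
            found.append(inner)
    return found


def audit(lines, expected=EXPECTED_HOSTS):
    """Map each ComboFix setting name to the unexpected hosts its URL touches."""
    suspicious = {}
    for line in lines:
        name, sep, value = line.partition(" = ")
        if not sep:
            continue  # not a "name = value" line
        bad = [h for h in hosts_in(value.strip()) if h not in expected]
        if bad:
            suspicious[name.strip()] = bad
    return suspicious


if __name__ == "__main__":
    for name, hosts in audit(SAMPLE_LINES).items():
        print("%s -> %s" % (name, ", ".join(hosts)))
```

On the sample this reports only `uSearchMigratedDefaultUrl`, with both `www.mywebsearch.com` and the nested `edits.mywebsearch.com`, while the Google and Unwired entries pass. That matches the value the `reg delete` removes; the `hxxp` refanging matters because `urlsplit` treats `hxxp` as an unknown scheme and would still parse the host, but any code that later fetches or compares the URL would not.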
     
  19. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    both in IE and FF. I'm using FF for browsing atm (though I don't know what the other people here do...)

    I couldn't answer in the run screen, guess it did it by itself?

    I can't find reset web settings button under the Program tab, I can see a Reset Internet Explorer Settings under the Advanced tab
     
    Last edited: 2009/01/01
  20. 2009/01/01
    Zedi

    Zedi Inactive Thread Starter

    Joined:
    2008/12/30
    Messages:
    21
    Likes Received:
    0
    I just had an idea and uninstalled FF and installed it again, which seems to have worked... The Google search bar in IE works fine too but the site itself still directs me to wrong sites; same goes for the 'normal' search bar in IE.

    Edit: It was still bugged; however, the results for the Mozilla add-ons which I looked for came up higher in the search results than all the wrong sites! However, an earlier search looked like it did work, but I'm not 100% sure anymore.

    Should I reset the settings of IE or uninstall and reinstall it too? I also noticed there are 2 IE shortcuts on the desktop. 1 of them (the one in the 'original' place) shows the properties (location, size, date last used etc.), the other one does not and only shows Internet Properties... Is that normal?

    Edit 2: I did the reset and it didn't work :(
     
    Last edited: 2009/01/01
  21. 2009/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'll have to switch over to an operating system running IE7. In the meantime, let's get one more scan. Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
