Bad Image Errors

By JulieAnne
Mar 24, 2011
  1. I also have the bad image errors causing me grief on my computer. I have followed the 8 step removal instructions but errors keep coming. I have pasted logs below & would really appreciate some help.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6147

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    24/03/2011 4:00:40 PM
    mbam-log-2011-03-24 (16-00-40).txt

    Scan type: Quick scan
    Objects scanned: 149530
    Time elapsed: 6 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 13
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\program files\antivirus 2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\h4afrahh.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-03-24 16:10:31
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800BB-60JKA0 rev.05.01C05
    Running: m8wg6yfn.exe; Driver: C:\DOCUME~1\JULIEM~1\LOCALS~1\Temp\fwwcaaoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
    .
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Julie McCarthy at 16:17:13.37 on Thu 24/03/2011
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.556 [GMT 11:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    C:\Documents and Settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
    C:\Program Files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe
    C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgui.exe
    C:\Documents and Settings\Julie McCarthy\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com.au/
    uSearch Page = hxxp://www.google.com
    uWindow Title = Internet Explorer from OptusNet
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Companion BHO
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
    TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [<NO NAME>]
    uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
    mRun: [VTTimer] VTTimer.exe
    mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [FaxCenterServer4_in_1] "c:\program files\lexmark 4200 series\fax\fm3032.exe" /s
    mRun: [Lexmark 4200 Series] "c:\program files\lexmark 4200 series\lxbmbmgr.exe"
    mRun: [EPSON PictureMate 500] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9TE.EXE /P21 "EPSON PictureMate 500" /O6 "USB002" /M "PictureMate 500"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
    mRun: [iTunesHelper] "c:\documents and settings\julie mccarthy\my documents\mum's ipod\iTunesHelper.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\clipsa~1.lnk - c:\program files\clipsal australia\clipsal ecatalogue edition 2\Clipsal_eCatalogue.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-24 517448]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-11-14 137344]
    .
    =============== Created Last 30 ================
    .
    2011-03-24 04:51:23 -------- d-----w- c:\docume~1\juliem~1\applic~1\Malwarebytes
    2011-03-24 04:51:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 04:51:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-24 04:50:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-24 04:50:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-17 07:29:27 -------- d-----w- c:\docume~1\juliem~1\applic~1\Uniblue
    2011-03-17 07:29:04 -------- d-----w- c:\program files\Uniblue
    2011-03-17 07:28:42 -------- d-----w- c:\docume~1\juliem~1\locals~1\applic~1\PackageAware
    2011-03-06 06:30:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\CanonIJ
    2011-03-06 06:29:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\CanonIJScan
    2011-02-28 07:07:43 -------- d-----w- c:\windows\system32\XPSViewer
    2011-02-28 07:07:04 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-02-28 07:06:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-02-28 07:06:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-02-28 07:06:31 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-02-28 07:06:31 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-02-28 07:06:30 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-02-28 07:06:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-02-28 07:06:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-02-28 07:06:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-02-27 00:56:26 -------- d-----w- c:\program files\Clipsal Australia
    2011-02-27 00:56:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Clipsal Australia
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 10:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 08:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 16:21:34.60 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 13/03/2005 11:53:39 AM
    System Uptime: 24/03/2011 4:02:10 PM (0 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | A7V400-MX
    Processor: AMD Athlon(tm) | Socket A | 1194/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 38.528 GiB free.
    D: is CDROM ()
    F: is FIXED (NTFS) - 298 GiB total, 257.255 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia E52
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia E52
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP1560: 23/12/2010 7:59:29 PM - System Checkpoint
    RP1561: 25/12/2010 11:59:24 AM - System Checkpoint
    RP1562: 3/01/2011 6:00:33 PM - Software Distribution Service 3.0
    RP1563: 7/01/2011 2:19:35 PM - Software Distribution Service 3.0
    RP1564: 8/01/2011 2:40:49 PM - System Checkpoint
    RP1565: 9/01/2011 3:03:19 PM - System Checkpoint
    RP1566: 10/01/2011 4:00:38 PM - System Checkpoint
    RP1567: 12/01/2011 10:27:50 AM - System Checkpoint
    RP1568: 12/01/2011 6:01:26 PM - Software Distribution Service 3.0
    RP1569: 13/01/2011 6:36:52 PM - System Checkpoint
    RP1570: 15/01/2011 10:28:08 AM - System Checkpoint
    RP1571: 16/01/2011 12:19:20 PM - System Checkpoint
    RP1572: 17/01/2011 1:00:32 PM - System Checkpoint
    RP1573: 17/01/2011 1:20:29 PM - Software Distribution Service 3.0
    RP1574: 18/01/2011 2:52:08 PM - Software Distribution Service 3.0
    RP1575: 19/01/2011 4:48:59 PM - System Checkpoint
    RP1576: 20/01/2011 5:57:54 PM - System Checkpoint
    RP1577: 22/01/2011 1:22:55 PM - System Checkpoint
    RP1578: 23/01/2011 1:36:25 PM - System Checkpoint
    RP1579: 24/01/2011 3:03:22 PM - System Checkpoint
    RP1580: 25/01/2011 3:45:22 PM - System Checkpoint
    RP1581: 26/01/2011 4:34:40 PM - System Checkpoint
    RP1582: 27/01/2011 5:15:34 PM - System Checkpoint
    RP1583: 29/01/2011 5:38:28 PM - System Checkpoint
    RP1584: 30/01/2011 6:52:03 PM - System Checkpoint
    RP1585: 31/01/2011 7:36:28 PM - System Checkpoint
    RP1586: 1/02/2011 7:41:27 PM - System Checkpoint
    RP1587: 2/02/2011 8:24:15 PM - System Checkpoint
    RP1588: 3/02/2011 8:48:10 PM - System Checkpoint
    RP1589: 4/02/2011 8:54:33 PM - System Checkpoint
    RP1590: 5/02/2011 9:12:35 PM - System Checkpoint
    RP1591: 6/02/2011 9:50:40 PM - System Checkpoint
    RP1592: 8/02/2011 4:46:07 PM - System Checkpoint
    RP1593: 9/02/2011 6:00:52 PM - Software Distribution Service 3.0
    RP1594: 10/02/2011 6:21:43 PM - System Checkpoint
    RP1595: 11/02/2011 6:35:08 PM - System Checkpoint
    RP1596: 12/02/2011 6:36:17 PM - System Checkpoint
    RP1597: 13/02/2011 7:19:26 PM - System Checkpoint
    RP1598: 14/02/2011 7:37:04 PM - System Checkpoint
    RP1599: 15/02/2011 8:46:25 PM - System Checkpoint
    RP1600: 16/02/2011 9:35:01 PM - System Checkpoint
    RP1601: 17/02/2011 9:41:55 PM - System Checkpoint
    RP1602: 18/02/2011 9:45:21 PM - System Checkpoint
    RP1603: 19/02/2011 9:56:04 PM - System Checkpoint
    RP1604: 20/02/2011 10:32:21 PM - System Checkpoint
    RP1605: 21/02/2011 10:37:35 PM - System Checkpoint
    RP1606: 23/02/2011 8:04:32 PM - System Checkpoint
    RP1607: 24/02/2011 8:38:10 PM - System Checkpoint
    RP1608: 25/02/2011 9:19:41 PM - System Checkpoint
    RP1609: 26/02/2011 9:59:13 PM - System Checkpoint
    RP1610: 27/02/2011 11:54:25 AM - Removed Adobe Reader 9.
    RP1611: 27/02/2011 11:55:05 AM - Installed Adobe Reader 9.4.0.
    RP1612: 27/02/2011 11:56:23 AM - Installed Clipsal eCatalogue Edition 2.
    RP1613: 28/02/2011 5:39:09 PM - System Checkpoint
    RP1614: 28/02/2011 6:00:19 PM - Software Distribution Service 3.0
    RP1615: 28/02/2011 6:33:09 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP1616: 1/03/2011 6:00:20 PM - Software Distribution Service 3.0
    RP1617: 2/03/2011 6:23:33 PM - System Checkpoint
    RP1618: 3/03/2011 7:23:15 PM - System Checkpoint
    RP1619: 4/03/2011 7:48:26 PM - System Checkpoint
    RP1620: 5/03/2011 8:39:30 PM - System Checkpoint
    RP1621: 6/03/2011 9:20:36 PM - System Checkpoint
    RP1622: 7/03/2011 9:27:03 PM - System Checkpoint
    RP1623: 8/03/2011 9:32:58 PM - System Checkpoint
    RP1624: 9/03/2011 9:59:12 PM - System Checkpoint
    RP1625: 9/03/2011 11:25:33 PM - Software Distribution Service 3.0
    RP1626: 10/03/2011 11:36:30 PM - System Checkpoint
    RP1627: 13/03/2011 11:25:07 AM - System Checkpoint
    RP1628: 14/03/2011 12:05:30 AM - Installed Java(TM) 6 Update 24
    RP1629: 15/03/2011 1:34:01 PM - System Checkpoint
    RP1630: 16/03/2011 7:18:33 PM - System Checkpoint
    RP1631: 16/03/2011 11:23:49 PM - Software Distribution Service 3.0
    RP1632: 18/03/2011 4:23:04 PM - System Checkpoint
    RP1633: 18/03/2011 6:00:19 PM - Software Distribution Service 3.0
    RP1634: 20/03/2011 7:49:33 PM - System Checkpoint
    RP1635: 21/03/2011 8:36:26 PM - System Checkpoint
    RP1636: 23/03/2011 4:46:48 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    20 Hot Games Volume 2
    ABBYY FineReader 5.0 Sprint Plus
    Adobe Flash Player 10 ActiveX
    Adobe Photoshop Elements 8.0
    Adobe Reader 9.4.2
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG 2011
    AVG PC Tuneup 2011
    BigPond Broadband ADSL FAQ
    BJ Printer Driver
    Bonjour
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window MC 5 for ZoomBrowser EX
    Canon Easy-WebPrint EX
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MovieEdit Task for ZoomBrowser EX
    Canon MP Navigator EX 3.0
    Canon MP640 series MP Drivers
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities PhotoStitch 3.1
    Canon Utilities Solution Menu
    Canon ZoomBrowser EX
    Cashflow Manager
    Cashflow Manager 5
    CD-LabelPrint
    Clipsal eCatalogue Edition 2
    Compatibility Pack for the 2007 Office system
    e-tax 2009
    e-tax 2010
    EPSON Attach To Email
    EPSON Easy Photo Print
    EPSON File Manager
    EPSON PRINT Image Framer Tool
    EPSON Printer Software
    EPSON Scan Assistant
    Facebook Plug-In
    Fly Fishing with Cortland
    Google Earth
    Google Toolbar for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    ImageMixer3
    iPod for Windows 2005-02-07
    iTunes
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 24
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Jezzball Deluxe
    Lexmark 4200 Series
    Lexmark 4200 Series Fax Solutions
    Lexmark Fax Solutions
    LimeWire 4.12.6
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Maxtor Manager
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Age of Empires
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.9
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MobileMe Control Panel
    MovieEdit Task
    MSN
    MSN Toolbar
    MSVC80_x86_v2
    MSVC90_x86
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Natural Color Pro
    Nero Suite
    Nokia Connectivity Cable Driver
    Nokia Ovi Suite
    Nokia Ovi Suite Software Updater
    Nokia PC Suite
    Norton Speed Disk 6.0 for Windows NT
    Norton Utilities 2002 for Windows
    Ovi Desktop Sync Engine
    OviMPlatform
    PC Connectivity Solution
    PhotoStitch
    PhotoStudio Expressions
    PIF DESIGNER
    PM500 User's Guide
    print@camerahouse
    QuickTime
    RAW Image Task 2.1
    S3 S3Display
    S3 S3Gamma2
    S3 S3Info2
    S3 S3Overlay
    Safari
    SAMSUNG CDMA Modem Driver Set
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 8
    The Sims Deluxe Edition
    TomTom HOME
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB971029)
    VC_MergeModuleToMSI
    VIA Rhine-Family Fast Ethernet Adapter
    VIA/S3G Display Driver
    WebFldrs XP
    Windows Driver Package - Nokia Modem (06/09/2010 4.5)
    Windows Driver Package - Nokia Modem (06/09/2010 7.01.0.7)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage v1.3.0254.0
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    24/03/2011 4:13:27 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    24/03/2011 4:05:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: uagp35
    24/03/2011 3:26:10 PM, error: Service Control Manager [7034] - The ServiceLayer service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:10 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Speed Disk service service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Maxtor Service service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Canon Inkjet Printer/Scanner/Fax Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:02 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:02 PM, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:02 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V8 service terminated unexpectedly. It has done this 1 time(s).
    24/03/2011 3:26:02 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Welcome to TechSpot, Julie Anne! Looks like you may have visited the FunWebSearch site! Maybe for themes, cursors, wallpaper, Smileys and other 'fun' things that all bring malware with them! So, please do not visit that site or similar ones, especially while I'm trying to clean the system.

    Mbam found a variety of malware. Some entries for it were removed, but there will be others. But you need to do some Housekeeping first:

    1. Java: You have outdated versions on the system. All of these are vulnerabilities, so they need to be removed:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 24>> this is the current version, but it will be removed. You will need to use the link to download v6u24 again.
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

    Please download JavaRa and unzip it to your desktop.
    Important!
    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.
    Then download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    ============================================
    P2P or 'file sharing' Warning:> LimeWire
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    ===========================================
    I note 4 Symantec entries:
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Norton Speed Disk 6.0 for Windows NT
    Norton Utilities 2002 for Windows

    If you are using only the utilities, okay. But live update is usually for the AV> Here is a tool you can run to remove the program if this has the AV:
    • Norton Removal Tool
    If you use this, please reboot the computer when through.
    ===========================================
    Combofix will pick up more entries, but you will have to uninstall AVG to run it.

    Download AppRemover and save to the desktop
    How to Use AppRemover to Remove a Complete Security Application
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      http://www.appremover.com/about/chooseuninstall.gif/image_preview
    • Click on Next after choice has been made
    • Check the AVG program you want to uninstall
    • After uninstall shows complete, follow online prompts to Exit the program.
    Temporary AV:
    • Avira-AntiVir-Personal-Free-Antivirus: http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914
    • Avast Free Version: http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button
    =========================================
    Download Combofix from HERE (http://www.bleepingcomputer.com/download/anti-virus/combofix) or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      http://img.photobucket.com/albums/v706/ried7/whatnext.png
    5. Click on Yes, to continue scanning for malware
    6. If Combofix asks you to update the program, allow
    7. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    8. Close any open browsers.
    9. Double click combofix.exe & follow the prompts to run.
    10. When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  3. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    Thanks Bobbye

    I have gone through all the steps you suggested and will paste combofix log below. The only thing I had trouble with was the Symantec entries which I have left as is. I went to the link but could not work out which tool was needed. None of them seemed to match my requirements. I have also noticed, when I uninstalled LimeWire, that there still seemed to be multiple versions of Java. Not sure if I need to run JavaRa again or not. It did say it was completed at the end.

    I am pleased to report that the Bad Image errors seem to have ceased. Do I need to do anything else now or is my system now clean?

    ComboFix 11-03-25.01 - Julie McCarthy 26/03/2011 14:17:40.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.755 [GMT 11:00]
    Running from: c:\documents and settings\Julie McCarthy\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    F:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_USNJSVC
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-26 02:27 . 2011-03-26 02:27 -------- d-----w- c:\documents and settings\Julie McCarthy\Logs
    2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Malwarebytes
    2011-03-24 04:51 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-24 04:50 . 2011-03-24 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 04:50 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-17 07:29 . 2011-03-17 07:29 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Uniblue
    2011-03-17 07:29 . 2011-03-17 07:29 -------- d-----w- c:\program files\Uniblue
    2011-03-17 07:28 . 2011-03-17 07:28 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\PackageAware
    2011-03-13 13:05 . 2011-03-13 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-03-06 06:30 . 2011-03-06 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
    2011-03-06 06:29 . 2011-03-06 06:34 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Canon
    2011-02-28 07:07 . 2011-02-28 07:07 -------- d-----w- c:\windows\system32\XPSViewer
    2011-02-28 07:07 . 2011-02-28 07:07 -------- d-----w- c:\program files\MSBuild
    2011-02-28 07:07 . 2011-02-28 07:07 -------- d-----w- c:\program files\Reference Assemblies
    2011-02-28 07:07 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-02-28 07:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-02-28 07:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-02-28 07:06 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-02-28 07:06 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-02-28 07:06 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-02-28 07:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-02-28 07:06 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-02-28 07:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-02-27 00:56 . 2011-02-27 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Clipsal Australia
    2011-02-27 00:56 . 2011-02-27 00:56 -------- d-----w- c:\program files\Clipsal Australia
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 10:40 . 2010-06-20 13:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 08:19 . 2007-05-19 13:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2005-03-13 00:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2005-03-13 00:44 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-09-01 672632]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "VTTimer"="VTTimer.exe" [2004-01-15 49152]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
    "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
    "EPSON PictureMate 500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE" [2004-10-17 98304]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
    "iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2010-07-21 141608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Clipsal eCatalogue Edition 2.lnk - c:\program files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe [2010-11-5 6238208]
    NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-8-28 49220]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
    backup=c:\windows\pss\ImageMixer HDD Camera Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
    backup=c:\windows\pss\Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-06-04 11:33 1400944 ------w- c:\program files\Ahead\InCD\InCD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 05:53 141608 ----a-w- c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
    2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 00:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2007-03-14 05:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Julie McCarthy\\My Documents\\Mum's Ipod\\iTunes.exe"=
    .
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/10/2009 5:45 AM 169312]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [14/11/2010 2:19 PM 137344]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
    MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - c:\program files\AVG\AVG PC Tuneup 2011\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-26 14:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1796)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\program files\PhotoStudio Expressions\share\pihook.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\system32\VTTimer.exe
    c:\program files\Lexmark 4200 Series\lxbmbmon.exe
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Maxtor\Sync\SyncServices.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Speed Disk\nopdb.exe
    c:\documents and settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    c:\program files\Common Files\Nokia\NoA\nokiaaserver.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-26 14:34:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-26 03:34
    .
    Pre-Run: 42,260,746,240 bytes free
    Post-Run: 42,223,468,544 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0358EC0143A4B93D268122A87E0B2CE7
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    A deletion in the Combofix log for Drive F indicates you may have been using a flash drive. You will need to disinfect it:

    These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Questions
    1. Which program do you want to keep for the antivirus? Do you plan to reinstall AVG?
    2. Are you using the Uniblue Registry Cleaner? I recommend it be uninstalled
    3. You have MyWebSearch email plug in loading. This is malware.

    Let me know about #1 and #2. I will set up script to remove the appropriate entries in Combofix.

    Just as an FYI: you are loading processes for many programs that don't need to start on boot and run in the background:
    Photo programs: Epson
    Printers> Canon and Lexmark
    Lexmark Fax
    Canon scanner
    etc.
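
The observations in the post above (an `Autorun.inf` deleted from drive F, a MyWebSearch startup item, and many auto-starting programs) can all be read from the ComboFix log mechanically. The Python below is an added example, not part of the thread and not a ComboFix feature; the trusted-directory list, the watchlist, and the reading of `[X]` as "no file details recorded" are assumptions made for the example.

```python
import re

# Excerpt of the ComboFix log posted in this thread, trimmed for the example.
SAMPLE_LOG = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
F:\Autorun.inf
.
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # ((((( Title )))))
KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\Run]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

# Assumptions for this example, not ComboFix rules.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
WATCHLIST = ("mywebsearch", "180search")  # names the helper calls out in the thread


def split_sections(log):
    """Group log lines under their ((((( Title ))))) header, dropping '.' filler."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def autorun_deletions(sections):
    """Drive letters where ComboFix deleted a root-level autorun.inf."""
    drives = []
    for line in sections.get("Other Deletions", []):
        m = re.match(r"^([a-z]):\\autorun\.inf$", line, re.I)
        if m:
            drives.append(m.group(1).upper())
    return drives


def run_key_findings(sections):
    """Flag autostart entries worth a manual look; returns (reason, name) pairs."""
    findings, key = [], None
    for line in sections.get("Reg Loading Points", []):
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            low = key.lower()
            if "\\startupfolder\\" in low and any(w in low for w in WATCHLIST):
                findings.append(("watchlisted-startup-item", key.rsplit("^", 1)[-1]))
            continue
        v = RUN_VALUE_RE.match(line)
        if not v or not key or not key.lower().endswith("\\currentversion\\run"):
            continue
        path = v["path"].lower()
        if v["meta"].strip() == "X":          # assumed: no date/size recorded
            findings.append(("no-file-details", v["name"]))
        elif "\\" not in path:                # resolved through the search path
            findings.append(("relative-path", v["name"]))
        elif not path.startswith(TRUSTED_ROOTS):
            findings.append(("outside-system-dirs", v["name"]))
    return findings


def triage(log):
    sections = split_sections(log)
    return {"autorun_drives": autorun_deletions(sections),
            "autostart": run_key_findings(sections)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("autorun.inf removed from drives:", report["autorun_drives"])
    for reason, name in report["autostart"]:
        print(f"{reason:26} {name}")
```

A flag here is a prompt for review, not a verdict: `VTTimer.exe` and `iTunesHelper.exe` are flagged only because of where they load from.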
  5. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    Hi Bobbye

    I have completed disinfecting.
    In answer to your questions I have reinstalled the AVG, I am not using the UniBlue Registry Cleaner & have no idea as to where the MyWebSearch email plug has come from. I might add that although this computer is mine, I do have a couple of adult age children who also have access to this machine.
    Thanks again for your help.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay then, let's get rid of the adware/spyware: Before you run the script below, remove any MyWebSearch and 180Search Assistant entries from the Startup menu using msconfig:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes for MyWebSearch and 180SearchAssistant
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    =========================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue
    c:\program files\Uniblue
    c:\documents and settings\All Users\Application Data\McAfee
    Registry::
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\StubInstaller.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Show Hidden Files and Folders in Windows 7:
    • Click on the Start button and select Computer
    • Press the Alt key on your keyboard and click on Tools
    • Select Folder Options
    • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
    • Next, uncheck the box next to Hide protected operating system files (Recommended)
    • Then, uncheck the box next to Hide extensions for known filetypes
    • Click Apply then click OK
    ==================================
    Go right on to the following without a reboot:
    Part 1>Addons
    MyWebSearch Email Plugin and 180SearchAssistant:
    Check Addons in the browser tools> look in both the 'addons now on the system' and addons previously on the system> Highlight and Disable any addons for MyWebSearch and 180SearchAssistant.

    Note: This plugin appears both in the docs & settings Start Menu for All Users & Julie Anne.
    ===================================
    Part 2>Add/Remove Programs Feature
    1. Go to Start menu and click on Control Panel.
    2. Double-click on Add/Remove Programs icon.
    3. Scroll down to 180 Search Assistant and click on it to highlight.
    4. Do the same for any MyWebSearch entry
    5. Click on Uninstall button.
    Part 3>Removing 180 Search Assistant Remaining Files
    1. Go to Start menu and click on Search.
    2. Select All Files and Folders option.
    3. Type nCaseInstaller.class and hit Enter. Delete the found file.
    4. Repeat for 180AInstaller.class and ZangoInstaller.class files.
    5. Restart your computer.
    Part 4: Confirming removal.
    1. Go to Start menu and click on Search.
    2. Select All Files and Folders option.
    3. Enter msbb in "All or part of the file name:"
    4. Click "Search"
    5. Wait for full results.
    6. Do a right click> Delete if any of the install files remain in "C:\Program Files\180Solutions" and prefetch files in "C:\WINDOWS\Prefetch".

    Important! Go back and rehide the files and folders!
    ==============================================
    Update Adobe Reader to current update. Uninstall any earlier updates as they are vulnerabilities.
  7. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    Hi Bobbye
    Have completed instructions, log pasted below.
    When I went through parts 1-4 I didn't find any files to delete.

    ComboFix 11-04-02.03 - Julie McCarthy 03/04/2011 20:55:56.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.765 [GMT 10:00]
    Running from: c:\documents and settings\Julie McCarthy\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Julie McCarthy\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\McAfee
    c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\MsiExec\MsiExec000.log
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\backup\20110317.183720.zip
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\error.log
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\history\20110317-183645_repair.xml
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\history\latest_scan_results.html
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\last_scan.dat
    c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\settings.dat
    c:\program files\Uniblue
    F:\autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-28 08:42 . 2011-03-28 08:42 -------- d-sh--w- c:\documents and settings\Julie McCarthy\UserData
    2011-03-26 04:04 . 2011-03-26 04:04 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\AVG10
    2011-03-26 03:59 . 2011-04-03 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-03-26 03:52 . 2011-03-31 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-03-26 02:27 . 2011-03-26 02:27 -------- d-----w- c:\documents and settings\Julie McCarthy\Logs
    2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Malwarebytes
    2011-03-24 04:51 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-24 04:50 . 2011-03-24 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 04:50 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-17 07:28 . 2011-03-17 07:28 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\PackageAware
    2011-03-12 01:28 . 2011-03-12 01:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-03-06 06:30 . 2011-03-06 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
    2011-03-06 06:29 . 2011-03-06 06:34 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Canon
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 10:40 . 2010-06-20 13:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 08:19 . 2007-05-19 13:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2005-03-13 00:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2005-03-13 00:44 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-09-01 672632]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "VTTimer"="VTTimer.exe" [2004-01-15 49152]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
    "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
    "EPSON PictureMate 500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE" [2004-10-17 98304]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
    "iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2010-07-21 141608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Clipsal eCatalogue Edition 2.lnk - c:\program files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe [2010-11-5 6238208]
    NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-8-28 49220]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
    backup=c:\windows\pss\ImageMixer HDD Camera Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
    backup=c:\windows\pss\Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-06-04 11:33 1400944 ------w- c:\program files\Ahead\InCD\InCD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 05:53 141608 ----a-w- c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
    2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 00:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2007-03-14 05:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Julie McCarthy\\My Documents\\Mum's Ipod\\iTunes.exe"=
    .
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [14/11/2010 1:19 PM 137344]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-03 21:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-04-03 21:17:13
    ComboFix-quarantined-files.txt 2011-04-03 11:17
    ComboFix2.txt 2011-03-26 03:34
    .
    Pre-Run: 41,484,107,776 bytes free
    Post-Run: 41,544,368,128 bytes free
    .
    - - End Of File - - 8B1CE3B3997F7133E3830E446CF91387
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    JulieAnne, this is still showing in the Combofix delete: F:\autorun.inf. Did you use the flash drive again on the system before it was disinfected? Or have you connected any other removable drive like a phone? That should be included in the flash disinfect> all movable drives.
  9. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    Hi Bobbye
    As far as I know nothing has been plugged in, in the last couple of weeks. I did plug in my ipod tonight but that's all I know of. What now?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    What is the F Drive?
  11. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    The F drive appears to be the Maxtor external hard drive.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, that drive is infected. Please run the Flash Disinfector and follow prompts for other removable drives.
    First Combofix scan shows>((( Other Deletions )))F:\Autorun.inf
    Second Combofix scan, with the script shows deletions that I set up with script and also shows>(((Other Deletions)))F:\Autorun.inf>> again, not as 'previous.'

    This is being loaded from the Registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
    2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe


    This drive is being loaded on Startup. If it is infected and is connected to the computer, it can reinfect the computer.
    =================================
    Due to the extensive MyWebSearch infection and continuing entries, please do the following: Note: You may not find all of these entries. That's okay. Handle the ones you do find:

    First, uninstall the My Web Search option from Add/Remove Programs
    1) Click on Start, Settings, Control Panel
    2) Double click on Add/Remove Programs
    3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts if found:
    • My Web Search (Smiley Central or FWP product as applicable)
    • My Way Speedbar (Smiley Central or other FWP as applicable)
    • My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
    • My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
    • Search Assistant - My Way
    4) Reboot your Computer and run HijackThis
    ===========================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Save that log to your desktop.
    -----------------------------------------------------
    Reopen HijackThis to 'do system scan only.' Check each of the following if found:

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:program FilesMyWebSearchSrchAstt1.binMWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:program FilesMyWebSearchSrchAstt1.binMWSSRCAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:program FilesMyWebSearchbar1.binMWSBAR.DLL
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:program FilesMyWebSearchbar1.binMWSBAR.DLL
    O4 - HKLM..Run: [MyWebSearch Email Plugin] C:pROGRA~1MYWEBS~1bar1.binmwsoemon.exe
    O4 - HKCU..Run: [MyWebSearch Email Plugin] C:pROGRA~1MYWEBS~1bar1.binmwsoemon.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk=C:programFilesMyWebSearchbar1.bin MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:program FilesMyWebSearchbar1.bin MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p ZWYYYYYYYYUS
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyWebSearchInitialSetup1.0.0.8-2.cab


    Close all Windows except HijackThis and click on "Fix Checked"

    Delete program folders:
    Using Windows Explorer (Windows key + e)> Open My Computer> Local Drive(C)> double-click on the Program Files folder
    Right-click and delete the folders for:
    • FunWebProducts
    • MyWebSearch
    ============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    Registry::
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.

    MyWebSearch should now be completely uninstalled from your computer.

    Note: To prevent this in the future, I advise you to also stay away from:
    Other FunWebProducts
    Smiley Central Removal
    Cursor Mania Removal
    FunBuddyIcons Removal
    My Mail Stationery Removal
    My Mail Signature Removal
    My Mail Stamps Removal
    Popular Screensavers Removal
    Webfetti Removal


    Let me know how you're doing.
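
The check made by eye in the post above (F:\Autorun.inf listed under "Other Deletions" in consecutive ComboFix runs, plus the leftover MyWebSearch startup entries) can be done mechanically. This is an added example, not part of the original thread and not ComboFix's own code; the two log excerpts are constructed from lines in this thread, and the function names and the watchlist are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpts, shortened from the two ComboFix logs in this thread.
RUN_1 = r"""
ComboFix 11-04-02.03 - Julie McCarthy 03/04/2011 20:55:56.2.1 - x86
((((((((((((((( Other Deletions )))))))))))))))
.
c:\documents and settings\All Users\Application Data\McAfee
c:\program files\Uniblue
F:\autorun.inf
.
((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))
.
((((((((((((((( Reg Loading Points )))))))))))))))
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
"""

RUN_2 = r"""
ComboFix 11-04-09.01 - Julie McCarthy 10/04/2011 16:27:08.3.1 - x86
((((((((((((((( Other Deletions )))))))))))))))
.
c:\documents and settings\Julie McCarthy\WINDOWS
c:\hijackthis\HijackThis.exe
F:\Autorun.inf
.
((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))
.
"""

# Section banners look like "((((( Title )))))".
HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Startup-folder shortcuts as the log lists them; "^" stands in for "\".
STARTUP_KEY = re.compile(r"^\[HKLM\\~\\startupfolder\\(.+)\]$", re.I)


def sections(log_text):
    """Split a ComboFix log into {section title: [content lines]}."""
    out, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            out[current] = []
        elif current and line and line != ".":
            out[current].append(line)
    return out


def deletions(log_text):
    """Lower-cased paths under 'Other Deletions' (Windows paths ignore case)."""
    return {p.lower() for p in sections(log_text).get("Other Deletions", [])}


def recurring_deletions(first_log, later_log, system_drive="c:"):
    """Paths deleted in both runs, i.e. recreated between the two scans."""
    findings = []
    for p in sorted(deletions(first_log) & deletions(later_log)):
        path = PureWindowsPath(p)
        findings.append({
            "path": p,
            "off_system_drive": path.drive.lower() != system_drive,
            "autorun": path.name.lower() == "autorun.inf",
        })
    return findings


def startup_entries(log_text, watchlist=("mywebsearch", "180search")):
    """Startup-folder entries in 'Reg Loading Points' naming watchlisted software."""
    hits = []
    for line in sections(log_text).get("Reg Loading Points", []):
        m = STARTUP_KEY.match(line)
        if m:
            shortcut = m.group(1).replace("^", "\\")
            if any(w in shortcut.lower() for w in watchlist):
                hits.append(shortcut)
    return hits


if __name__ == "__main__":
    for f in recurring_deletions(RUN_1, RUN_2):
        note = "removable/external drive autorun" if f["autorun"] and f["off_system_drive"] else "recurring"
        print(f"{f['path']}: deleted in both runs ({note})")
    for s in startup_entries(RUN_1):
        print("leftover startup entry:", s)
```

A path that appears under "Other Deletions" in two runs was recreated in between, which is why the drive holding it has to be cleaned while attached rather than only the system disk.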
  13. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    Hi Bobbye
    I have completed all suggested steps & I noticed that the log still has F:\Autorun.inf under deletions. Has this done the job or is the computer still infected?
    When I went to the add/remove programs, I didn't find any of the items you listed.
    I also didn't find anything with HijackThis.
    I found nothing in the program files.
    I did do a search for any files with My WebSearch or FunWebProducts in the name, and found 3 items which I deleted.
    The results of the ComboFix are pasted below.
    ComboFix 11-04-09.01 - Julie McCarthy 10/04/2011 16:27:08.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.767 [GMT 10:00]
    Running from: c:\documents and settings\Julie McCarthy\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Julie McCarthy\Desktop\CFScript.txt.1.txt
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Julie McCarthy\WINDOWS
    c:\hijackthis\HijackThis.exe
    F:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-10 05:42 . 2011-04-10 05:42 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\Temp
    2011-04-08 08:07 . 2011-04-08 08:07 -------- d-sh--w- c:\documents and settings\Julie McCarthy\UserData
    2011-04-07 12:42 . 2011-04-10 06:34 -------- d-----w- C:\HijackThis
    2011-04-05 12:03 . 2011-04-05 12:03 -------- d-----w- c:\program files\Bonjour
    2011-04-05 12:01 . 2011-04-05 13:38 -------- d-----w- c:\windows\SxsCaPendDel
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2011-04-05 11:58 . 2011-04-05 11:59 -------- d-----w- c:\program files\QuickTime
    2011-04-03 12:37 . 2011-04-03 12:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJEGV
    2011-04-03 12:28 . 2011-04-03 12:28 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-03-26 04:04 . 2011-03-26 04:04 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\AVG10
    2011-03-26 03:59 . 2011-04-10 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2011-03-26 03:52 . 2011-04-03 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-03-26 02:27 . 2011-03-26 02:27 -------- d-----w- c:\documents and settings\Julie McCarthy\Logs
    2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Malwarebytes
    2011-03-24 04:51 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-24 04:50 . 2011-03-24 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 04:50 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-17 07:28 . 2011-03-17 07:28 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\PackageAware
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 10:40 . 2010-06-20 13:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 08:19 . 2007-05-19 13:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2005-03-13 00:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2005-03-13 00:44 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-04-03_11.08.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-10 06:18 . 2011-04-10 06:18 16384 c:\windows\Temp\Perflib_Perfdata_25c.dat
    + 2011-04-05 12:08 . 2011-02-18 06:36 41984 c:\windows\system32\DRVSTORE\usbaapl_05A32DBD3911A2EF4222EF5BE7BB535FAB37D6C4\usbaapl.sys
    + 2011-04-05 12:08 . 2010-04-19 10:29 18432 c:\windows\system32\DRVSTORE\netaapl_8A27A03003759CB01567E831096473C330131D64\netaapl.sys
    + 2010-10-07 02:23 . 2010-10-07 02:23 91424 c:\windows\system32\dnssd.dll
    - 2010-05-18 06:35 . 2010-05-18 06:35 91424 c:\windows\system32\dnssd.dll
    + 2011-04-03 12:28 . 2011-04-03 12:28 28160 c:\windows\Installer\107ca9.msi
    + 2010-11-10 02:49 . 2010-11-10 02:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
    + 2010-10-07 02:23 . 2010-10-07 02:23 197920 c:\windows\system32\dnssdX.dll
    - 2010-05-18 06:35 . 2010-05-18 06:35 197920 c:\windows\system32\dnssdX.dll
    + 2010-10-07 02:23 . 2010-10-07 02:23 107808 c:\windows\system32\dns-sd.exe
    - 2010-05-18 06:35 . 2010-05-18 06:35 107808 c:\windows\system32\dns-sd.exe
    + 2011-04-05 12:02 . 2011-04-05 12:02 811520 c:\windows\Installer\61c59.msi
    + 2011-04-05 12:04 . 2011-04-05 12:04 897024 c:\windows\Installer\{C73F2967-062E-48F2-A462-D335B8950183}\SafariIco.exe
    + 2011-04-05 12:14 . 2011-04-05 12:14 380928 c:\windows\Installer\{2A697B53-0DE3-42DA-B41D-C3F804B1C538}\iTunesIco.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
    + 2011-04-05 12:08 . 2011-02-18 06:36 4184352 c:\windows\system32\DRVSTORE\usbaapl_05A32DBD3911A2EF4222EF5BE7BB535FAB37D6C4\usbaaplrc.dll
    + 2011-04-05 12:08 . 2010-04-19 10:29 1461992 c:\windows\system32\DRVSTORE\netaapl_8A27A03003759CB01567E831096473C330131D64\wdfcoinstaller01009.dll
    + 2011-04-05 12:14 . 2011-04-05 12:14 5448704 c:\windows\Installer\62539.msi
    + 2011-04-05 12:08 . 2011-04-05 12:08 3085312 c:\windows\Installer\61d70.msi
    + 2011-04-05 12:05 . 2011-04-05 12:05 1710592 c:\windows\Installer\61cd9.msi
    + 2011-04-05 12:04 . 2011-04-05 12:04 3140608 c:\windows\Installer\61cb7.msi
    + 2011-04-05 12:03 . 2011-04-05 12:03 1984000 c:\windows\Installer\61c80.msi
    + 2011-04-05 11:59 . 2011-04-05 11:59 9472000 c:\windows\Installer\61c25.msi
    + 2011-04-03 12:02 . 2011-04-03 12:02 3272704 c:\windows\Installer\41cf70.msi
    + 2011-04-03 11:59 . 2011-04-03 11:59 1611776 c:\windows\Installer\41cf6c.msi
    + 2011-04-03 12:32 . 2011-04-03 12:32 2283008 c:\windows\Installer\107e8e.msi
    + 2010-11-10 02:49 . 2010-11-10 02:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
    + 2010-11-10 02:49 . 2010-11-10 02:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
    + 2010-11-10 02:49 . 2010-11-10 02:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
    + 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\107e8f.msp
    + 2010-11-10 02:49 . 2010-11-10 02:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-09-01 672632]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "VTTimer"="VTTimer.exe" [2004-01-15 49152]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
    "Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
    "EPSON PictureMate 500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE" [2004-10-17 98304]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
    "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2011-03-07 421160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Clipsal eCatalogue Edition 2.lnk - c:\program files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe [2010-11-5 6238208]
    NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-8-28 49220]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
    backup=c:\windows\pss\ImageMixer HDD Camera Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
    backup=c:\windows\pss\Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
    path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
    path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
    backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2004-06-04 11:33 1400944 ------w- c:\program files\Ahead\InCD\InCD.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-03-07 05:33 421160 ----a-w- c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
    2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 07:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2007-03-14 05:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Documents and Settings\\Julie McCarthy\\My Documents\\Mum's Ipod\\iTunes.exe"=
    .
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/10/2009 4:45 AM 169312]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [14/11/2010 1:19 PM 137344]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-10 16:35
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-04-10 16:38:50
    ComboFix-quarantined-files.txt 2011-04-10 06:38
    ComboFix2.txt 2011-04-03 11:17
    ComboFix3.txt 2011-03-26 03:34
    .
    Pre-Run: 41,557,463,040 bytes free
    Post-Run: 41,548,886,016 bytes free
    .
    - - End Of File - - D4E70B25C2C225AC184750C4B6DEF341
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    First: Don't be upset because you could find some of the entries! That's a good thing- it means they have been removed. Sometimes a removal doesn't include all the entries so we look for them to delete if present. That's why we add to HijackThis "if found."

    I am puzzled by these entries. According to your log, you have had QuickTime on the system since 2010. But the following shows the program installed again on 2011-04-05 11:59:
    c:\program files\QuickTime
    And the most puzzling of all is that all of the following plugins for QuickTime, on the same date, were added to Internet Explorer but the plug-ins are for Firefox! See the np at the beginning of each .dll file? That refers to Firefox!
    c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    The plugins are all related to QuickTime.
    But I see a Registry entry for an earlier date:
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    ===============================
    About MyWebSearch Email Plugin I'd like you to run HijackThis: I should see this in that log and can instruct you in what to check for removal:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  15. JulieAnne

    JulieAnne Newcomer, in training Topic Starter

    Hi Bobbye
    HijackThis log pasted below.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:09:03 PM, on 11/04/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17095)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Documents and Settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe
    C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Documents and Settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Documents and Settings\Julie McCarthy\Desktop\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [EPSON PictureMate 500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE /P21 "EPSON PictureMate 500" /O6 "USB002" /M "PictureMate 500"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Clipsal eCatalogue Edition 2.lnk = C:\Program Files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe
    O4 - Global Startup: NCProTray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B295DE9-84EF-437E-A9C1-498858A51F99}: Domain = vic.bigpond.net.au
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
    O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

    --
    End of file - 12106 bytes
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I had hoped I'd see MyWebSearch email plugin in HJT, but no such luck! So we're going to try one more way to remove it where it's hiding:

    Using Windows Explorer (Windows key + E) go to My Computer> Double click on Local Drive(C)> Click on Windows> Find the pss folder and double click to open> you will see entries similar to these: Do not click on any of these entries
    Look for MyWebSearch Email Plugin> if found, do a right click> Delete. If you see more than one entry (it shows in All Users and JulieMcCarthy's account) do the right click> Delete

    If it's not there, don't worry.

    Also look in the Documents & Settings folders> Startup entries for both All Users and Julie McC for the same MyWebSearch Email plugin. If you see this in either folder, do the same right click> Delete.

    Again, if it's not there, don't worry.
    ===================================================
    Are you aware that you are loading 3 printers/scanners/copiers/faxes?
    Lexmark, Canon and Epson. Are you using all three of these? If not, you should uninstall those you are not using. Then let me know which you took off and I'll include script to remove any remaining entries.

    Do any of the malware related problems remain?
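
The ComboFix log earlier in the thread records msconfig-disabled startup shortcuts as `[HKLM\~\startupfolder\...]` blocks whose `backup=` value is a file in `c:\windows\pss`, the folder the post above points to. The Python below is an added example, not part of the thread and not ComboFix code: it parses blocks in that format and lists the backup files left for a named program. The sample text is constructed in the log's layout with a placeholder profile name, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample in the layout of the ComboFix "Reg Loading Points" section.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Example User^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Example User\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 07:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
"""

HEADER = re.compile(r"^\[HKLM\\~\\startupfolder\\(?P<key>.+)\]$", re.IGNORECASE)


def scope_of(backup):
    """The suffix msconfig appends to the backup name tells which Startup folder it came from."""
    if not backup:
        return "unknown"
    if backup.endswith("Common Startup"):
        return "all users"
    if backup.endswith("Startup"):
        return "per-user"
    return "unknown"


def parse_disabled_startup(log_text):
    """Return one dict per startupfolder block: shortcut, path, backup, scope, consistent."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            # The key name is the shortcut path with '\' written as '^'.
            current = {"shortcut": match.group("key").replace("^", "\\"),
                       "path": None, "backup": None}
            entries.append(current)
        elif line.startswith("["):
            current = None  # some other registry block; ignore its values
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if name in ("path", "backup"):
                current[name] = value
    for entry in entries:
        entry["scope"] = scope_of(entry["backup"])
        # Sanity check: the decoded key name should match the path= value.
        entry["consistent"] = (entry["path"] is not None
                               and entry["path"].lower() == entry["shortcut"].lower())
    return entries


def find_leftovers(entries, needle):
    """Entries whose shortcut file name contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [e for e in entries if needle in ntpath.basename(e["shortcut"]).lower()]


if __name__ == "__main__":
    for hit in find_leftovers(parse_disabled_startup(SAMPLE_LOG), "mywebsearch"):
        print(f'{hit["scope"]:>9}: {hit["backup"]}')
```

The `backup=` value, suffix included, is the file name to look for in the pss folder.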