TechSpot

Possible Google Redirect Virus?

Solved
By frogtag
Oct 13, 2010
Topic Status:
Not open for further replies.
  1. Hi,

    To sum up quickly. I had AVG and it ran out. Short gap of time. I got Norton360. Did a scan. It said I had a Trojan. After that point google went bananas, redirecting to random search engine pages, 404 and google forbidden pages. I also tried to download Spybot but it wouldn't let me. I did a little surfing and it came up with a possibility of it being the google redirect virus?

    I found this site as being the most helpful in peoples plights, specifically this link http://www.techspot.com/vb/topic143807.html , however every site i've been on says not to use combifix without supervision. So can anyone help me please?

    If it helps I'm using Windows XP and re-formatting is not an option because this computer didn't come with the XP discs.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the malware, but I need to have some information:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, paste the logs into your next reply. Okay to use multiple posts if needed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    About Combofix. It's a good program, but a very powerful one and using it without supervision can cause problems. While we frequently do recommend it, it's only after we've seen the preliminary logs and then, only if it's the appropriate scan to run at that time.
  3. frogtag

    frogtag TS Rookie Topic Starter

    First of all thank you for your welcome and for replying to my thread. I'm currently working through the 8 step list. I'm on step 3 installing Malwarebytes' Anti-Maleware, which it has done, but it won't launch? Are there compatibility problems with older computers? Not sure what to do?

    I've checked system requirements for MAM and my computer has the specs required?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    What happens when you try to run Mbam? Any error message? What?
  5. frogtag

    frogtag TS Rookie Topic Starter

    Sorry not being overly helpful :)

    I downloaded the main MBAM and it installed, ok. Then nothing. No launch. No screens. Nothing. The cursor momentarily shows the hourglass icon, the hard disk light glows orange for a couple seconds, but nothing. Task manager doesn't show any active programs for MBAM. I tried to run it from the desktop, instead of after the install. Again nothing at all. I even uninstalled. Downloaded the mirrorsite #2 version and it did the same thing, nothing.

    In case it makes a difference. I have Packard Bell Ever Safe, ATI & Norton 360 running in the background (at least these are the things i'm aware of)
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run the following:
    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

    Once done, try running a scan again. If the scan works, you do not need to check the Event Viewer.
    =====================================
    If it still won't scan, proceed to the following:
    Check the Event Viewer for an error that corresponds to the time that you attempt but fail to get Mbam to run. Errors are time coded. Force the issue if needed by trying the scan again> note the time it fails on the computer clock, the do the following:

    Start> Run> type in eventvwr

    Do this on each the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3] .Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    [6].NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.
  7. frogtag

    frogtag TS Rookie Topic Starter

    Sorry for the delay in response, but it took all weekend to scan my computer with GMER.
    Step 1 ... Norton 360 scan was no problem.
    Step 2 ... TFC no problem (281mb of temp files!)
    Step 3 ... The randmbam.exe worked fine.
    ------------------------------
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16/10/2010 08:25:12
    mbam-log-2010-10-16 (08-25-12).txt

    Scan type: Quick scan
    Objects scanned: 129654
    Time elapsed: 18 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 153
    Registry Values Infected: 9
    Registry Data Items Infected: 2
    Folders Infected: 18
    Files Infected: 96

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{938aa51a-996c-4884-98ce-80dd16a5c9da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d9fffb27-d62a-4d64-8cec-1ff006528805} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my web search bar search scope monitor (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.132,93.188.160.12 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0c23ec19-4d52-4ceb-b902-bcd5016d8e0e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.132,93.188.160.12 -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\00036226.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0005334C (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\001E8DF5.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\001E9057.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\001E93A3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\001E9642.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\007FBD6A (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on\Thumbs.db (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Video Add-on\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    ------------------------------

    Step 4 ... GMER was a bit of a problem. I had to turn of Devices because it crashed. I rebboted, scanned the rest. Took 12 hours and crashed! So had to scan bit by bit and cut-n-paste into one file. If there's anything missing please let me know. Everything was scanned except Devices. I also included a warning I had, about a suspicious modification, and added it to the top of the log.

    ------------------------------
    GMER 1.0.15.15319 - http://www.gmer.net
    Rootkit scan 2010-10-17 07:53:37
    Windows 5.1.2600 Service Pack 3
    Running: hunpe535.exe; Driver: C:\DOCUME~1\Ben\LOCALS~1\Temp\aflyiaog.sys

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 82E01EC5

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- System - GMER 1.0.15 ----

    SSDT 82237050 ZwAlertResumeThread
    SSDT 822CEE08 ZwAlertThread
    SSDT FF7E51A8 ZwAllocateVirtualMemory
    SSDT 81F06050 ZwAssignProcessToJobObject
    SSDT 8230C218 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB5BB2210]
    SSDT FF7D84C0 ZwCreateMutant
    SSDT FF7D1F40 ZwCreateSymbolicLinkObject
    SSDT 82E6D0B0 ZwCreateThread
    SSDT 822E6050 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB5BB2490]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB5BB29F0]
    SSDT FF7E5400 ZwDuplicateObject
    SSDT FF7E49B0 ZwFreeVirtualMemory
    SSDT 823023C8 ZwImpersonateAnonymousToken
    SSDT 822B8998 ZwImpersonateThread
    SSDT 82E36178 ZwLoadDriver
    SSDT 8230BC90 ZwMapViewOfSection
    SSDT 82100050 ZwOpenEvent
    SSDT FF7E56A0 ZwOpenProcess
    SSDT 822451D0 ZwOpenProcessToken
    SSDT 82100340 ZwOpenSection
    SSDT FF7E5550 ZwOpenThread
    SSDT FF7D26B0 ZwProtectVirtualMemory
    SSDT 822BB630 ZwResumeThread
    SSDT 82305E08 ZwSetContextThread
    SSDT FF7E45D0 ZwSetInformationProcess
    SSDT 822D9050 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB5BB2C40]
    SSDT 821E9128 ZwSuspendProcess
    SSDT 822426E0 ZwSuspendThread
    SSDT 822CF3E0 ZwTerminateProcess
    SSDT 822FBA90 ZwTerminateThread
    SSDT 822BAE08 ZwUnmapViewOfSection
    SSDT FF7E4DC0 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\drivers\aic78u2.sys entry point in ".rsrc" section [0xF850C114]
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    ? C:\Program Files\Winamp\winampa.exe[440] C:\WINDOWS\system32\WS2_32.dll IMAGE_DOS_SIGNATURE not found;

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\aic78u2.sys suspicious modification

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

    ---- EOF - GMER 1.0.15 ----
  8. frogtag

    frogtag TS Rookie Topic Starter

    Step 5 ... DDS was no problems either

    ------------------------------

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Ben at 9:26:48.56 on 18/10/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.71 [GMT 1:00]

    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\apps\ABoard\ABoard.exe
    C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\PixArt\PAC207\Monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\apps\ABoard\AOSD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Ben\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2003
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
    BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EPSON Stylus SX400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiege.exe /fu "c:\windows\temp\E_S61.tmp" /EF "HKCU"
    mRun: [ATIPTA] "c:\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
    mRun: [NovaNet-WEB Tray Control] c:\program files\packard bell eversafe\TrayControl.exe
    mRun: [VCSPlayer] "c:\program files\virtual cd v4 sdk\system\vcsplay.exe"
    mRun: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
    mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [Item Viewer] c:\diablo\itemview.exe /register
    mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\packar~1.lnk - c:\program files\packard bell eversafe\TrayControl.exe
    IE: &Search
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193166580614
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-12 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-12 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-2 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-12 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-12 116784]
    R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [2003-8-15 49232]
    R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-12 126392]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\virtual cd v4 sdk\system\vcssecs.exe [2003-8-15 139264]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-11 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20101012.001\IDSXpx86.sys [2010-9-15 341880]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101013.039\NAVENG.SYS [2010-10-14 86064]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20101013.039\NAVEX15.SYS [2010-10-14 1371184]
    S3 gkmixern;gkmixern;\??\c:\docume~1\ben\locals~1\temp\gkmixern.sys --> c:\docume~1\ben\locals~1\temp\gkmixern.sys [?]
    S3 map730c;map730c;c:\windows\system32\drivers\map730c.sys [2007-2-13 24784]
    S3 map730m;map730m;c:\windows\system32\drivers\map730m.sys [2007-2-13 25044]
    S3 map730u;map730u;c:\windows\system32\drivers\map730u.sys [2007-2-13 56320]
    S3 PAC207;Sweex Webcam USB;c:\windows\system32\drivers\PFC027.SYS [2007-10-25 616064]

    =============== Created Last 30 ================

    2010-10-16 07:01:41 -------- d-----w- c:\docume~1\ben\applic~1\Malwarebytes
    2010-10-15 08:02:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 08:02:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-15 08:02:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 08:02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-12 07:10:17 361904 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdi.sys
    2010-10-12 07:10:17 339504 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symtdiv.sys
    2010-10-12 07:10:17 173104 ----a-w- c:\windows\system32\drivers\n360\0403000.005\symefa.sys
    2010-10-12 07:10:16 501888 ----a-w- c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys
    2010-10-12 07:10:16 43696 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtspx.sys
    2010-10-12 07:10:16 328752 ----a-r- c:\windows\system32\drivers\n360\0403000.005\symds.sys
    2010-10-12 07:10:16 325680 ----a-w- c:\windows\system32\drivers\n360\0403000.005\srtsp.sys
    2010-10-12 07:10:16 116784 ----a-w- c:\windows\system32\drivers\n360\0403000.005\ironx86.sys
    2010-10-12 07:09:16 -------- d-----w- c:\windows\system32\drivers\n360\0403000.005
    2010-10-11 15:08:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-11 15:08:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-11 15:06:33 -------- d-----w- c:\windows\system32\drivers\N360
    2010-10-11 15:06:28 -------- d-----w- c:\program files\Norton 360
    2010-10-11 15:06:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2010-10-11 15:04:47 -------- d-----w- c:\program files\NortonInstaller
    2010-10-11 15:04:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2010-09-22 17:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

    ==================== Find3M ====================

    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2006-11-20 08:01:08 163840 ----a-w- c:\program files\common files\AMCap.exe

    ============= FINISH: 9:30:29.14 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 30/08/2003 16:50:00
    System Uptime: 18/10/2010 09:14:45 (0 hours ago)

    Motherboard: NEC COMPUTERS INTERNATIONAL | | PALOMAR (MS-6763)
    Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | Socket 478 | 2600/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 72 GiB total, 7.182 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP939: 14/07/2010 13:27:18 - Software Distribution Service 3.0
    RP940: 17/07/2010 10:24:08 - System Checkpoint
    RP941: 02/08/2010 14:48:42 - System Checkpoint
    RP942: 03/08/2010 15:56:20 - Software Distribution Service 3.0
    RP943: 09/08/2010 11:37:33 - System Checkpoint
    RP944: 11/08/2010 09:03:51 - Software Distribution Service 3.0
    RP945: 13/08/2010 11:21:08 - System Checkpoint
    RP946: 19/08/2010 11:32:04 - System Checkpoint
    RP947: 21/08/2010 10:08:34 - System Checkpoint
    RP948: 23/08/2010 12:44:07 - System Checkpoint
    RP949: 24/08/2010 12:44:45 - System Checkpoint
    RP950: 25/08/2010 22:36:33 - System Checkpoint
    RP951: 30/08/2010 11:11:40 - System Checkpoint
    RP952: 01/09/2010 10:07:56 - System Checkpoint
    RP953: 02/09/2010 13:36:02 - Software Distribution Service 3.0
    RP954: 03/09/2010 14:13:23 - System Checkpoint
    RP955: 04/09/2010 07:33:03 - Removed UFO Aftermath
    RP956: 07/09/2010 07:38:33 - System Checkpoint
    RP957: 09/09/2010 07:34:37 - System Checkpoint
    RP958: 12/09/2010 11:36:17 - System Checkpoint
    RP959: 14/09/2010 11:51:54 - System Checkpoint
    RP960: 15/09/2010 13:22:07 - Software Distribution Service 3.0
    RP961: 17/09/2010 09:11:36 - System Checkpoint
    RP962: 19/09/2010 11:29:09 - System Checkpoint
    RP963: 23/09/2010 14:42:17 - System Checkpoint
    RP964: 25/09/2010 18:05:42 - System Checkpoint
    RP965: 27/09/2010 23:40:40 - Removed Instant DVD Recorder
    RP966: 29/09/2010 09:00:14 - Software Distribution Service 3.0
    RP967: 03/10/2010 11:40:18 - System Checkpoint
    RP968: 05/10/2010 22:52:31 - Configured Studio 10
    RP969: 05/10/2010 22:55:01 - Removed Studio 10
    RP970: 05/10/2010 22:54:23 - Configured PRODUCT_NAME
    RP971: 08/10/2010 09:24:06 - Software Distribution Service 3.0
    RP972: 11/10/2010 07:39:25 - System Checkpoint
    RP973: 11/10/2010 15:47:31 - Removed AVG 9.0
    RP974: 11/10/2010 15:57:55 - Removed AVG 9.0
    RP975: 11/10/2010 16:00:34 - Installed AVG 9.0
    RP976: 14/10/2010 11:53:17 - System Checkpoint

    ==== Installed Programs ======================


    15 Puzzle
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 9.4.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Display Driver
    Basketball
    Battle.net
    Bde
    Blobs
    Bonjour
    Bowling Mania Special Edition
    Box Attack
    Brain Twister
    C++ AIO For Dummies
    Camera RAW Plug-In for EPSON Creativity Suite
    Charmed
    Checkers
    Chess
    CM 03-04
    Color Wheel
    Corel Paint Shop Pro X
    Craps Special Edition
    Critical Update for Windows Media Player 11 (KB959772)
    Curse Client
    Dark Tiles
    DiscAPI (Studio 10)
    Drop
    eGames Master's Edition 151
    Electronic Arts Product Registration
    English Solitaire
    EPSON Attach To Email
    EPSON Easy Photo Print
    EPSON File Manager
    EPSON Logiciel imprimante
    EPSON Scan
    EPSON Scan Assistant
    EPSON Stylus SX200_SX400_TX200_TX400 Manual
    EPSON Stylus SX400 Series Printer Uninstall
    EPSON Web-To-Page
    Fairy Chess
    Family Tree Maker Version 16
    Fast Browser Search (My Web Tattoo)
    Fishing Special Edition
    FM Modifier 2.0
    Football Manager 2006
    Foto Breakout
    Four Field Kono
    FreeRIP v3.091
    Galaxy of Games 201
    GearDrvs
    Gems 3D
    GENViewer Lite 1.14
    Go-Moku
    Halma
    Hip
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InterActual Player
    iTunes
    Java(TM) 6 Update 17
    Java(TM) 6 Update 6
    Jigsaw USA Special Edition
    Keno Craze Special Edition
    King Solitaire
    Kingpin: Life of Crime
    Knights Tour
    LiveReg (Symantec Corporation)
    LiveUpdate (Symantec Corporation)
    Mahjong Match
    Mahjongg Empire Special Edition
    Mahjongg Master 3 Special Edition
    Malwarebytes' Anti-Malware
    Max Solitaire
    Maze
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Document Explorer 2005
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 97, Professional Edition
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Express Edition - ENU
    Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
    Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
    Microsoft Works 7.0
    MobileMe Control Panel
    Morris
    Mosby's Medical Encyclopedia
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    MVP Solitaire Clubs Edition
    MVP Word Search
    MyHeritage Family Tree Builder
    NCH Toolbox
    Nim
    Norton 360
    Oblivion
    Packard Bell Companion
    Packard Bell EverSafe
    Packard Bell InfoCentre
    PCFriendly
    Photo Match All
    Pinnacle Instant DVD Recorder
    PowerDVD
    Professor Wilde
    Puzzle Master 2 Special Edition
    QuickTime
    RAPID
    Rings of the Magi
    Runtime 8.0 Libraries
    Safari
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile Modem Driver Set
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Samsung PC Studio 3
    Secret Circuit
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Shockwave
    Skype™ 4.2
    Sliding Coins
    Snake Arena Special Edition
    Sonic RecordNow DX
    Sony Picture Utility
    Star Solitaire
    Studio 10
    Tafl
    Tai Match
    The Complete Interactive Cookbook
    TicTacToe
    TOSHIBA Bluetooth Stack for Windows
    TurnOff
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Vodafone 804SS USB driver Software
    VoiceOver Kit
    WA Update v3.50 beta2
    WavePad Sound Editor
    WC003V3 Sweex Foldable Webcam
    WebFldrs XP
    Wild Wild
    Winamp
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    Word Wiz
    World of Warcraft
    WWTBAM 2nd Edition
    XML Paper Specification Shared Components Pack 1.0
    Xvid 1.2.2 final uninstall

    ==== Event Viewer Messages From Past Week ========

    18/10/2010 09:27:03, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
    17/10/2010 08:42:29, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    17/10/2010 08:42:15, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    16/10/2010 08:29:34, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
    14/10/2010 12:49:30, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    14/10/2010 12:49:30, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    14/10/2010 12:03:38, error: Service Control Manager [7034] - The Virtual CD v4 Security service (SDK - Version) service terminated unexpectedly. It has done this 1 time(s).
    14/10/2010 12:03:38, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    14/10/2010 12:03:37, error: Service Control Manager [7034] - The SmartLinkService service terminated unexpectedly. It has done this 1 time(s).
    14/10/2010 12:03:36, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    14/10/2010 12:03:36, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    14/10/2010 12:03:36, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    14/10/2010 12:03:36, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    14/10/2010 09:05:01, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    14/10/2010 09:02:12, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
    11/10/2010 15:55:58, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
    11/10/2010 15:55:28, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avgfws9 service.
    11/10/2010 15:54:46, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WebClient service to connect.
    11/10/2010 15:54:46, error: Service Control Manager [7000] - The WebClient service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/10/2010 12:31:07, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG WatchDog service to connect.
    11/10/2010 12:31:07, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AVG Firewall service to connect.
    11/10/2010 12:31:07, error: Service Control Manager [7000] - The AVG WatchDog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/10/2010 12:31:07, error: Service Control Manager [7000] - The AVG Firewall service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Good job! That 'suspicious file' is a sign of a rootkit. You also have a few other infections. MyWebSearch permeates a system with a gazillion entries (very 'non-technical but accurate description!) > Mbam removed them, hopefully all. If you have been to the FunWebSite looking for Smilies, 3D screenSavers or other cosmetic enhancements for the system> STOP- and don't go back.

    There are some entries to be removed, so I'd like you to run Combofix. I'll be setting up some script in the meantime.

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
  10. frogtag

    frogtag TS Rookie Topic Starter

    I turned off Norton360 anti-virus and tried to run ComboFix. Tried it twice but like with MBAM nothing happened. A run program prompt came up and I accepted, but then nothing happened. Also nothing in Task Manager.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Run the following, then try Combofix again:

    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
     
  12. frogtag

    frogtag TS Rookie Topic Starter

    Happy Birthday by the way. Hope you had a great day.

    Ran rkill.com ... no problems at all.
    Ran exeHelper ... again no problems

    exeHelper by Raktor
    Build 20100414
    Run at 09:48:15 on 10/21/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Still no luck with ComboFix. Did the same as before run prompt box came up. Clicked run. Did nothing.

    An additional observation that I made yesterday (not connected with ComboFix) is that Norton is blocking unauthorized access to "Send Terminate Message to Window". It now explains why the computer reset itself while I was scanning with GMER. The log says:

    Actor: C:\WINDOWS\EXPLORER.EXE
    Actor PID: 1992
    Target: \Device\HarddiskVolume2\Program Files\Norton 360\Engine\4.3.0.5\ccsvchst.exe Target PID: 2116
    Action: Send Terminate Message to Window
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you. I did have a nice day!

    Good explanation for the terminate program:
    http://community.norton.com/t5/Nort...d-Send-Terminate-Message-to-Window/m-p/146445

    Let's see if we can get around what's blocking Combofix:
    First, run this online AV scan:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================================
    Please download OTMovit by Old Timer and save to your desktop. Do not run yet.
    ==========================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Don't reboot the computer. Leave the Eset and HijackThis logs in your next reply.
  14. frogtag

    frogtag TS Rookie Topic Starter

    1 ... Eset scan done without problems

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=60501d75a635344b827ca213cdfc9f84
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-22 10:37:36
    # local_time=2010-10-22 11:37:36 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777215 100 0 16579402 16579402 0 0
    # compatibility_mode=3589 16777189 100 86 859404 51102943 0 0
    # compatibility_mode=8192 67108863 100 0 240 240 0 0
    # scanned=97836
    # found=37
    # cleaned=0
    # scan_time=9213
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP955\A0128043.exe Win32/Adware.ADON application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP967\A0131358.exe probably a variant of Win32/Adware.180Solutions application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP967\A0131359.dll a variant of Win32/Adware.HotBar.E application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP967\A0131362.exe a variant of Win32/Adware.HotBar.E application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP971\A0131952.dll Win32/Olmarik.ADF trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP971\A0131953.dll Win32/Olmarik.ACK trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134764.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134765.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134766.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134767.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134768.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134769.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134770.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134771.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134772.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134773.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134774.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134775.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134776.DLL Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134777.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134778.scr Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134779.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134780.SCR Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134781.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134782.EXE Win32/Adware.FunWeb application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134786.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134787.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134790.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134791.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134792.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134793.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134805.EXE a variant of Win32/Toolbar.MyWebSearch.I application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134806.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134807.DLL a variant of Win32/Toolbar.MyWebSearch.K application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134808.EXE Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134809.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP976\A0134810.DLL Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I

    2 ... HiJack Scan done without problems

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:47:43, on 22/10/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\apps\ABoard\ABoard.exe
    C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\PixArt\PAC207\Monitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\apps\ABoard\AOSD.exe
    C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2003
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.3.0.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.3.0.5\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (file missing)
    O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.3.0.5\coIEPlg.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
    O4 - HKLM\..\Run: [NovaNet-WEB Tray Control] C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Item Viewer] C:\Diablo\itemview.exe /register
    O4 - HKLM\..\Run: [PAC207_Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
    O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus SX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S61.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Packard Bell EverSafe Tray Control.lnk = C:\Program Files\Packard Bell EverSafe\TrayControl.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (DNL Reader) - http://www.digitalwebbooks.com/reader/dbplugin.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193166580614
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

    --
    End of file - 10394 bytes

    3 ... Haven't rebooted my computer.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, no new in Eset. I will have you drop all the old restore points when we're through.

    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (file missing)
    O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
    O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll


    Close all Windows except for HijackThis and click on "Fix Checked"

    Go back to this step in Combofix: Before you do the double lick to run, do a right click> rename and change combofix.exe to frogspot.exe
    [4]. Double click combofix.exe & follow the prompts to run.
    Then try the scan.
  16. frogtag

    frogtag TS Rookie Topic Starter

    1 ... Bingo! Did system scan. Fixed Checked.
    2 ... Renamed ComboFix and it ran fine.

    ComboFix 10-10-22.04 - Ben 23/10/2010 9:07.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.104 [GMT 1:00]
    Running from: c:\documents and settings\Ben\Desktop\frogspot.exe
    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Ben\LOCALS~1\Temp\tmp1.tmp
    c:\documents and settings\Ben\Recent\Evony-Free_Forever.url
    c:\program files\Fast Browser Search
    c:\program files\Fast Browser Search\IE\1.bat
    c:\program files\Fast Browser Search\IE\about.html
    c:\program files\Fast Browser Search\IE\affid.dat
    c:\program files\Fast Browser Search\IE\basis.xml
    c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
    c:\program files\Fast Browser Search\IE\error.html
    c:\program files\Fast Browser Search\IE\FBSPlugin.dll
    c:\program files\Fast Browser Search\IE\fbsProtection.xml
    c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
    c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
    c:\program files\Fast Browser Search\IE\fbstoolbar.jar
    c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
    c:\program files\Fast Browser Search\IE\icons.bmp
    c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
    c:\program files\Fast Browser Search\IE\search.bmp
    c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
    c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
    c:\program files\Fast Browser Search\IE\SGPU.ico
    c:\program files\Fast Browser Search\IE\sgpUpdater.exe
    c:\program files\Fast Browser Search\IE\sgpUpdater.xml
    c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
    c:\program files\Fast Browser Search\IE\tbhelper.dll
    c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
    c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
    c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
    c:\program files\Fast Browser Search\IE\Toolbar Help.htm
    c:\program files\Fast Browser Search\IE\uninstall.exe
    c:\program files\Fast Browser Search\IE\uninstalSGP.exe
    c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
    c:\program files\Fast Browser Search\IE\update.exe
    c:\program files\Fast Browser Search\IE\version.txt
    c:\program files\SGPSA
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\PixArt\PAC207\Monitor.exe
    c:\windows\system32\DMLEng.dll
    c:\windows\system32\Icons
    c:\windows\system32\Icons\2-Hot-Train.ico
    c:\windows\system32\Icons\Black iTunes.ico
    c:\windows\system32\Icons\Blood Splatter.ico
    c:\windows\system32\Icons\Bloody Chainsaw.ico
    c:\windows\system32\Icons\Brain.ico
    c:\windows\system32\Icons\Carved Pumpkin.ico
    c:\windows\system32\Icons\Chainsaw.ico
    c:\windows\system32\Icons\Chupacabra.ico
    c:\windows\system32\Icons\Earth-and-Moon.ico
    c:\windows\system32\Icons\Eyeball.ico
    c:\windows\system32\Icons\family.ico
    c:\windows\system32\Icons\Galaxy.ico
    c:\windows\system32\Icons\ipod-shuffle-09.ico
    c:\windows\system32\Icons\itunes.ico
    c:\windows\system32\Icons\Newcastle-United.ico
    c:\windows\system32\Icons\Pirate.ico
    c:\windows\system32\Icons\Poison.ico
    c:\windows\system32\Icons\Pumpkin.ico
    c:\windows\system32\Icons\recycle-empty.ico
    c:\windows\system32\Icons\recycle-full.ico
    c:\windows\system32\Icons\Sea Monster.ico
    c:\windows\system32\Icons\solar-eclipse.ico
    c:\windows\system32\Icons\Solar-System.ico
    c:\windows\system32\Icons\solar-system2.ico
    c:\windows\system32\Icons\Soul.ico
    c:\windows\system32\Icons\Squid Attack.ico
    c:\windows\system32\Icons\Train.ico
    c:\windows\system32\Icons\Tree.ico
    c:\windows\system32\Icons\Vampire.ico
    c:\windows\system32\Icons\VGC Bomberman.ico
    c:\windows\system32\Icons\VGC CFJ Chunli.ico
    c:\windows\system32\Icons\VGC CFJ Ryu.ico
    c:\windows\system32\Icons\VGC CFJ Sakura.ico
    c:\windows\system32\Icons\VGC CFJ Zangief.ico
    c:\windows\system32\Icons\VGC MarioBros.ico
    c:\windows\system32\Icons\VGC Megaman Kobun.ico
    c:\windows\system32\Icons\VGC Megaman.ico
    c:\windows\system32\Icons\VGC Metroid Samus.ico
    c:\windows\system32\Icons\VGC Rayman Rabbit.ico
    c:\windows\system32\Icons\VGC Rayman.ico
    c:\windows\system32\Icons\VGC RE ChrisRedfield.ico
    c:\windows\system32\Icons\VGC RE JillValentine.ico
    c:\windows\system32\Icons\VGC RE Zombie.ico
    c:\windows\system32\Icons\VGC RE4 LeonKennedy.ico
    c:\windows\system32\Icons\VGC SC3 Yoshimitsu.ico
    c:\windows\system32\Icons\VGC SC5 Ulala.ico
    c:\windows\system32\Icons\VGC Sonic.ico
    c:\windows\system32\Icons\VGC TTT HeihachiMishima.ico
    c:\windows\system32\Icons\VGC TTT LeiWulong.ico
    c:\windows\system32\Icons\VGC VS Felicia.ico
    c:\windows\system32\Icons\VGC VS Lilith.ico
    c:\windows\system32\Icons\VGC VS Morrigan.ico
    c:\windows\system32\Icons\VGC Zelda Link.ico
    c:\windows\system32\Icons\Witch.ico
    c:\windows\system32\Icons\Zombie.ico
    c:\windows\system32\PCLECoInst.dll
    c:\windows\system32\system

    Infected copy of c:\windows\system32\drivers\aic78u2.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
    .

    2010-10-22 10:46 . 2010-10-22 10:46 388096 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-22 10:46 . 2010-10-22 10:46 -------- d-----w- c:\program files\Trend Micro
    2010-10-22 08:00 . 2010-10-22 08:00 -------- d-----w- c:\program files\ESET
    2010-10-19 08:14 . 2010-10-19 08:14 -------- d-----w- c:\program files\Common Files\Java
    2010-10-19 08:13 . 2010-09-15 03:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-19 07:44 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-19 07:44 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-16 07:01 . 2010-10-16 07:01 -------- d-----w- c:\documents and settings\Ben\Application Data\Malwarebytes
    2010-10-15 08:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 08:02 . 2010-10-15 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-15 08:02 . 2010-10-16 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-15 08:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-12 07:10 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
    2010-10-12 07:10 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
    2010-10-12 07:10 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
    2010-10-12 07:10 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
    2010-10-12 07:10 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
    2010-10-12 07:10 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\symds.sys
    2010-10-11 15:08 . 2010-10-11 15:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-11 15:08 . 2010-10-11 15:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-11 15:06 . 2010-10-12 09:20 -------- d-----w- c:\windows\system32\drivers\N360
    2010-10-11 15:06 . 2010-10-11 15:06 -------- d-----w- c:\program files\Norton 360
    2010-10-11 15:06 . 2010-10-11 15:06 -------- d-----w- c:\program files\Windows Sidebar
    2010-10-11 15:06 . 2010-10-11 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-10-11 15:04 . 2010-10-11 15:04 -------- d-----w- c:\program files\NortonInstaller

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:23 . 2002-09-19 19:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2002-09-19 19:26 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2002-09-19 19:26 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2002-09-19 19:26 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 01:29 . 2008-06-28 14:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 10:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2002-09-19 19:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2002-09-19 19:26 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2002-09-19 19:26 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2002-09-19 19:26 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2002-09-19 19:26 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2002-09-19 19:26 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2002-09-19 19:26 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 16:08 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2002-09-19 19:26 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2006-11-20 08:01 . 2006-11-20 08:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2003-06-19 335872]
    "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
    "NovaNet-WEB Tray Control"="c:\program files\Packard Bell EverSafe\TrayControl.exe" [2002-07-31 762368]
    "VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 299008]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-15 151597]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
    Packard Bell EverSafe Tray Control.lnk - c:\program files\Packard Bell EverSafe\TrayControl.exe [2003-8-30 762368]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9420:TCP"= 9420:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    "2416:TCP"= 2416:TCP:Akamai NetSession Interface
    "2745:TCP"= 2745:TCP:Akamai NetSession Interface

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [12/10/2010 08:10 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [12/10/2010 08:10 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [02/10/2010 00:00 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [12/10/2010 08:10 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [12/10/2010 08:10 116784]
    R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [15/08/2003 10:33 49232]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [12/10/2010 08:09 126392]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [15/08/2003 10:33 139264]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 17:44 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101020.001\IDSXpx86.sys [19/10/2010 21:36 341880]
    S3 gkmixern;gkmixern;\??\c:\docume~1\Ben\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Ben\LOCALS~1\Temp\gkmixern.sys [?]
    S3 map730c;map730c;c:\windows\system32\drivers\map730c.sys [13/02/2007 22:22 24784]
    S3 map730m;map730m;c:\windows\system32\drivers\map730m.sys [13/02/2007 22:22 25044]
    S3 map730u;map730u;c:\windows\system32\drivers\map730u.sys [13/02/2007 22:22 56320]
    S3 PAC207;Sweex Webcam USB;c:\windows\system32\drivers\PFC027.SYS [25/10/2007 18:31 616064]
    .
    Contents of the 'Scheduled Tasks' folder

    2003-08-30 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-09-19 00:12]

    2003-08-30 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-09-19 00:12]

    2003-08-30 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-09-19 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2003
    uInternet Settings,ProxyOverride = *.local
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-SITEguard - (no file)
    HKLM-Run-CleanEasyImg - c:\apps\easydvd\cleanall.exe
    HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll
    HKLM-Run-Item Viewer - c:\diablo\itemview.exe
    HKLM-Run-PAC207_Monitor - c:\windows\PixArt\PAC207\Monitor.exe
    HKLM-Run-Monitor - c:\windows\PixArt\PAC207\Monitor.exe
    AddRemove-Birth of the Federation version 1.0.2 - c:\botf\Uninst.isu
    AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
    AddRemove-Kingpin - c:\program files\Kingpin\Uninst.isu
    AddRemove-Vampire - c:\program files\Vampire The Masquerade - Redemption\Vampire.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-23 09:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2646306841-3634641365-3773164037-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    @SACL=

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(600)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1004)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\Ati2evxx.exe
    c:\apps\ABoard\AOSD.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
    c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-10-23 09:47:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-23 08:47

    Pre-Run: 7,542,194,176 bytes free
    Post-Run: 7,538,208,768 bytes free

    - - End Of File - - 9BDEAE526C8759B9B073255468BF6389
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\docume~1\ben\locals~1\temp\gkmixern.sys
    
    DDS::
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    Driver::
    gkmixern
    FCopy::                             
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===============================================
    NOTE: You have 3 entries for this on the same date in the Contents of the 'Scheduled Tasks' folder:
    2003-08-30 c:\windows\Tasks\Registration reminder 1.job
    This is a Windows OOBE Balloon Reminder, part of the Windows XP Out of Box Experience{OOBE}. As implied by the name, OOBE is intended to run once after you complete Windows XP setup. OOBE wizard helps you complete of setup actions after you initially install Windows XP.

    Since it is 8 years old, you have most likely already registered the OS and should delete this task as follows: Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    [o] To delete a task> right-click the task> click Delete.
    Do this on all 3 of the entries.
    ===============================================
    Has the redirect been resolved? Are there any more malware related problems?
  18. frogtag

    frogtag TS Rookie Topic Starter

    It's probably not relevant, but just noticed within the code something about Java Update 6 (JU6) & Jave Update 17 (JU17). As part of the 8 steps I removed JU6 with add/removed in control as it seemed to be an old update. JU17 was replaced by the latest update JU22. Like I say just mentioning incase I did a bad thing?

    1 ... Ran script with ComboFix ... one problem at end when I got a PEV.exe terminal shutdown message. Other than that ran normally.

    ComboFix 10-10-23.02 - Ben 25/10/2010 8:18.2.2 - x86
    Running from: c:\documents and settings\Ben\Desktop\frogspot.exe
    Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
    AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    * Created a new restore point

    FILE ::
    "c:\docume~1\ben\locals~1\temp\gkmixern.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\System32\drivers\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GKMIXERN
    -------\Service_gkmixern


    ((((((((((((((((((((((((( Files Created from 2010-09-25 to 2010-10-25 )))))))))))))))))))))))))))))))
    .

    2010-10-22 10:46 . 2010-10-22 10:46 388096 ----a-r- c:\documents and settings\Ben\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-22 10:46 . 2010-10-22 10:46 -------- d-----w- c:\program files\Trend Micro
    2010-10-22 08:00 . 2010-10-22 08:00 -------- d-----w- c:\program files\ESET
    2010-10-19 08:14 . 2010-10-19 08:14 -------- d-----w- c:\program files\Common Files\Java
    2010-10-19 08:13 . 2010-09-15 03:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-19 07:44 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-19 07:44 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-16 07:01 . 2010-10-16 07:01 -------- d-----w- c:\documents and settings\Ben\Application Data\Malwarebytes
    2010-10-15 08:02 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 08:02 . 2010-10-15 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-15 08:02 . 2010-10-16 07:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-15 08:02 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-12 07:10 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
    2010-10-12 07:10 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
    2010-10-12 07:10 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
    2010-10-12 07:10 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
    2010-10-12 07:10 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
    2010-10-12 07:10 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\symds.sys
    2010-10-11 15:08 . 2010-10-11 15:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-11 15:08 . 2010-10-11 15:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-11 15:06 . 2010-10-12 09:20 -------- d-----w- c:\windows\system32\drivers\N360
    2010-10-11 15:06 . 2010-10-11 15:06 -------- d-----w- c:\program files\Norton 360
    2010-10-11 15:06 . 2010-10-11 15:06 -------- d-----w- c:\program files\Windows Sidebar
    2010-10-11 15:06 . 2010-10-11 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-10-11 15:04 . 2010-10-11 15:04 -------- d-----w- c:\program files\NortonInstaller

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 11:23 . 2002-09-19 19:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2002-09-19 19:26 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2002-09-19 19:26 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2002-09-19 19:26 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 01:29 . 2008-06-28 14:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 10:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2002-09-19 19:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2002-09-19 19:26 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51 . 2002-09-19 19:26 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2002-09-19 19:26 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2002-09-19 19:26 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2002-09-19 19:26 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2002-09-19 19:26 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-16 16:08 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2002-09-19 19:26 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2006-11-20 08:01 . 2006-11-20 08:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\ati technologies\ATI Control Panel\atiptaxx.exe" [2003-06-19 335872]
    "ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
    "NovaNet-WEB Tray Control"="c:\program files\Packard Bell EverSafe\TrayControl.exe" [2002-07-31 762368]
    "VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2002-06-07 299008]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-08-15 151597]
    "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-8-1 111376]
    Packard Bell EverSafe Tray Control.lnk - c:\program files\Packard Bell EverSafe\TrayControl.exe [2003-8-30 762368]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9420:TCP"= 9420:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    "2416:TCP"= 2416:TCP:Akamai NetSession Interface
    "2745:TCP"= 2745:TCP:Akamai NetSession Interface

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [12/10/2010 08:10 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [12/10/2010 08:10 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [02/10/2010 00:00 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [12/10/2010 08:10 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [12/10/2010 08:10 116784]
    R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [15/08/2003 10:33 49232]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [12/10/2010 08:09 126392]
    R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [15/08/2003 10:33 139264]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/10/2010 17:44 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101020.001\IDSXpx86.sys [19/10/2010 21:36 341880]
    S3 map730c;map730c;c:\windows\system32\drivers\map730c.sys [13/02/2007 22:22 24784]
    S3 map730m;map730m;c:\windows\system32\drivers\map730m.sys [13/02/2007 22:22 25044]
    S3 map730u;map730u;c:\windows\system32\drivers\map730u.sys [13/02/2007 22:22 56320]
    S3 PAC207;Sweex Webcam USB;c:\windows\system32\drivers\PFC027.SYS [25/10/2007 18:31 616064]
    .
    Contents of the 'Scheduled Tasks' folder

    2003-08-30 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-09-19 00:12]

    2003-08-30 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-09-19 00:12]

    2003-08-30 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-09-19 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = hxxp://securityresponse.symantec.com/avcenter/vinfodb.html?prodid=nav2003
    uInternet Settings,ProxyOverride = *.local
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-25 08:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2646306841-3634641365-3773164037-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    @SACL=

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(600)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(4024)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\wscntfy.exe
    c:\apps\ABoard\AOSD.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-25 08:49:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-25 07:49

    Pre-Run: 7,501,447,168 bytes free
    Post-Run: 7,490,576,384 bytes free

    - - End Of File - - 760580CA342F08CAA7DF072910D58D01

    2 ... Removed all 3 registration reminders.
    3 ... Have tried google search engine. There doesn't seem to be any redirecting. Don't see any other malware related problems?
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I still see the scheduled tasks, so do a short script:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\System32\OOBE\oobebaln.exe 
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . You don't need to leave the log.
    ===============================================
    Since thre problems have been resolved, you can remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions.
  20. frogtag

    frogtag TS Rookie Topic Starter

    The scheduled tasks were removed after the scan. But they have definitely gone. I've scanned the computer again with Malware. Nothing found. Removed all the programs.

    Just scanned with Norton Registry Clean Up and found a High risk threat?

    Backdoor.Tidserv.l!inf

    It says i need to manually remove it?
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If Norton put the entry in Quarantine, delete it. There's a Norton Wizard that's telling everyone they have this malware even if it's been removed, even if it's in the Quarantine folder.

    Let me know if that doesn't work and I'll have you do an online scan again.
  22. frogtag

    frogtag TS Rookie Topic Starter

    Deleted the quarantine entry. Within 5mins Norton re-found the threat, so definitely there.

    The info i have on it is as follows

    Name/Type: Backdoor.Tidserv.I!inf

    Location: c:\system volume information\_restore{98e46f0a-9da1-4258-92c4-7ccae5d21e6e}\RP979\A0147364.sys
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This is a System Restore point. Did you follow my directions above to set a new, clean restore point and remove the old ones?


    This is not active in the system and some day, I hope the people who write Norton programs will be smart enough to stop alarming all their subscribers about this infection. This board has a significant number of people who see this same thing.
  24. frogtag

    frogtag TS Rookie Topic Starter

    The more I'm thinking about it, I think I may have jumped the gun before at the end of the clean up and just cleaned up the C drive. Any how I've followed the instructions again and Norton hasn't picked it up (yet!) and hopefully won't.

    Thank you for all your help, it was very much appreciated, I don't know what I would have done without you.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. I thought you may not have run the removal yet.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.