Inactive Bad Image Errors

[JulieAnne]

I also have the bad image errors causing me grief on my computer. I have followed the 8 step removal instructions but errors keep coming. I have pasted logs below & would really appreciate some help.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6147

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

24/03/2011 4:00:40 PM
mbam-log-2011-03-24 (16-00-40).txt

Scan type: Quick scan
Objects scanned: 149530
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\antivirus 2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\h4afrahh.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-24 16:10:31
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800BB-60JKA0 rev.05.01C05
Running: m8wg6yfn.exe; Driver: C:\DOCUME~1\JULIEM~1\LOCALS~1\Temp\fwwcaaoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Julie McCarthy at 16:17:13.37 on Thu 24/03/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.556 [GMT 11:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Documents and Settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Documents and Settings\Julie McCarthy\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uWindow Title = Internet Explorer from OptusNet
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - Yahoo! Companion BHO
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [<NO NAME>]
uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
mRun: [VTTimer] VTTimer.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [FaxCenterServer4_in_1] "c:\program files\lexmark 4200 series\fax\fm3032.exe" /s
mRun: [Lexmark 4200 Series] "c:\program files\lexmark 4200 series\lxbmbmgr.exe"
mRun: [EPSON PictureMate 500] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9TE.EXE /P21 "EPSON PictureMate 500" /O6 "USB002" /M "PictureMate 500"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [iTunesHelper] "c:\documents and settings\julie mccarthy\my documents\mum's ipod\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\clipsa~1.lnk - c:\program files\clipsal australia\clipsal ecatalogue edition 2\Clipsal_eCatalogue.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-24 517448]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-11-14 137344]
.
=============== Created Last 30 ================
.
2011-03-24 04:51:23 -------- d-----w- c:\docume~1\juliem~1\applic~1\Malwarebytes
2011-03-24 04:51:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 04:51:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-24 04:50:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 04:50:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-17 07:29:27 -------- d-----w- c:\docume~1\juliem~1\applic~1\Uniblue
2011-03-17 07:29:04 -------- d-----w- c:\program files\Uniblue
2011-03-17 07:28:42 -------- d-----w- c:\docume~1\juliem~1\locals~1\applic~1\PackageAware
2011-03-06 06:30:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\CanonIJ
2011-03-06 06:29:55 -------- d--h--w- c:\docume~1\alluse~1\applic~1\CanonIJScan
2011-02-28 07:07:43 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-28 07:07:04 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-02-28 07:06:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-02-28 07:06:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-02-28 07:06:31 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-02-28 07:06:31 117760 ------w- c:\windows\system32\prntvpt.dll
2011-02-28 07:06:30 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-02-28 07:06:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-02-28 07:06:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-02-28 07:06:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-02-27 00:56:26 -------- d-----w- c:\program files\Clipsal Australia
2011-02-27 00:56:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Clipsal Australia
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 10:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 08:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:21:34.60 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 13/03/2005 11:53:39 AM
System Uptime: 24/03/2011 4:02:10 PM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | A7V400-MX
Processor: AMD Athlon(tm) | Socket A | 1194/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 38.528 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 298 GiB total, 257.255 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia E52
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia E52
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
.
==== System Restore Points ===================
.
RP1560: 23/12/2010 7:59:29 PM - System Checkpoint
RP1561: 25/12/2010 11:59:24 AM - System Checkpoint
RP1562: 3/01/2011 6:00:33 PM - Software Distribution Service 3.0
RP1563: 7/01/2011 2:19:35 PM - Software Distribution Service 3.0
RP1564: 8/01/2011 2:40:49 PM - System Checkpoint
RP1565: 9/01/2011 3:03:19 PM - System Checkpoint
RP1566: 10/01/2011 4:00:38 PM - System Checkpoint
RP1567: 12/01/2011 10:27:50 AM - System Checkpoint
RP1568: 12/01/2011 6:01:26 PM - Software Distribution Service 3.0
RP1569: 13/01/2011 6:36:52 PM - System Checkpoint
RP1570: 15/01/2011 10:28:08 AM - System Checkpoint
RP1571: 16/01/2011 12:19:20 PM - System Checkpoint
RP1572: 17/01/2011 1:00:32 PM - System Checkpoint
RP1573: 17/01/2011 1:20:29 PM - Software Distribution Service 3.0
RP1574: 18/01/2011 2:52:08 PM - Software Distribution Service 3.0
RP1575: 19/01/2011 4:48:59 PM - System Checkpoint
RP1576: 20/01/2011 5:57:54 PM - System Checkpoint
RP1577: 22/01/2011 1:22:55 PM - System Checkpoint
RP1578: 23/01/2011 1:36:25 PM - System Checkpoint
RP1579: 24/01/2011 3:03:22 PM - System Checkpoint
RP1580: 25/01/2011 3:45:22 PM - System Checkpoint
RP1581: 26/01/2011 4:34:40 PM - System Checkpoint
RP1582: 27/01/2011 5:15:34 PM - System Checkpoint
RP1583: 29/01/2011 5:38:28 PM - System Checkpoint
RP1584: 30/01/2011 6:52:03 PM - System Checkpoint
RP1585: 31/01/2011 7:36:28 PM - System Checkpoint
RP1586: 1/02/2011 7:41:27 PM - System Checkpoint
RP1587: 2/02/2011 8:24:15 PM - System Checkpoint
RP1588: 3/02/2011 8:48:10 PM - System Checkpoint
RP1589: 4/02/2011 8:54:33 PM - System Checkpoint
RP1590: 5/02/2011 9:12:35 PM - System Checkpoint
RP1591: 6/02/2011 9:50:40 PM - System Checkpoint
RP1592: 8/02/2011 4:46:07 PM - System Checkpoint
RP1593: 9/02/2011 6:00:52 PM - Software Distribution Service 3.0
RP1594: 10/02/2011 6:21:43 PM - System Checkpoint
RP1595: 11/02/2011 6:35:08 PM - System Checkpoint
RP1596: 12/02/2011 6:36:17 PM - System Checkpoint
RP1597: 13/02/2011 7:19:26 PM - System Checkpoint
RP1598: 14/02/2011 7:37:04 PM - System Checkpoint
RP1599: 15/02/2011 8:46:25 PM - System Checkpoint
RP1600: 16/02/2011 9:35:01 PM - System Checkpoint
RP1601: 17/02/2011 9:41:55 PM - System Checkpoint
RP1602: 18/02/2011 9:45:21 PM - System Checkpoint
RP1603: 19/02/2011 9:56:04 PM - System Checkpoint
RP1604: 20/02/2011 10:32:21 PM - System Checkpoint
RP1605: 21/02/2011 10:37:35 PM - System Checkpoint
RP1606: 23/02/2011 8:04:32 PM - System Checkpoint
RP1607: 24/02/2011 8:38:10 PM - System Checkpoint
RP1608: 25/02/2011 9:19:41 PM - System Checkpoint
RP1609: 26/02/2011 9:59:13 PM - System Checkpoint
RP1610: 27/02/2011 11:54:25 AM - Removed Adobe Reader 9.
RP1611: 27/02/2011 11:55:05 AM - Installed Adobe Reader 9.4.0.
RP1612: 27/02/2011 11:56:23 AM - Installed Clipsal eCatalogue Edition 2.
RP1613: 28/02/2011 5:39:09 PM - System Checkpoint
RP1614: 28/02/2011 6:00:19 PM - Software Distribution Service 3.0
RP1615: 28/02/2011 6:33:09 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1616: 1/03/2011 6:00:20 PM - Software Distribution Service 3.0
RP1617: 2/03/2011 6:23:33 PM - System Checkpoint
RP1618: 3/03/2011 7:23:15 PM - System Checkpoint
RP1619: 4/03/2011 7:48:26 PM - System Checkpoint
RP1620: 5/03/2011 8:39:30 PM - System Checkpoint
RP1621: 6/03/2011 9:20:36 PM - System Checkpoint
RP1622: 7/03/2011 9:27:03 PM - System Checkpoint
RP1623: 8/03/2011 9:32:58 PM - System Checkpoint
RP1624: 9/03/2011 9:59:12 PM - System Checkpoint
RP1625: 9/03/2011 11:25:33 PM - Software Distribution Service 3.0
RP1626: 10/03/2011 11:36:30 PM - System Checkpoint
RP1627: 13/03/2011 11:25:07 AM - System Checkpoint
RP1628: 14/03/2011 12:05:30 AM - Installed Java(TM) 6 Update 24
RP1629: 15/03/2011 1:34:01 PM - System Checkpoint
RP1630: 16/03/2011 7:18:33 PM - System Checkpoint
RP1631: 16/03/2011 11:23:49 PM - Software Distribution Service 3.0
RP1632: 18/03/2011 4:23:04 PM - System Checkpoint
RP1633: 18/03/2011 6:00:19 PM - Software Distribution Service 3.0
RP1634: 20/03/2011 7:49:33 PM - System Checkpoint
RP1635: 21/03/2011 8:36:26 PM - System Checkpoint
RP1636: 23/03/2011 4:46:48 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
20 Hot Games Volume 2
ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 8.0
Adobe Reader 9.4.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2011
AVG PC Tuneup 2011
BigPond Broadband ADSL FAQ
BJ Printer Driver
Bonjour
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window MC 5 for ZoomBrowser EX
Canon Easy-WebPrint EX
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 3.0
Canon MP640 series MP Drivers
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities PhotoStitch 3.1
Canon Utilities Solution Menu
Canon ZoomBrowser EX
Cashflow Manager
Cashflow Manager 5
CD-LabelPrint
Clipsal eCatalogue Edition 2
Compatibility Pack for the 2007 Office system
e-tax 2009
e-tax 2010
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON PRINT Image Framer Tool
EPSON Printer Software
EPSON Scan Assistant
Facebook Plug-In
Fly Fishing with Cortland
Google Earth
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
ImageMixer3
iPod for Windows 2005-02-07
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 24
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Jezzball Deluxe
Lexmark 4200 Series
Lexmark 4200 Series Fax Solutions
Lexmark Fax Solutions
LimeWire 4.12.6
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Maxtor Manager
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MobileMe Control Panel
MovieEdit Task
MSN
MSN Toolbar
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Natural Color Pro
Nero Suite
Nokia Connectivity Cable Driver
Nokia Ovi Suite
Nokia Ovi Suite Software Updater
Nokia PC Suite
Norton Speed Disk 6.0 for Windows NT
Norton Utilities 2002 for Windows
Ovi Desktop Sync Engine
OviMPlatform
PC Connectivity Solution
PhotoStitch
PhotoStudio Expressions
PIF DESIGNER
PM500 User's Guide
print@camerahouse
QuickTime
RAW Image Task 2.1
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Safari
SAMSUNG CDMA Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
The Sims Deluxe Edition
TomTom HOME
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2467659)
Update for Windows XP (KB971029)
VC_MergeModuleToMSI
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
WebFldrs XP
Windows Driver Package - Nokia Modem (06/09/2010 4.5)
Windows Driver Package - Nokia Modem (06/09/2010 7.01.0.7)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage v1.3.0254.0
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
24/03/2011 4:13:27 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
24/03/2011 4:05:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: uagp35
24/03/2011 3:26:10 PM, error: Service Control Manager [7034] - The ServiceLayer service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:10 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Speed Disk service service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Maxtor Service service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Canon Inkjet Printer/Scanner/Fax Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:03 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:02 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:02 PM, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:02 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V8 service terminated unexpectedly. It has done this 1 time(s).
24/03/2011 3:26:02 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================

 

[Bobbye]

Welcome to TechSpot, Julie Anne! Look like you may have visited the FunWebSearch site! Maybe for themes, cursors, wallpaper, Smileys and other 'fun' things that all bring malware with them! So- please do not visit that site or similar ones, especially while I'm trying to clean with system.

Mbam found a variety of malware. Some entries for it were removed, but there will be others. But you need to do some Housekeeping first:

1. Java: You have outdated versions on the system. All of these are vulnerabilities, so they need to be removed:
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 24>> this is the current version, but it will be removed. You will need to use the link to download v6u24 again.
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Please download JavaRa and unzip it to your desktop.
Important!
***Please close any instances of Internet Explorer before continuing!***

• Double-click on JavaRa.exe to start the program.
• From the drop-down menu, choose English and click on Select.
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
• Click Yes when prompted. When JavaRa is done, a notice will appear that
  a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location.

Then download and install then most current version and update of Java Runtime Environment (JRE) HERE.
============================================
P2P or 'file sharing Warning:> LimeWire
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
===========================================
I note 4 Symantec entries:
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Norton Speed Disk 6.0 for Windows NT
Norton Utilities 2002 for Windows
If you are using only the utilities, okay. But live update is usually for the AV> Here is a tool you can run to remove the program if this has the AV:
[*]Norton Removal Tool
If you use this, please reboot the computer when through.
===========================================
Combofix will pick up more entries, but you will have to uninstall AVG to run it.

Download AppRemover and save to the desktop]
How to Use AppRemover to Remove a Complete Security Application

1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
   https://www.techspot.com/downloads/5514-appremover.htmlabout/chooseuninstall.gif/image_preview[/img[*] Click on [b]Next[/b] after choice has been made
   [*] Check the AVG program you want to uninstall
   [*] After uninstall shows complete, follow online prompts to Exit the program.[/list]
   [B]Temporary AV:[/B]
   [url=http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914][b][color=blue]Avira-AntiVir-Personal-Free-Antivirus[/b][/color][/url]
   [URL="http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button"][B][COLOR="RoyalBlue"]Avast Free Version[/COLOR][/B][/URL]
   =========================================
   [b]Download Combofix from [url=http://www.bleepingcomputer.com/download/anti-virus/combofix]HERE[/url] or [url=http://www.forospyware.com/sUBs/ComboFix.exe]HERE[/b][/url] and save to the desktop[list]
   [*]Double click combofix.exe & follow the prompts.
   [*] ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
   [b]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.[/b]
   [*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
   [*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
   [*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
   [img]http://img.photobucket.com/albums/v706/ried7/whatnext.png
5. .Click on Yes, to continue scanning for malware
6. .If Combofix asks you to update the program, allow
7. .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
8. .Close any open browsers.
9. .Double click combofix.exe
   
   & follow the prompts to run.
10. When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

[JulieAnne]

Thanks Bobbye

I have gone through all the steps you suggested and will paste combofix log below. The only thing I had trouble with was the symantec entries which I have left as is. I went to the link but could not work out which tool was needed. None of them seemed to match my requirements. I have also noticed, when I uninstalled Limewire, that there still seemed to be multiple versions of Java. Not sure if I need to run JavaRa again or not. It did say it was completed at the end.

I am pleased to report that the Bad Image errors seem to have ceased. Do I need to do anything else now or is my system now clean.

ComboFix 11-03-25.01 - Julie McCarthy 26/03/2011 14:17:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.755 [GMT 11:00]
Running from: c:\documents and settings\Julie McCarthy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_USNJSVC
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-02-26 to 2011-03-26 )))))))))))))))))))))))))))))))
.
.
2011-03-26 02:27 . 2011-03-26 02:27 -------- d-----w- c:\documents and settings\Julie McCarthy\Logs
2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Malwarebytes
2011-03-24 04:51 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-24 04:50 . 2011-03-24 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 04:50 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-17 07:29 . 2011-03-17 07:29 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Uniblue
2011-03-17 07:29 . 2011-03-17 07:29 -------- d-----w- c:\program files\Uniblue
2011-03-17 07:28 . 2011-03-17 07:28 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\PackageAware
2011-03-13 13:05 . 2011-03-13 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-06 06:30 . 2011-03-06 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2011-03-06 06:29 . 2011-03-06 06:34 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Canon
2011-02-28 07:07 . 2011-02-28 07:07 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-28 07:07 . 2011-02-28 07:07 -------- d-----w- c:\program files\MSBuild
2011-02-28 07:07 . 2011-02-28 07:07 -------- d-----w- c:\program files\Reference Assemblies
2011-02-28 07:07 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-02-28 07:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-02-28 07:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-02-28 07:06 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-02-28 07:06 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-02-28 07:06 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-02-28 07:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-02-28 07:06 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-02-28 07:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-02-27 00:56 . 2011-02-27 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Clipsal Australia
2011-02-27 00:56 . 2011-02-27 00:56 -------- d-----w- c:\program files\Clipsal Australia
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 10:40 . 2010-06-20 13:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 08:19 . 2007-05-19 13:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2005-03-13 00:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-03-13 00:44 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-09-01 672632]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"EPSON PictureMate 500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE" [2004-10-17 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clipsal eCatalogue Edition 2.lnk - c:\program files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe [2010-11-5 6238208]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-8-28 49220]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
backup=c:\windows\pss\ImageMixer HDD Camera Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-06-04 11:33 1400944 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 05:53 141608 ----a-w- c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 00:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2007-03-14 05:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Julie McCarthy\\My Documents\\Mum's Ipod\\iTunes.exe"=
.
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/10/2009 5:45 AM 169312]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [14/11/2010 2:19 PM 137344]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
AddRemove-{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1 - c:\program files\AVG\AVG PC Tuneup 2011\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 14:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\PhotoStudio Expressions\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\VTTimer.exe
c:\program files\Lexmark 4200 Series\lxbmbmon.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Speed Disk\nopdb.exe
c:\documents and settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Common Files\Nokia\NoA\nokiaaserver.exe
.
**************************************************************************
.
Completion time: 2011-03-26 14:34:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-26 03:34
.
Pre-Run: 42,260,746,240 bytes free
Post-Run: 42,223,468,544 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 0358EC0143A4B93D268122A87E0B2CE7

 

[Bobbye]

A deletion in the Combofix log for Drive F indicates you may have been using a flash drive. You will need to disinfect it:

These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives

1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
   Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
4. Wait until it has finished scanning and then exit the program.
5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Questions
1. Which program do you want to keep for the antivirus? Do you plan to reinstall AVG?
2. Are you using the Uniblue Registry Cleaner? I recommend it be uninstalled
3. You have MyWebSearch email plug in loading. This is malware.

Let me know about #1 and #2. I will set up script to remove the appropriate entries in Combofix.

Just as an FYI: you are loading processes for many programs that don't need to start on boot and run in the background:
Photo programs: Epsom
Printers> Canon and Lexmark
Lexmark Fax
Canon scanner
etc.

 

[JulieAnne]

Hi Bobbye

I have completed disinfecting.
In answer to your questions I have reinstalled the AVG, I am not using the UniBlue Registry Cleaner & have no idea as to where the MyWebSearch email plug has come from. I might add that although this computer is mine, I do have a couple of adult age children who also have access to this machine.
Thanks again for your help.

 

[Bobbye]

Okay then, let's get rid of the adware/spyware: Before you run the script below, remove any MyWebSearch and 180Search Assistant entries from the Startup menu using msconfig:

• Click on Start> Run> type in msconfig> enter>
  
  
• Click on Selective Startup
• Choose the Startup tab:
  
  
  
  All images courtesy NetSquirrel
• To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
• Uncheck any processes for MyWebSearch and 180SearchAssistant
• Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
=========================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

File::
Folder::
c:\documents and settings\Julie McCarthy\Application Data\Uniblue
c:\program files\Uniblue
c:\documents and settings\All Users\Application Data\McAfee
Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Show Hidden Files and Folders in Windows 7:

• Click on the Start button and select Computer
• Press the Alt key on your keyboard and click on Tools
• Select Folder Options
• Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
• Next, uncheck the box next to Hide protected operating system files (Recommended)
• Then, uncheck the box next to Hide extensions for known filetypes
• Click Apply then click OK

==================================
Go right on to the following without a reboot:
Part 1>Addons
MyWebSearch Email Plugin and 180SearchAsistant:
Check Addons in the browser tools> look in both the 'addons now on the system' and addons previously on the system> Highlight and Disable any addons for MyWebSearch and 180SearchAssistant.

Note: This plugin appears both in the docs & settings Start Menu for All Users & Julie Anne.
===================================
Part 2>Add/Remove Programs Feature

1. Go to Start menu and click on Control Panel.
2. Double-click on Add/Remove Programs icon.
3. Scroll down to 180 Search Assistant and click on it to highlight.
4. Do the same for any MyWebSearch entry
5. Click on Uninstall button.

Part 3>Removing 180 Search Assistant Remaining Files

1. Go to Start menu and click on Search.
2. Select All Files and Folders option.
3. Type nCaseInstaller.class and hit Enter. Delete the found file.
4. Repeat for 180AInstaller.class and ZangoInstaller.class files.
5. Restart your computer.

Part 4: Confirming removal.

1. Go to Start menu and click on Search.
2. Select All Files and Folders option.
3. Enter msbb in "All or part of the file name:"
4. Click "Search"
5. Wait for full results.
6. do a right click> Delete if any of the install files remain in "C:\Program Files\180Solutions" and prefetch files in "C:\WINDOWS\Prefetch".

Important! Go back and rehide the files and folders!
==============================================
Update Adobe Reader to current update. Uninstall any earlier updates as they are vulnerabilities.

 

[JulieAnne]

Hi Bobbye
Have completed instructions, log pasted below.
When I went through parts 1 -4 i didn't find any files to delete.

ComboFix 11-04-02.03 - Julie McCarthy 03/04/2011 20:55:56.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.765 [GMT 10:00]
Running from: c:\documents and settings\Julie McCarthy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Julie McCarthy\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\McAfee
c:\documents and settings\All Users\Application Data\McAfee\MCLOGS\Common\MsiExec\MsiExec000.log
c:\documents and settings\Julie McCarthy\Application Data\Uniblue
c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\backup\20110317.183720.zip
c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\error.log
c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\history\20110317-183645_repair.xml
c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\history\latest_scan_results.html
c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\last_scan.dat
c:\documents and settings\Julie McCarthy\Application Data\Uniblue\RegistryBooster\settings.dat
c:\program files\Uniblue
F:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-03-28 08:42 . 2011-03-28 08:42 -------- d-sh--w- c:\documents and settings\Julie McCarthy\UserData
2011-03-26 04:04 . 2011-03-26 04:04 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\AVG10
2011-03-26 03:59 . 2011-04-03 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-26 03:52 . 2011-03-31 11:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-26 02:27 . 2011-03-26 02:27 -------- d-----w- c:\documents and settings\Julie McCarthy\Logs
2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Malwarebytes
2011-03-24 04:51 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-24 04:50 . 2011-03-24 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 04:50 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-17 07:28 . 2011-03-17 07:28 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\PackageAware
2011-03-12 01:28 . 2011-03-12 01:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-03-06 06:30 . 2011-03-06 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2011-03-06 06:29 . 2011-03-06 06:34 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Canon
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 10:40 . 2010-06-20 13:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 08:19 . 2007-05-19 13:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2005-03-13 00:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-03-13 00:44 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-09-01 672632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"EPSON PictureMate 500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE" [2004-10-17 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clipsal eCatalogue Edition 2.lnk - c:\program files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe [2010-11-5 6238208]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-8-28 49220]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
backup=c:\windows\pss\ImageMixer HDD Camera Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-06-04 11:33 1400944 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 05:53 141608 ----a-w- c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 00:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2007-03-14 05:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Julie McCarthy\\My Documents\\Mum's Ipod\\iTunes.exe"=
.
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [14/11/2010 1:19 PM 137344]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 21:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-03 21:17:13
ComboFix-quarantined-files.txt 2011-04-03 11:17
ComboFix2.txt 2011-03-26 03:34
.
Pre-Run: 41,484,107,776 bytes free
Post-Run: 41,544,368,128 bytes free
.
- - End Of File - - 8B1CE3B3997F7133E3830E446CF91387

 

[Bobbye]

JulieAnne, this is still showing in the Combofix delete: F:\autorun.inf. Did you use the flash drive again on the system before it was disinfected? Or have you connected any other removable drive like a phone? That should be included in the flash disinfect> all movable drives.

 

[JulieAnne]

Hi Bobbye
As far as I know nothing has been plugged in, in the last couple of weeks. I did plug in my ipod tonight but that's all I know of. What now?

 

[Bobbye]

What is the F Drive?

 

[JulieAnne]

The F drive appears to be the Maxtor external hard drive.

 

[Bobbye]

Okay, that drive is infected. Please run the Flash Disinfector and follow prompts for other removable drives.
First Combofox scan shows>((( Other Deletions )))F:\Autorun.inf
Second Combofix scan, with the script shows deletions that I set up with script and also shows>(((Other Deletions)))F:\Autorun.inf>> again, not as 'previous.'

This is being loaded from the Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

This drive is being loaded on Startup. If it is infected and is connected to the computer, it can reinfect the computer.
=================================
Due to the extensive MyWebSearch infection and continuing entries, please do the following: Note: You may not find all of these entries. That's okay. Handle the ones you do find:

First, uninstall the My Web Search option from Add/Remove Programs
1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts if found:

• My Web Search (Smiley Central or FWP product as applicable)
• My Way Speedbar (Smiley Central or other FWP as applicable)
• My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
• My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
• Search Assistant - My Way

4) Reboot your Computer and run HijackThis
===========================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.

• Extract it to a directory on your hard drive called c:\HijackThis.
• Then navigate to that directory and double-click on the hijackthis.exe file.
• When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Save that log to your desktop.

-----------------------------------------------------
Reopen HijackThis to do system scan only.' Check each of the following if found:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - Crogram FilesMyWebSearchSrchAstt1.binMWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - Crogram FilesMyWebSearchSrchAstt1.binMWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - Crogram FilesMyWebSearchbar1.binMWSBAR.DLL
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - Crogram FilesMyWebSearchbar1.binMWSBAR.DLL
O4 - HKLM..Run: [MyWebSearch Email Plugin] CROGRA~1MYWEBS~1bar1.binmwsoemon.exe
O4 - HKCU..Run: [MyWebSearch Email Plugin] CROGRA~1MYWEBS~1bar1.binmwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk=CrogramFilesMyWebSearchbar1.bin MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = Crogram FilesMyWebSearchbar1.bin MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p ZWYYYYYYYYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyWebSearchInitialSetup1.0.0.8-2.cab

Close all Windows except HijackThis and click on "Fix Checked"

Delete program folders:
Using Windows Explorer (Windows key + e)> Open My Computer> Local Drive(C)> double-click on the Program Files folder
Right-click and delete the folders for:

• FunWebProducts
• MyWebSearch

============================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.

MyWebSearch should now be completely uninstalled from your computer.

Note: To prevent this in the uture, I advise you to also stay away from:
Other FunWebProducts
Smiley Central Removal
Cursor Mania Removal
FunBuddyIcons Removal
My Mail Stationery Removal
My Mail Signature Removal
My Mail Stamps Removal
Popular Screensavers Removal
Webfetti Removal

Let me know how you're doing.

 

[JulieAnne]

Hi Bobbye
I have completed all suggested steps & I noticed that the log still has F:\Autorun.inf under deletions. Has this done the job or is the computer still infected?
When I did the went to the add/remove programs, I didn't find any of the items you listed.
I also didn't find anything with HijackThis.
I found nothing in the program files.
I did do a search for any files with My WebSearch or FunWebProducts in the name, and found 3 items which I deleted.
The results of the ComboFix are pasted below.
ComboFix 11-04-09.01 - Julie McCarthy 10/04/2011 16:27:08.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.767 [GMT 10:00]
Running from: c:\documents and settings\Julie McCarthy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Julie McCarthy\Desktop\CFScript.txt.1.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Julie McCarthy\WINDOWS
c:\hijackthis\HijackThis.exe
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 )))))))))))))))))))))))))))))))
.
.
2011-04-10 05:42 . 2011-04-10 05:42 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\Temp
2011-04-08 08:07 . 2011-04-08 08:07 -------- d-sh--w- c:\documents and settings\Julie McCarthy\UserData
2011-04-07 12:42 . 2011-04-10 06:34 -------- d-----w- C:\HijackThis
2011-04-05 12:03 . 2011-04-05 12:03 -------- d-----w- c:\program files\Bonjour
2011-04-05 12:01 . 2011-04-05 13:38 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-04-05 11:59 . 2011-04-05 11:59 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-04-05 11:58 . 2011-04-05 11:59 -------- d-----w- c:\program files\QuickTime
2011-04-03 12:37 . 2011-04-03 12:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJEGV
2011-04-03 12:28 . 2011-04-03 12:28 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-26 04:04 . 2011-03-26 04:04 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\AVG10
2011-03-26 03:59 . 2011-04-10 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-26 03:52 . 2011-04-03 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-26 02:27 . 2011-03-26 02:27 -------- d-----w- c:\documents and settings\Julie McCarthy\Logs
2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\Julie McCarthy\Application Data\Malwarebytes
2011-03-24 04:51 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 04:51 . 2011-03-24 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-24 04:50 . 2011-03-24 04:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 04:50 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-17 07:28 . 2011-03-17 07:28 -------- d-----w- c:\documents and settings\Julie McCarthy\Local Settings\Application Data\PackageAware
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 10:40 . 2010-06-20 13:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 08:19 . 2007-05-19 13:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2005-03-13 00:44 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-03-13 00:44 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-03_11.08.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-10 06:18 . 2011-04-10 06:18 16384 c:\windows\Temp\Perflib_Perfdata_25c.dat
+ 2011-04-05 12:08 . 2011-02-18 06:36 41984 c:\windows\system32\DRVSTORE\usbaapl_05A32DBD3911A2EF4222EF5BE7BB535FAB37D6C4\usbaapl.sys
+ 2011-04-05 12:08 . 2010-04-19 10:29 18432 c:\windows\system32\DRVSTORE\netaapl_8A27A03003759CB01567E831096473C330131D64\netaapl.sys
+ 2010-10-07 02:23 . 2010-10-07 02:23 91424 c:\windows\system32\dnssd.dll
- 2010-05-18 06:35 . 2010-05-18 06:35 91424 c:\windows\system32\dnssd.dll
+ 2011-04-03 12:28 . 2011-04-03 12:28 28160 c:\windows\Installer\107ca9.msi
+ 2010-11-10 02:49 . 2010-11-10 02:49 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\ViewerPS.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\reader_sl.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 84896 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlr.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\eula.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrotextextractor.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32Info.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 62376 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acroiehelpershim.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroIEHelper.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\Acrofx32.dll
+ 2010-10-07 02:23 . 2010-10-07 02:23 197920 c:\windows\system32\dnssdX.dll
- 2010-05-18 06:35 . 2010-05-18 06:35 197920 c:\windows\system32\dnssdX.dll
+ 2010-10-07 02:23 . 2010-10-07 02:23 107808 c:\windows\system32\dns-sd.exe
- 2010-05-18 06:35 . 2010-05-18 06:35 107808 c:\windows\system32\dns-sd.exe
+ 2011-04-05 12:02 . 2011-04-05 12:02 811520 c:\windows\Installer\61c59.msi
+ 2011-04-05 12:04 . 2011-04-05 12:04 897024 c:\windows\Installer\{C73F2967-062E-48F2-A462-D335B8950183}\SafariIco.exe
+ 2011-04-05 12:14 . 2011-04-05 12:14 380928 c:\windows\Installer\{2A697B53-0DE3-42DA-B41D-C3F804B1C538}\iTunesIco.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 390552 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\pdfshell.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 101288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\PDFPrevHndlrShim.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 135568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\nppdf32.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 681872 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\JP2KLib.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AiodLite.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 702352 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroPDF.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 294808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\acrobroker.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\a3dutils.dll
+ 2011-04-05 12:08 . 2011-02-18 06:36 4184352 c:\windows\system32\DRVSTORE\usbaapl_05A32DBD3911A2EF4222EF5BE7BB535FAB37D6C4\usbaaplrc.dll
+ 2011-04-05 12:08 . 2010-04-19 10:29 1461992 c:\windows\system32\DRVSTORE\netaapl_8A27A03003759CB01567E831096473C330131D64\wdfcoinstaller01009.dll
+ 2011-04-05 12:14 . 2011-04-05 12:14 5448704 c:\windows\Installer\62539.msi
+ 2011-04-05 12:08 . 2011-04-05 12:08 3085312 c:\windows\Installer\61d70.msi
+ 2011-04-05 12:05 . 2011-04-05 12:05 1710592 c:\windows\Installer\61cd9.msi
+ 2011-04-05 12:04 . 2011-04-05 12:04 3140608 c:\windows\Installer\61cb7.msi
+ 2011-04-05 12:03 . 2011-04-05 12:03 1984000 c:\windows\Installer\61c80.msi
+ 2011-04-05 11:59 . 2011-04-05 11:59 9472000 c:\windows\Installer\61c25.msi
+ 2011-04-03 12:02 . 2011-04-03 12:02 3272704 c:\windows\Installer\41cf70.msi
+ 2011-04-03 11:59 . 2011-04-03 11:59 1611776 c:\windows\Installer\41cf6c.msi
+ 2011-04-03 12:32 . 2011-04-03 12:32 2283008 c:\windows\Installer\107e8e.msi
+ 2010-11-10 02:49 . 2010-11-10 02:49 2207632 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\rt3d.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 6222744 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\authplay.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 5503368 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AGM.dll
+ 2010-11-10 02:49 . 2010-11-10 02:49 1216416 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AdobeCollabSync.exe
+ 2010-11-10 02:49 . 2010-11-10 02:49 1289624 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.exe
+ 2011-01-30 20:44 . 2011-01-30 20:44 12425728 c:\windows\Installer\107e8f.msp
+ 2010-11-10 02:49 . 2010-11-10 02:49 23724952 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0000000010\10.0.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-09-01 672632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"FaxCenterServer4_in_1"="c:\program files\Lexmark 4200 Series\Fax\fm3032.exe" [2004-01-22 151552]
"Lexmark 4200 Series"="c:\program files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 57344]
"EPSON PictureMate 500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE" [2004-10-17 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clipsal eCatalogue Edition 2.lnk - c:\program files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe [2010-11-5 6238208]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-8-28 49220]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer HDD Camera Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer HDD Camera Monitor.lnk
backup=c:\windows\pss\ImageMixer HDD Camera Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Julie McCarthy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Julie McCarthy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-06-04 11:33 1400944 ------w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 05:33 421160 ----a-w- c:\documents and settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 06:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 07:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2007-03-14 05:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Julie McCarthy\\My Documents\\Mum's Ipod\\iTunes.exe"=
.
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/10/2009 4:45 AM 169312]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [14/11/2010 1:19 PM 137344]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-10 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-10 16:38:50
ComboFix-quarantined-files.txt 2011-04-10 06:38
ComboFix2.txt 2011-04-03 11:17
ComboFix3.txt 2011-03-26 03:34
.
Pre-Run: 41,557,463,040 bytes free
Post-Run: 41,548,886,016 bytes free
.
- - End Of File - - D4E70B25C2C225AC184750C4B6DEF341

 

[Bobbye]

First: Don't be upset because you could find some of the entries! That's a good thing- it means they have been removed. Sometimes a removal doesn't include all the entries so we look for them to delete if present. That's why we add to HijackThis "if found."

I am puzzled by these entries. According to your log, You have had QuickTime on the system since 2010. But the following shows the program installed again on 2011-04-05 11:59
c:\program files\QuickTime
And the most puzzling of all is that all of the following plugins for QuickTime, on the same date, were added to Internet Explorer but the plugs ins are for Firefox!. See the np at the beginning of each .dll file? That refers to Firefox!
c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
[/b]
The plugins are all related to QuickTime.
But I see a Registry entry for an earlier datw:
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
===============================
About MyWebSearch Email Plugin I'd like you to run HijackThis: I should see this in that log and can instruct you in what to check for removal:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.

• Extract it to a directory on your hard drive called c:\HijackThis.
• Then navigate to that directory and double-click on the hijackthis.exe file.
• When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

 

[JulieAnne]

Hi Bobbye
HijackThis log pasted below.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:09:03 PM, on 11/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Documents and Settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Documents and Settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Documents and Settings\Julie McCarthy\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [EPSON PictureMate 500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TE.EXE /P21 "EPSON PictureMate 500" /O6 "USB002" /M "PictureMate 500"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Julie McCarthy\My Documents\Mum's Ipod\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Clipsal eCatalogue Edition 2.lnk = C:\Program Files\Clipsal Australia\Clipsal eCatalogue Edition 2\Clipsal_eCatalogue.exe
O4 - Global Startup: NCProTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B295DE9-84EF-437E-A9C1-498858A51F99}: Domain = vic.bigpond.net.au
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Julie McCarthy\My Documents\jess\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 12106 bytes

 

[Bobbye]

I had hope I'd see MyWebSearch email plugin in HJT, but no such luck! So we're going to try one more way to remove it where it's hiding:

Using Windows Explorer (Windows key + E) go to My Computer> Double click on Local Drive(C)> Click on Windows> Find the pss folder and double click to open> you will see entries similar to these: Do not click on any of these entries

boot.ini.backup
Digital Line Detect.InkCommon
dlbcserv.InkCommon Startup
Microsoft Office.InkCommon Startu
system.ini.backup
win.ini.backup

Look for MyWebSearch Email Plugin> if found, do a right click> Delete. If you see more than one entry (it shows in All Users and JulieMcCarthy's account) do the right click> Delete

If it's not there, don't worry.

Also look in the Documents & Settings folders> Startup entries for both All Users and Julie McC for the same MyWebSearch Email plugin. If you see this in either folder, do the same right click> Delete.

Again, if it's not there, don't worry.
===================================================
Are you aware that you are loading 3 printers/scanners/copiers/faxes?
Lexmark,Canon and Epsom. Are you using all three of these? If not, you should uninstall those you are not using. Then let me know which you took off and I'll include script to remove any remaining entries.

Do any of the malware related problems remain?