MALWARE - SMART CHECK REMOVAL

I WENT THRU ALL SUGGESTED STEPS IN ORDER AND CANNOT REMOVE THIS ERROR I HAVE LISTED ALL LOGS BELOW PLEASE HELP I HAVE ALOT FILES ON THIS COMPUTER THAT ARE NOT BACKED UP

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.02.04

Windows Vista Service Pack 1 x86 FAT32
Internet Explorer 8.0.6001.19088
regina :: REGINA-NEW [administrator]

Protection: Enabled

5/2/2012 12:33:32 PM
mbam-log-2012-05-02 (12-33-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 698522
Time elapsed: 10 minute(s), 43 second(s)

Memory Processes Detected: 1
C:\Program Files\RadioRage_4j\bar\1.bin\4jbrmon.exe (PUP.MyWebSearch) -> 5160 -> Delete on reboot.

Memory Modules Detected: 5
C:\Program Files\RadioRage_4j\bar\1.bin\4jbrstub.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jauxstb.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jdlghk.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jieovr.dll (PUP.MyWebSearch) -> Delete on reboot.

Registry Keys Detected: 37
HKLM\SYSTEM\CurrentControlSet\Services\RadioRage_4jService (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{3c35ad63-af1d-4e21-b484-b6651a8efcf9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{5848763c-2668-44ca-adbe-2999a6ee2858} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5848763C-2668-44CA-ADBE-2999A6EE2858} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5848763C-2668-44CA-ADBE-2999A6EE2858} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5848763C-2668-44CA-ADBE-2999A6EE2858} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{6562e272-88e1-4dff-8ff8-fe1a05323d36} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{d0e90465-cf35-480d-b520-e1e3bde802f5} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{6D32BB6F-7969-48BF-836A-C14CDFC72D72} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{48909954-14fb-4971-a7b3-47e7af10b38a} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48909954-14FB-4971-A7B3-47E7AF10B38A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{48909954-14FB-4971-A7B3-47E7AF10B38A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{48909954-14FB-4971-A7B3-47E7AF10B38A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RadioRage_4jbar Uninstall (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E720452-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RadioRage_4j Browser Plugin Loader (PUP.MyWebSearch) -> Data: C:\PROGRA~1\RADIOR~2\bar\1.bin\4jbrmon.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{3C35AD63-AF1D-4E21-B484-B6651A8EFCF9} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RadioRage Search Scope Monitor (PUP.MyWebSearch) -> Data: "C:\PROGRA~1\RADIOR~2\bar\1.bin\4jsrchmn.exe" /m=2 /w /h -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{857A20DE-3964-AD7F-EC6C-FAD5D14FD9C8} (Spyware.Zeus) -> Data: C:\Users\Regina\AppData\Roaming\Caleud\usqaoz.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{32693763-EA66-5696-FA39-235A2F6A69BE} (Trojan.ZbotR.Gen) -> Data: C:\Users\Regina\AppData\Roaming\Boohs\obwuf.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 7
C:\Program Files\FunWebProducts (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Files Detected: 13
C:\Program Files\RadioRage_4j\bar\1.bin\4jbarsvc.exe (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jbrstub.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jbrmon.exe (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jauxstb.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jSrcAs.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jdlghk.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jieovr.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jbar.dll (PUP.MyWebSearch) -> Delete on reboot.
C:\Program Files\RadioRage_4j\bar\1.bin\4jSrchMn.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Regina\AppData\Roaming\Caleud\usqaoz.exe (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\Users\Regina\AppData\Local\Temp\37631306.exe (Spyware.Zeus) -> Quarantined and deleted successfully.
C:\Users\Regina\AppData\Local\Temp\tmp1ffc81f6.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (PUP.MyWebSearch) -> Quarantined and deleted successfully.

(end)
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.02.04

Windows Vista Service Pack 1 x86 FAT32
Internet Explorer 8.0.6001.19088
regina :: REGINA-NEW [administrator]

Protection: Enabled

5/2/2012 1:00:24 PM
mbam-log-2012-05-02 (13-00-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 697876
Time elapsed: 19 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-02 13:23:37
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD15 rev.04.0
Running: download[1].exe; Driver: C:\Users\Regina\AppData\Local\Temp\pwdcauod.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor \Device\Ide\iaStor0 [8B0CD580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 858EC1F8
Device \Driver\atapi \Device\Ide\IdePort1 858EC1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8B0CD580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8B0CD580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\a395j7w2 \Device\Scsi\a395j7w21Port4Path0Target0Lun0 874B7500
Device \Driver\a395j7w2 \Device\Scsi\a395j7w21 874B7500
Device 858ED1F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 87BEE1F8
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-02 13:25:43
-----------------------------
13:25:43.511 OS Version: Windows 6.0.6001 Service Pack 1
13:25:43.511 Number of processors: 2 586 0x1706
13:25:43.512 ComputerName: REGINA-NEW UserName: regina
13:25:44.403 Initialize success
13:27:28.845 AVAST engine defs: 12050200
13:27:56.315 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:27:56.317 Disk 0 Vendor: WDC_WD15 04.0 Size: 143089MB BusType: 3
13:27:56.328 Disk 0 MBR read successfully
13:27:56.330 Disk 0 MBR scan
13:27:56.337 Disk 0 Windows VISTA default MBR code
13:27:56.339 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
13:27:56.346 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 2048 MB offset 178176
13:27:56.357 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 140953 MB offset 4372480
13:27:56.361 Disk 0 scanning sectors +293044224
13:27:56.393 Disk 0 scanning C:\Windows\system32\drivers
13:28:01.069 Service scanning
13:28:10.437 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
13:28:14.966 Modules scanning
13:28:17.601 Disk 0 trace - called modules:
13:28:17.616 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys sper.sys hal.dll >>UNKNOWN [0x858a2938]<<
13:28:17.619 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86e3aac8]
13:28:17.623 3 CLASSPNP.SYS[8b593745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8595e028]
13:28:18.304 AVAST engine scan C:\Windows
13:28:19.720 AVAST engine scan C:\Windows\system32
13:30:44.291 AVAST engine scan C:\Windows\system32\drivers
13:30:50.905 AVAST engine scan C:\Users\Regina
13:57:30.268 AVAST engine scan C:\ProgramData
14:02:14.215 Scan finished successfully
14:02:41.859 Disk 0 MBR has been saved successfully to "M:\MBR.dat"
14:02:42.088 The log file has been saved successfully to "M:\aswMBR.txt"

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

• Please download DeFogger to your desktop.
  
  Double click DeFogger to run the tool.
  
• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.


Security Check

• Download Security Check by screen317 from here.
• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Download DDS:

• Please download DDS by sUBs from one of the links below and save it to your desktop:
  
  
  Download DDS and save it to your desktop
  
  Link1
  Link2
  Link3
  
  Please disable any anti-malware program that will block scripts from running before running DDS.
  
  
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

information and logs:

• In your next post I need the following
  
  
• .logs from DDS
• let me know of any problems you may have had

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
• do you need more time?
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.