Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mywebsearch / Funweb


  • This topic is locked This topic is locked
7 replies to this topic

#1 Krawlspace

Krawlspace

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 24 August 2007 - 01:33 PM

Greets to all and thanks in advance for the help!

XP SP2
Fully updated.
BSOD shortly after desktop loaded.
Several suspicious start up items noted and disabled which stopped BSOD.
Scanned with Panda ActiveScan; 70+ viruses reported along with myriad spyware and trojan items.
After repeated scans and manual removal methods, PC scans clean on updated AdAware, SpyBot S&D, and AVG.
Panda ActiveScan still reports the following:

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}

I can find no registry entry for either of these keys.
There is a user account that has been deleted, but which still has files in the Documents and Settings folder.
Could they be residual from that account?

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:17 PM, on 8/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\shauna\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:12 AM

Posted 29 August 2007 - 06:58 PM

Hello Krawlspace,

Let's see what might be in the registry :

Download the trial version of Spy Sweeper from
Here


Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Krawlspace

Krawlspace
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 04 September 2007 - 01:22 PM

Hi, Tea!
Thanks for the help!


12:36 PM: Removal process completed. Elapsed time 00:00:00
12:36 PM: Quarantining All Traces: core adware
12:36 PM: Quarantining All Traces: trojan-relayer-midlenet
12:36 PM: Removal process initiated
12:17 PM: Traces Found: 3
12:17 PM: Custom Sweep has completed. Elapsed time 00:24:39
12:17 PM: File Sweep Complete, Elapsed Time: 00:22:55
12:15 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb78f951e-e948-49db-97fb-4a2ae0eb54c9.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7c5f9f91-2df5-4685-9429-0c189ab51620.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms95faf268-8204-4bb1-8d75-4bb5e5a56c9f.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms99b7ba39-932c-4c7a-8862-b99bf08f25d4.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms008969e5-8ad3-476e-b34e-67aada995a68.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5b10e1b8-5fe7-40a7-aa16-b8f3b4338b26.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsf22d7dff-11f6-45e0-a8a6-6363942fa37c.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsddb445bd-91be-4259-b7d1-a54b0729973b.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc6125912-cbc4-4240-a201-65aaa4442a25.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms87e18a74-f30e-4f2c-8866-802d72f7fae1.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms678da5ee-0982-4028-86cd-4ad205c131b4.tmp". The operation completed successfully
12:14 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsd3eb1480-d498-40a7-8958-5bd52ee356d3.tmp". The operation completed successfully
12:13 PM: Warning: Failed to open file "c:\documents and settings\shauna\application data\mozilla\firefox\profiles\ziolmto4.default\parent.lock". The operation completed successfully
11:54 AM: Starting File Sweep
11:54 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:54 AM: Starting Cookie Sweep
11:54 AM: Registry Sweep Complete, Elapsed Time:00:00:14
11:54 AM: HKU\S-1-5-21-2502214043-2863034100-2360020318-1007\software\microsoft\internet explorer\security\ || host (ID = 2154848)
11:54 AM: HKU\S-1-5-21-2502214043-2863034100-2360020318-1007\software\microsoft\internet explorer\desktop\ || host (ID = 2154846)
11:54 AM: Found Trojan Horse: trojan-relayer-midlenet
11:54 AM: HKLM\system\currentcontrolset\services\tnidriver\ (ID = 2136507)
11:54 AM: Found Adware: core adware
11:53 AM: Starting Registry Sweep
11:53 AM: Memory Sweep Complete, Elapsed Time: 00:01:27
11:52 AM: Starting Memory Sweep
11:52 AM: Start Custom Sweep
11:52 AM: Sweep initiated using definitions version 981
Keylogger: Off
E-mail Attachment: On
11:45 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
11:45 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:45 AM: Shield States
11:45 AM: License Check Status (0): Success
11:45 AM: Spyware Definitions: 981
12:44 PM: Spy Sweeper 5.5.7.48 started
12:44 PM: Spy Sweeper 5.5.7.48 started
12:44 PM: | Start of Session, Tuesday, September 04, 2007 |
***************

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:12 AM

Posted 04 September 2007 - 06:38 PM

Hello,

You're welcome. :thumbsup:

Does the problem still exist? Let me know how it's running now, please. :flowers:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Krawlspace

Krawlspace
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 04 September 2007 - 07:15 PM

Hello, tea...
PC runs fine to my eyes, and scans clean on all aforementioned programs.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:12 AM

Posted 04 September 2007 - 07:51 PM

Excellent. :thumbsup:

Your Java is out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
There looks to be some good protection in place, so I'll leave you with the following :

http://mvps.org/winhelp2002/unwanted.htm

Take care,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Krawlspace

Krawlspace
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:02:12 AM

Posted 04 September 2007 - 08:46 PM

Many thanks, again !

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:12 AM

Posted 14 September 2007 - 10:08 AM

You're most welcome. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users