
MyWay.MyWebSearch Infection


  • This topic is locked
16 replies to this topic

#1 jsos1298

  • Members
  • 20 posts

Posted 31 December 2008 - 02:41 PM

I am having trouble removing the MyWay.MyWebSearch malware from my computer. I initially found it by using Spybot. However, Spybot gave the following message:

Some problems couldn't be fixed; the reason could be that the associated files are still in use(in memory).
This could be fixed after a restart.
May Spybot-S&D run on your next system startup?

After startup the problem still existed. I contacted Bleeping Computer and have since run ATF, SAS, Malwarebytes, and Spybot, some of them in safe mode.

Unfortunately the problem is still there so I was told to make a HJT log and post it here. That can be found below.

Thank you for your help.

Jim

DDS (Version 1.1.0) - NTFSx86
Run by Jim at 13:24:55.75 on Wed 12/31/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1222 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - No File
TB: {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Dell AIO Printer A960] "c:\program files\dell aio printer a960\dlbfbmgr.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: HideClock = 0 (0x0)
dPolicies-explorer: HideClock = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMDwUMf

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-19 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081229.003\naveng.sys [2008-12-29 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081229.003\navex15.sys [2008-12-29 876112]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2008-12-31 00:27 <DIR> --d----- c:\program files\uTorrent
2008-12-30 15:05 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2008-12-30 15:02 <DIR> --d----- c:\windows\ERUNT
2008-12-30 14:53 <DIR> --d----- C:\SDFix
2008-12-30 00:26 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-19 12:54 <DIR> --d----- c:\program files\Trend Micro
2008-12-18 23:11 <DIR> --d----- c:\program files\Bonjour
2008-12-14 17:45 178 a------- c:\windows\wininit.ini
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-09 13:39 <DIR> --d----- C:\audiograbber

==================== Find3M ====================

2008-12-31 13:10 17,408 a------- c:\windows\system32\rpcnetp.exe
2008-12-31 09:34 47,104 a------- c:\windows\system32\rpcnet.dll
2008-12-30 15:13 17,408 a------- c:\windows\system32\rpcnetp.dll
2008-12-13 23:04 47,104 a------- c:\windows\system32\rpcnet.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-18 15:39 274,432 a------- c:\windows\system32\TubeFinder.exe
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-25 11:16 364,544 a------- c:\windows\system32\WDBtnMgr.exe
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-02 16:36 32,256 a------- c:\windows\system32\identprv.dll
2008-07-09 21:08 87,608 a------- c:\docume~1\jim\applic~1\inst.exe
2008-07-09 21:08 47,360 a------- c:\docume~1\jim\applic~1\pcouffin.sys
2008-03-24 12:05 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-20 06:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 13:25:22.00 ===============

Attached Files
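The DDS log above shows two things a helper scans for first: browser helper objects and toolbars whose DLL is gone ("No File"), and an LSA Authentication Packages list that contains more than msv1_0. As an added example (not the DDS tool's own code and not from the thread), the Python below parses those lines out of a "Pseudo HJT Report" section and flags both conditions. The baseline set and the sample lines, copied from the log posted above, are assumptions made for illustration.

```python
import re

# Assumption: on a stock Windows XP install the only LSA authentication
# package is msv1_0; anything else in that list deserves a closer look.
BASELINE_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_LOG = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - No File
TB: {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
Notify: NavLogon - c:\\windows\\system32\\NavLogon.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\qoMDwUMf
"""

# BHO/TB lines look like "BHO: <name>: {CLSID} - <dll>" or "TB: {CLSID} - <dll>".
# "No File" means the registered DLL is gone, so the registration is an orphan.
ORPHAN_RE = re.compile(r"^(?:BHO|TB): (?:.*?: )?(\{[0-9A-Fa-f-]+\}) - No File$", re.M)
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.*)$", re.M)


def orphan_clsids(log_text):
    """CLSIDs of BHO/toolbar registrations whose DLL no longer exists."""
    return ORPHAN_RE.findall(log_text)


def unexpected_auth_packages(log_text, baseline=BASELINE_AUTH_PACKAGES):
    """LSA authentication packages that are not in the baseline set.

    DDS prints the REG_MULTI_SZ entries separated by spaces. A path that
    itself contains a space is split into two tokens here; both tokens are
    still flagged, so nothing is missed, the report is just coarser.
    """
    match = LSA_RE.search(log_text)
    if not match:
        return []
    return [pkg for pkg in match.group(1).split() if pkg.lower() not in baseline]


def report(log_text):
    """Summary lines for a human reader; returned so callers can inspect them."""
    lines = [f"orphan BHO/TB entry: {clsid}" for clsid in orphan_clsids(log_text)]
    lines += [f"non-baseline LSA auth package: {pkg}"
              for pkg in unexpected_auth_packages(log_text)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample it reports the three orphan CLSIDs and the extra LSA entry; pointing it at a full DDS log works the same way because both patterns are anchored to line starts and ignore the other sections.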


#2 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 10 January 2009 - 08:38 PM

Welcome to BC :thumbsup:

Sorry for the delay

Please post a fresh DDS log. Thanks
Microsoft MVP Consumer Security--2007-2010

#3 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 11 January 2009 - 09:45 AM

Thanks for getting back to me. Here are the new DDS logs as requested.


DDS (Version 1.1.0) - NTFSx86
Run by Jim at 8:36:43.18 on Sun 01/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1273 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - No File
TB: {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Dell AIO Printer A960] "c:\program files\dell aio printer a960\dlbfbmgr.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: HideClock = 0 (0x0)
dPolicies-explorer: HideClock = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMDwUMf

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-22 55024]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-19 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-4 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20090108.007\naveng.sys [2009-1-8 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20090108.007\navex15.sys [2009-1-8 876112]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-01-02 22:03 499 a------- c:\windows\eReg.dat
2009-01-02 22:03 33,792 a----r-- c:\windows\NPSExec.exe
2008-12-31 00:27 <DIR> --d----- c:\program files\uTorrent
2008-12-30 15:05 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2008-12-30 15:02 <DIR> --d----- c:\windows\ERUNT
2008-12-30 14:53 <DIR> --d----- C:\SDFix
2008-12-30 00:26 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-19 12:54 <DIR> --d----- c:\program files\Trend Micro
2008-12-18 23:11 <DIR> --d----- c:\program files\Bonjour
2008-12-14 17:45 178 a------- c:\windows\wininit.ini
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-11 08:32 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-01-11 08:32 47,104 a------- c:\windows\system32\rpcnet.dll
2008-12-30 15:13 17,408 a------- c:\windows\system32\rpcnetp.dll
2008-12-13 23:04 47,104 a------- c:\windows\system32\rpcnet.exe
2008-12-03 19:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-18 15:39 274,432 a------- c:\windows\system32\TubeFinder.exe
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 16:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 16:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 16:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 16:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-25 11:16 364,544 a------- c:\windows\system32\WDBtnMgr.exe
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-07-09 21:08 87,608 a------- c:\docume~1\jim\applic~1\inst.exe
2008-07-09 21:08 47,360 a------- c:\docume~1\jim\applic~1\pcouffin.sys
2008-03-24 12:05 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-20 06:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 8:37:16.31 ===============

Attached Files



#4 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 11 January 2009 - 09:09 PM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    :reg
    [HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 
    :commands
    [emptytemp]
    [start explorer]
  • Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Click Ok to allow OTMoveIt3 to reboot your machine.
  • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3
How is everything running?
Microsoft MVP Consumer Security--2007-2010
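The :reg section in the fix above writes the LSA "Notification Packages" value as a .reg-style hex(7) string, which is how REG_MULTI_SZ data is exported: each string NUL-terminated, the list closed by one more NUL. As an added example (not part of OTMoveIt3 and not from the thread), this Python decodes and encodes that format so a value can be checked before and after such a fix; the expected default list and the tampered sample are constructed assumptions. It goes beyond the single-byte value shown in the script and also accepts UTF-16LE hex(7), which is what a "Windows Registry Editor Version 5.00" export produces.

```python
# Assumption: on a stock Windows XP install the LSA "Notification Packages"
# list contains only scecli, which is the value the fix above writes back.
EXPECTED_NOTIFICATION_PACKAGES = ["scecli"]


def decode_hex7(value, encoding="latin-1"):
    """Decode a .reg-style 'hex(7):..' REG_MULTI_SZ value into a list of strings.

    The value posted in this thread uses one byte per character (REGEDIT4
    style), which is the default here. A 'Windows Registry Editor Version
    5.00' export stores the same data as UTF-16LE; pass encoding="utf-16-le"
    for those.
    """
    prefix = "hex(7):"
    if not value.startswith(prefix):
        raise ValueError(f"not a hex(7) value: {value!r}")
    # .reg files wrap long values with a trailing backslash; join them back up.
    body = value[len(prefix):].replace("\\\n", "")
    raw = bytes(int(byte, 16) for byte in body.split(",") if byte.strip())
    parts = raw.decode(encoding).split("\0")
    # Drop the terminators (and any trailing empties) so only real entries remain.
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def encode_hex7(strings, encoding="latin-1"):
    """Inverse of decode_hex7: build the 'hex(7):..' text for a list of strings."""
    text = "\0".join(strings) + "\0\0"
    return "hex(7):" + ",".join(f"{byte:02x}" for byte in text.encode(encoding))


def unexpected_notification_packages(value, encoding="latin-1",
                                     expected=EXPECTED_NOTIFICATION_PACKAGES):
    """Entries in the decoded value that are not in the expected default list."""
    allowed = {name.lower() for name in expected}
    return [pkg for pkg in decode_hex7(value, encoding) if pkg.lower() not in allowed]


# Constructed sample: the exact value the OTMoveIt3 script above sets.
THREAD_VALUE = "hex(7):73,63,65,63,6c,69,00,00"
# Constructed sample: the same list with a made-up extra entry appended,
# the shape a tampered Notification Packages list would have.
TAMPERED_VALUE = encode_hex7(["scecli", "unexpectedpkg"])

if __name__ == "__main__":
    print("decoded:", decode_hex7(THREAD_VALUE))
    print("unexpected in tampered value:",
          unexpected_notification_packages(TAMPERED_VALUE))
```

Because Notification Packages DLLs are loaded by LSASS and see password changes, the useful check is the decoded list of names, not the raw bytes: an extra entry is what you want to notice, and comparing decoded lists is also what makes the REGEDIT4 and 5.00 encodings of the same value compare equal.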

#5 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 12 January 2009 - 01:04 AM

Here is the log you requested. Everything seems to be running fine. But every time I run Spybot the MyWay.MyWebSearch is detected and can't be deleted. I just ran Spybot after running OTMoveIt3 and the same problem happened.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\System\CurrentControlset\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jim\LOCALS~1\Temp\Perflib_Perfdata_37c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jim\LOCALS~1\Temp\Perflib_Perfdata_d50.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01112009_235149

Files moved on Reboot...
File C:\DOCUME~1\Jim\LOCALS~1\Temp\Perflib_Perfdata_37c.dat not found!
File C:\DOCUME~1\Jim\LOCALS~1\Temp\Perflib_Perfdata_d50.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

#6 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 12 January 2009 - 01:23 AM

Posting this might be a total waste of time but I just found it. When I click on the recovery tab in Spybot this is what is shown. I have attached a word file with the screen shot.

Attached Files



#7 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 12 January 2009 - 06:09 PM

Do they keep reappearing? Asktoolbar is questionable, unless it was installed without your knowledge. Let me know.
Microsoft MVP Consumer Security--2007-2010

#8 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 12 January 2009 - 06:39 PM

I didn't purposefully install Asktoolbar and I don't think it is still on my computer. I don't see any additional toolbars and it is not on the list of programs that can be uninstalled.

The MyWay.MyWebSearch is found every time I run Spybot and it is never able to remove it. I receive the following message each time.

"Some problems couldn't be fixed; the reason could be that the associated files are still in use(in memory).
This could be fixed after a restart.
May Spybot-S&D run on your next system startup?"

If I click yes, Spybot runs when the computer reboots. Again it finds the problem but can't delete it.

#9 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 12 January 2009 - 07:09 PM

Can you give me a screenshot of what it won't remove? Thanks
Microsoft MVP Consumer Security--2007-2010

#10 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 13 January 2009 - 12:19 AM

Here is the screen shot you requested. After rebooting and allowing Spybot to run it still can't remove the problem.

Attached Files



#11 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 13 January 2009 - 06:14 PM

Oops, I need you to click on the [+] so I can see the detailed info. Thanks.
Microsoft MVP Consumer Security--2007-2010

#12 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 13 January 2009 - 07:58 PM

Sorry about that. Here you go.

All of the other problems that were found were tracking cookies and were taken care of without any problems.

Attached Files



#13 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 16 January 2009 - 03:36 PM

Please DELETE the following folder(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.

Folders:
C:\Program Files\AskTBar <-- this folder


Let me know if you can't delete it. Thanks
Microsoft MVP Consumer Security--2007-2010

#14 jsos1298
  • Topic Starter

  • Members
  • 20 posts

Posted 16 January 2009 - 04:23 PM

I deleted the folder and ran Spybot. That took care of the problem. Thanks so much for your help.

#15 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 16 January 2009 - 04:38 PM

You're welcome.

Open OTMoveIt3.exe and click on CleanUp.



Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  • Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  • Here are two great Preventive programs:
      • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
  • Anti-Spyware Programs I Recommend:
      • Free Anti-Spyware Programs

Microsoft MVP Consumer Security--2007-2010
