
Adware.MyWebSearch; worm.KoobFace; Adware.Hotbar; Trojan.Vundo


This topic is locked
16 replies to this topic

#1 chris.gatti

Posted 06 April 2010 - 01:09 PM

On 4/2/10 I opened a "video" link from a friend on Facebook. The link was for a file at "y.o.y tube". At first I thought it was legit, but I immediately began having all kinds of pop-up ads for "Best Anti-virus" and other assorted ads. I ran Malwarebytes and it deleted over 140 infections. Included in those were the names I listed in the "Topic Title" bar. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6000
Internet Explorer 8.0.6001.18882

4/2/2010 10:53:42 AM
mbam-log-2010-04-02 (10-53-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 294751
Time elapsed: 1 hour(s), 40 minute(s), 48 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 6
Registry Keys Infected: 141
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 31
Files Infected: 149

Memory Processes Infected:
C:\Program Files\MyWebSearch\bar\7.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Unloaded process successfully.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\MyWebSearch\bar\7.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{938aa51a-996c-4884-98ce-80dd16a5c9da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d9fffb27-d62a-4d64-8cec-1ff006528805} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webserver (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my web search bar search scope monitor (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\5.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\5.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\6.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\6.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\firefox (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\firefox\chrome (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\7.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Delete on reboot.
C:\Program Files\MyWebSearch\bar\7.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3SRCHMN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3SCRCTR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\5.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3HKSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3REGHK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3SCHMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3AUXSTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3DLGHK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\M3SLSRCH.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\firefox\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Dad\Downloads\WebfettiSetup2.3.50.62.SA.HP.ZKfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Dad\Downloads\WebfettiSetup2.3.64.2.ZKfox000(2).exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Dad\Downloads\WebfettiSetup2.3.64.2.ZKfox000(3).exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Dad\Downloads\WebfettiSetup2.3.64.2.ZKfox000(4).exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Dad\Downloads\WebfettiSetup2.3.64.2.ZKfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows\System32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\3.bin\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\5.bin\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\6.bin\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\CHROME.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\INSTALL.RDF (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\7.bin\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F415697 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F415E74 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F415F4E.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F4160A5.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F41621C.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F4163C1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\0F4A99CF.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\firefox\CHROME.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\firefox\INSTALL.RDF (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\firefox\chrome\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\8_step1.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\bkwebfet.jpg (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\bkzwinky.jpg (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\blubtn2d.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\blubtn2r.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\blubtn3d.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\blubtn3r.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\logo_ZJ.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\logo_ZR.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebbtnbg.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebbtnn1.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebbtnn2.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebbtny1.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebbtny2.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebclose.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebut.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebut2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebut3.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\rebut3b.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\reb_bg.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\repmidsm.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\shield.png (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Windows\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Users\Dad\AppData\Local\Temp\zpskon_1270235611.exe (Worm.Koobface) -> Quarantined and deleted successfully.


I am still having issues with web browsing. Whenever I try to "Google", "Yahoo", or "Bing" search, it gets hijacked to a completely different search page or to a topic unrelated to my search. Sometimes the search I do will come up with the correct results page, but when I click a results link it will go to an unrelated website. At other times I key a web address directly into the browser bar and an Ask.com search results page comes up. When I click on the desired link for the website I was trying to go to, it only reopens the same Ask.com search results page.

There is obviously still some part of the infections on my computer. I had to go into safe mode just to get to this site to post this topic. The following is a copy of the DDS file. If you need a DDS scan from regular mode, please let me know by email.

Here is the DDS copy:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Dad at 10:51:15.84 on Tue 04/06/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3062.2052 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! Antivirus *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Dad\Downloads\Defogger.exe
C:\Users\Dad\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
uURLSearchHooks: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
mURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
mURLSearchHooks: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
BHO: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Dictionary.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: iWin Toolbar: {ce0c2586-da36-452b-acdb-320d9bcb19bf} - c:\program files\iwin\tbiWin.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [SmileboxTray] "c:\users\dad\appdata\roaming\smilebox\SmileboxTray.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [cdloader] "c:\users\dad\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Auslogics BoostSpeed] c:\program files\auslogics\auslogics boostspeed\boostspeed.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Atari Launcher 2] c:\program files\infogrames\atari anniversary edition\volume 2\Atari icon.exe
mRun: [AtariBanner] "c:\program files\infogrames\atari anniversary edition\volume 2\Banner.exe" /0
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [KnexStarter] c:\program files\common files\hewlett-packard\hp device communication services\appinterfaces\HPDeviceService.exe
mRun: [RunTasktray] "c:\program files\hewlett-packard\hp easy printer care\hpprun.exe" --regkeypath=software\hewlett-packard\hp easy printer care\HPPRun --valuename=InstallTTM
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [boincmgr] "c:\program files\progress thru processors\progressthruprocessors.exe" /a /s
mRun: [boinctray] "c:\program files\progress thru processors\boinctray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
StartupFolder: c:\users\dad\appdata\roaming\micros~1\windows\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Supervisor.exe
StartupFolder: c:\users\dad\appdata\roaming\micros~1\windows\startm~1\programs\startup\cnette~1.lnk - c:\users\dad\appdata\roaming\cbs interactive\cnet techtracker\TechTracker.exe
StartupFolder: c:\users\dad\appdata\roaming\micros~1\windows\startm~1\programs\startup\thespr~1.lnk - c:\program files\thespringbox\TheSpringBox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\clever~1.lnk - c:\program files\lexico\cleverkeys\CK.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\sidebar.lnk - c:\program files\windows sidebar\sidebar.exe
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: magicjack.com\my
Trusted Zone: plaxo.com\www
Trusted Zone: talk4free.com\reg
Trusted Zone: hp.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/The%20Hidden%20Prophecies%20of%20Nostradamus/Images/armhelper.ocx
Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\common files\hewlett-packard\hp device communication services\app\hpdcsapp.dll
Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll
Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll
Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\dad\appdata\roaming\mozilla\firefox\profiles\7gsrjbwc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=3NGeClJPZDKucW6NHh6LlA&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce5b62&searchfor=
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\FFExternalAlert.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\RadioWMPCore.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\7gsrjbwc.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\FFExternalAlert.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\7gsrjbwc.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\RadioWMPCore.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mywebsearch\bar\3.bin\NPMYWEBS.DLL
FF - plugin: c:\program files\mywebsearch\bar\4.bin\NPMYWEBS.DLL
FF - plugin: c:\program files\mywebsearch\bar\5.bin\NPMYWEBS.DLL
FF - plugin: c:\program files\mywebsearch\bar\6.bin\NPMYWEBS.DLL
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\realarcade\npraclient.dll
FF - plugin: c:\users\dad\appdata\local\yahoo!\browserplus\2.6.0\plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\users\dad\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\dad\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\dad\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\dad\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\7gsrjbwc.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 dmoko;Port Processor Class Service Fax Network;c:\windows\system32\drivers\ndisoko.sys [2007-2-28 32768]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-8-21 43008]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-5 162640]
S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-2-17 58984]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-2-17 108904]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-12-5 13560]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-5 19024]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-12-5 51792]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-9 40384]
S2 BOINC;BOINC;c:\program files\progress thru processors\boinc.exe [2009-7-28 844496]
S2 gupdate1c9c06fef3dab2;Google Update Service (gupdate1c9c06fef3dab2);c:\program files\google\update\GoogleUpdate.exe [2009-4-18 133104]
S2 ipokoraid;BandSite PostAgent Proxy DHCP Taskbar Pluggable;c:\windows\system32\svchost.exe -k rpcSsc [2006-11-2 22016]
S2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2010-1-21 78104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-2-17 779496]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-9 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-9 40384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-21 179712]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-14 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-11 30192]

=============== Created Last 30 ================

2010-04-06 15:49:45 0 ----a-w- c:\users\dad\defogger_reenable
2010-04-06 13:52:39 0 d-----w- c:\program files\Yontoo Layers Client
2010-04-06 13:52:37 0 d-----w- c:\programdata\Tarma Installer
2010-04-05 17:14:36 0 d-----w- c:\program files\Sandlot Games
2010-04-05 17:14:36 0 d-----w- c:\program files\common files\Sandlot Shared
2010-04-02 13:16:29 0 d-----w- c:\program files\webserver
2010-04-02 13:10:35 77824 ---h--w- c:\windows\bill106.exe
2010-04-01 15:35:39 0 d-----w- c:\users\dad\appdata\roaming\Silverback Productions
2010-03-31 14:11:07 0 d-----w- c:\program files\common files\EzTools
2010-03-30 13:05:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-30 13:05:17 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-30 13:05:17 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-30 13:01:57 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-30 13:01:57 472576 ----a-w- c:\windows\system32\secproc.dll
2010-03-30 13:01:56 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-30 13:01:53 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-30 13:01:46 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-30 13:01:42 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-30 13:01:42 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-03-30 13:01:42 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-30 13:01:42 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-30 13:00:24 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-29 13:30:59 0 d-----w- c:\users\dad\appdata\roaming\DiskSpaceFan
2010-03-29 13:30:55 0 d-----w- c:\program files\DiskSpaceFan
2010-03-27 16:05:41 0 d-----w- c:\programdata\BC Soft Games
2010-03-22 19:37:32 0 d-----w- c:\programdata\Magazine
2010-03-17 14:50:18 0 d-----w- c:\programdata\EscapeTheMuseum2
2010-03-14 03:20:40 2848 ----a-w- C:\am-valerieporterandthescarletscandaltm_80x45.jpg
2010-03-12 17:02:06 0 d-----w- c:\program files\iWin
2010-03-09 13:27:29 0 d-----w- c:\users\dad\appdata\roaming\CBS Interactive
2010-03-09 13:23:47 0 d-----w- c:\programdata\Alwil Software
2010-03-08 20:49:34 0 d-----w- c:\programdata\Sandlot Games

==================== Find3M ====================

2010-03-09 11:08:52 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-03-05 19:35:41 4096 ----a-w- c:\windows\d3dx.dat
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-10 15:11:41 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-10 15:11:41 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-05 23:49:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-30 17:37:28 466944 ----a-w- c:\windows\system32\BSTIEPrintCtl1.dll
2010-01-17 20:53:37 201728 ----a-w- c:\windows\system32\Garfield Gets Real.scr
2010-01-17 20:52:14 520192 ----a-w- c:\windows\system32\Garfield Fun Fest.scr
2010-01-17 20:12:03 201728 ----a-w- c:\windows\system32\Garfield Guide To Cats.scr
2010-01-17 20:11:24 201728 ----a-w- c:\windows\system32\Garfield Through the Years.scr
2010-01-17 20:10:48 201728 ----a-w- c:\windows\system32\Garfield 9 Lives.scr
2010-01-17 20:10:13 201728 ----a-w- c:\windows\system32\Garfield Midnight Snack.scr
2009-09-17 11:39:45 86016 ----a-w- c:\windows\inf\infstor.dat
2008-12-11 04:57:20 174 --sha-w- c:\program files\desktop.ini
2008-12-05 21:03:34 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-02-26 04:51:17 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009022520090226\index.dat
2009-04-22 00:08:07 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009042120090422\index.dat
2009-04-28 00:24:23 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009042720090428\index.dat
2009-09-14 21:44:51 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009091420090915\index.dat
2009-11-14 23:33:22 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009111420091115\index.dat
2009-10-26 14:19:49 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 10:52:51.86 ===============

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-06 12:03:52
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Dad\AppData\Local\Temp\kxldapow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp ndisoko.sys

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}@jankemlleppeccgdiopp 0x62 0x61 0x62 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}@jankemlleppeccgdiodp 0x62 0x61 0x6D 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}@ianhabgjhdloojbmdi 0x6B 0x61 0x63 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}@hahikphdnijjlnno 0x6B 0x61 0x63 0x66 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.15 ----

The file Attach.txt I renamed in error "DDSII 4-6-10". The contents of the file are still the same. I hope this does not cause a problem. I attached all of the logs for your convenience as well.

Attached Files



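The DDS and GMER output above is what a helper reads by eye; the small script below is an added example (mine, not code from this thread or from the DDS tool) showing how to turn the `SERVICES / DRIVERS` and `Created Last 30` lines into structured records and apply two review heuristics: a service hosted by `svchost.exe -k <group>` where the group is not one of the stock Windows groups (the stock list is my assumption; DDS prints no such list), and a service whose name appears in neither its display name nor its image path. It also flags hidden executables from the file list. The sample lines are copied verbatim from the log above; every finding is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass

# Copied verbatim from the 'SERVICES / DRIVERS' section of the DDS log above.
SERVICE_LINES = r"""
R1 dmoko;Port Processor Class Service Fax Network;c:\windows\system32\drivers\ndisoko.sys [2007-2-28 32768]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-5 162640]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-9 40384]
S2 gupdate1c9c06fef3dab2;Google Update Service (gupdate1c9c06fef3dab2);c:\program files\google\update\GoogleUpdate.exe [2009-4-18 133104]
S2 ipokoraid;BandSite PostAgent Proxy DHCP Taskbar Pluggable;c:\windows\system32\svchost.exe -k rpcSsc [2006-11-2 22016]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-11 30192]
"""

# Copied verbatim from the 'Created Last 30' section of the same log.
FILE_LINES = r"""
2010-04-06 13:52:39 0 d-----w- c:\program files\Yontoo Layers Client
2010-04-02 13:16:29 0 d-----w- c:\program files\webserver
2010-04-02 13:10:35 77824 ---h--w- c:\windows\bill106.exe
2010-03-30 13:05:23 24064 ----a-w- c:\windows\system32\nshhttp.dll
"""

@dataclass
class Service:
    state: str     # 'R' running / 'S' stopped, as DDS prints it
    start: int     # start-type digit following the state letter
    name: str
    display: str
    image: str     # image path, including any 'svchost.exe -k <group>' suffix

# <state><start> <name>;<display>;<image> [<date> <size>]   (trailer may be [x] in ComboFix output)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?:\s*\[(?:[\d-]+\s+\d+|x)\])?\s*$"
)
SVCHOST_RE = re.compile(r"\\svchost\.exe\s+-k\s+(\S+)", re.I)
# Assumed set of stock Vista svchost groups (lower-cased); not something DDS reports.
STOCK_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "localservicenonetwork", "localservicenetworkrestricted",
    "localserviceandnoimpersonation", "localsystemnetworkrestricted", "networkservice",
    "networkservicenetworkrestricted", "rpcss", "dcomlaunch", "secsvcs", "wersvcgroup", "termsvcs",
}

def parse_services(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m["state"], int(m["start"]), m["name"], m["display"], m["image"]))
    return out

def within_one_edit(a: str, b: str) -> bool:
    """True if a != b and one insertion, deletion or substitution maps a onto b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)   # skip in the longer string; both advance on equal length
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def name_unreferenced(svc: Service) -> bool:
    """First alphanumeric run of the service name (up to 6 chars) found nowhere in display/image."""
    m = re.search(r"[a-z0-9]+", svc.name.lower())
    key = m.group(0)[:6] if m else ""
    return bool(key) and key not in (svc.display + " " + svc.image).lower()

def triage_services(text: str) -> list:
    findings = []
    for svc in parse_services(text):
        m = SVCHOST_RE.search(svc.image)
        if m and m.group(1).lower() not in STOCK_SVCHOST_GROUPS:
            group = m.group(1)
            why = f"hosted by svchost.exe in non-stock group '{group}'"
            near = [g for g in sorted(STOCK_SVCHOST_GROUPS) if within_one_edit(group.lower(), g)]
            if near:
                why += f" (one edit away from '{near[0]}')"
            findings.append((svc.name, why))
        if name_unreferenced(svc):
            findings.append((svc.name, "service name appears in neither display name nor image path"))
    return findings

# <date time> <size> <attrs> <path>; attrs[0]='d' directory, attrs[3]='h' hidden
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")

def triage_files(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m["attrs"], m["path"]
        if attrs[0] != "d" and attrs[3] == "h" and path.lower().endswith(EXEC_EXT):
            findings.append((path, f"hidden executable ({attrs}) created {m['ts']}"))
    return findings

if __name__ == "__main__":
    for name, why in triage_services(SERVICE_LINES) + triage_files(FILE_LINES):
        print(f"{name}: {why}")
```

On the lines above this flags `dmoko`, `ipokoraid` (twice: the `rpcSsc` group is one character away from the stock `rpcss`, and the name matches nothing else on its line) and the hidden `c:\windows\bill106.exe`; everything else passes. For a service hosted by `svchost.exe`, DDS only shows the host process, so the next thing to pull is the DLL named by that service's `Parameters\ServiceDll` value and the group-to-service mapping under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`, which is exactly the key the ComboFix log later in this thread prints with `rpcSsc` mapped to `ipokoraid`.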

#2 tetonbob

tetonbob

  • Malware Response Team
  • 796 posts
  • OFFLINE
  •  
  • Local time:06:30 PM

Posted 08 April 2010 - 07:07 PM

Hello -

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run any scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Please include the C:\ComboFix.txt in your next reply for further review.




Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015

#3 chris.gatti

chris.gatti
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jackson, TN
  • Local time:05:30 PM

Posted 08 April 2010 - 08:31 PM

Here is a copy of the ComboFix.txt: (I have also attached a copy of the .txt file)

ComboFix 10-04-08.01 - Dad 04/08/2010 19:31:21.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3062.988 [GMT -5:00]
Running from: c:\users\Dad\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! Antivirus *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\iWin Games\iWINgameshookie.dll
c:\program files\iWin\tbIWin.dll
c:\program files\webserver
c:\users\Dad\AppData\Local\010112010146111103.xxe
c:\users\Dad\AppData\Local\010112010146114101.xxe
c:\users\Dad\AppData\Local\010112010146114111.xxe
c:\users\Dad\AppData\Local\0101120101465198.xxe
c:\users\Dad\AppData\Local\Temp\sfamcc00001.dll
c:\users\Dad\AppData\Local\Temp\sfareca00001.dll
c:\windows\hide.exe
c:\windows\System32\BSTIeprintctl1.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 00:51 . 2010-04-09 00:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-09 00:27 . 2010-04-09 00:28 -------- d-----w- C:\32788R22FWJFW
2010-04-08 12:45 . 2010-04-08 12:45 -------- d-----w- c:\program files\iPod
2010-04-08 12:45 . 2010-04-08 12:46 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 12:45 . 2010-04-08 12:46 -------- d-----w- c:\program files\iTunes
2010-04-08 12:42 . 2010-04-08 12:42 -------- d-----w- c:\program files\QuickTime
2010-04-08 12:38 . 2010-04-08 12:38 -------- d-----w- c:\windows\LastGood.Tmp
2010-04-08 12:37 . 2010-04-08 12:37 -------- d-----w- c:\program files\Bonjour
2010-04-06 13:52 . 2010-04-06 13:52 -------- d-----w- c:\program files\Yontoo Layers Client
2010-04-06 13:52 . 2010-04-06 13:52 -------- d-----w- c:\programdata\Tarma Installer
2010-04-05 17:14 . 2010-04-05 17:14 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2010-04-05 17:14 . 2010-04-05 17:14 -------- d-----w- c:\program files\Sandlot Games
2010-04-01 15:35 . 2010-04-01 15:35 -------- d-----w- c:\users\Dad\AppData\Roaming\Silverback Productions
2010-03-31 14:11 . 2010-03-31 14:11 -------- d-----w- c:\program files\Common Files\EzTools
2010-03-30 13:05 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-30 13:05 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-30 13:05 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-30 13:01 . 2010-01-25 12:58 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-30 13:01 . 2010-01-25 12:58 472576 ----a-w- c:\windows\system32\secproc.dll
2010-03-30 13:01 . 2010-01-25 08:36 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-30 13:01 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-30 13:01 . 2010-01-25 08:36 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-30 13:01 . 2010-01-25 12:58 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-30 13:01 . 2010-01-25 12:58 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-30 13:01 . 2010-01-25 12:56 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-03-30 13:01 . 2010-01-25 08:36 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-30 13:00 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-29 13:30 . 2010-04-01 03:46 -------- d-----w- c:\users\Dad\AppData\Roaming\DiskSpaceFan
2010-03-29 13:30 . 2010-03-29 13:30 -------- d-----w- c:\program files\DiskSpaceFan
2010-03-27 16:05 . 2010-03-27 16:05 -------- d-----w- c:\programdata\BC Soft Games
2010-03-22 19:37 . 2010-03-22 19:37 -------- d-----w- c:\programdata\Magazine
2010-03-17 14:50 . 2010-03-17 14:50 -------- d-----w- c:\programdata\EscapeTheMuseum2
2010-03-12 17:02 . 2010-04-09 00:51 -------- d-----w- c:\program files\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 00:59 . 2009-09-23 13:44 -------- d-----w- c:\programdata\BOINC
2010-04-09 00:52 . 2009-04-26 01:56 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-09 00:51 . 2009-09-14 21:44 -------- d-----w- c:\program files\iWin Games
2010-04-08 22:52 . 2008-12-11 06:27 -------- d-----w- c:\programdata\Google Updater
2010-04-08 18:19 . 2009-08-25 03:07 -------- d-----w- c:\users\Dad\AppData\Roaming\mjusbsp
2010-04-08 12:45 . 2009-01-11 19:16 -------- d-----w- c:\program files\Common Files\Apple
2010-04-08 12:31 . 2010-04-08 12:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 18:01 . 2009-05-02 14:37 6648 ----a-w- c:\users\Dad\AppData\Local\d3d9caps.dat
2010-03-24 03:00 . 2010-03-24 02:57 2109952 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_graphics_6.02_windows_intelx86.exe
2010-03-24 02:56 . 2010-03-24 02:56 715264 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_6.02_windows_intelx86.exe
2010-03-23 18:32 . 2010-03-24 21:40 629248 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_se_6.02_windows_intelx86.dll
2010-03-23 18:31 . 2010-03-24 21:40 6888448 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_um_6.02_windows_intelx86.exe
2010-03-18 23:03 . 2009-09-15 22:38 -------- d-----w- c:\users\Dad\AppData\Roaming\Skype
2010-03-18 21:04 . 2009-07-29 02:43 -------- d-----w- c:\users\Dad\AppData\Roaming\skypePM
2010-03-09 13:51 . 2008-12-05 22:27 -------- d-----w- c:\program files\Alwil Software
2010-03-09 13:27 . 2010-03-09 13:27 100096 ----a-w- c:\users\Dad\AppData\Roaming\CBS Interactive\CNET TechTracker\uninst.exe
2010-03-09 13:27 . 2010-03-09 13:27 -------- d-----w- c:\users\Dad\AppData\Roaming\CBS Interactive
2010-03-09 13:23 . 2010-03-09 13:23 -------- d-----w- c:\programdata\Alwil Software
2010-03-09 11:24 . 2008-12-05 22:27 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2008-12-05 22:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2008-12-05 22:27 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2008-12-05 22:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2008-12-05 22:27 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-03-09 11:08 . 2008-12-05 22:27 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-08 23:25 . 2009-04-12 00:24 -------- d-----w- c:\program files\Oberon Media
2010-03-08 20:49 . 2010-03-08 20:49 -------- d-----w- c:\programdata\Sandlot Games
2010-03-06 01:12 . 2010-03-06 01:12 -------- d-----w- c:\programdata\Oberon Media
2010-03-05 20:50 . 2010-03-05 20:50 -------- d-----w- c:\users\Dad\AppData\Roaming\HSA
2010-03-05 19:35 . 2010-03-05 19:35 4096 ----a-w- c:\windows\d3dx.dat
2010-03-02 20:55 . 2010-01-29 03:12 50354 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\uninstall.exe
2010-03-02 20:55 . 2010-01-29 03:12 -------- d-----w- c:\users\Dad\AppData\Roaming\Facebook
2010-02-27 22:50 . 2009-01-30 18:42 -------- d-----w- c:\programdata\JollyBear
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-04-08 18:19 6870864 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-02 16:51 6870864 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\Upgrade\setup1.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-04-08 18:19 743872 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-02 16:51 743872 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\Upgrade\install1.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\cdloader2.exe
2010-02-26 06:41 . 2010-02-26 06:41 847040 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-26 00:04 . 2010-04-06 18:31 57856 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-02-26 00:04 . 2010-04-06 18:31 545280 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-02-26 00:04 . 2010-04-06 18:31 4689408 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-02-26 00:04 . 2010-04-06 18:31 103424 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-02-26 00:04 . 2010-04-06 18:31 425984 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-02-26 00:04 . 2010-04-06 18:31 153088 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-02-25 23:57 . 2010-04-06 13:52 226304 --s---r- c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
2010-02-25 20:46 . 2009-09-19 17:27 -------- d-----w- c:\users\Dad\AppData\Roaming\Merscom
2010-02-25 20:46 . 2009-09-19 17:27 -------- d-----w- c:\programdata\Merscom
2010-02-25 03:52 . 2009-01-12 02:07 -------- d-----w- c:\users\Dad\AppData\Roaming\LimeWire
2010-02-24 15:16 . 2009-10-03 16:28 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-07 16:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-07 16:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-07 16:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-07 16:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 21:26 . 2010-02-22 21:26 -------- d-----w- c:\programdata\PlayPond
2010-02-22 19:31 . 2010-02-22 19:31 -------- d-----w- c:\users\Dad\AppData\Roaming\HdO Adventure
2010-02-22 17:54 . 2010-02-22 17:54 -------- d-----w- c:\program files\LizardTech
2010-02-22 17:54 . 2007-08-21 13:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-13 20:53 . 2010-02-13 20:53 -------- d-----w- c:\users\Dad\AppData\Roaming\GameMill
2010-02-13 20:53 . 2010-02-13 20:53 -------- d-----w- c:\programdata\GameMill
2010-02-12 21:48 . 2009-01-30 01:03 -------- d-----w- c:\users\Dad\AppData\Roaming\PlayFirst
2010-02-12 21:48 . 2009-01-30 01:03 -------- d-----w- c:\programdata\PlayFirst
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 18:53 . 2008-12-05 22:27 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-10 14:57 . 2010-02-10 14:57 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_d.dll
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_c.dll
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_b.dll
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_a.dll
2010-02-10 14:56 . 2010-02-10 14:56 -------- d-----w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab
2010-02-08 14:15 . 2010-02-08 14:13 2109440 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_graphics_6.14_windows_intelx86.exe
2010-02-08 14:14 . 2010-02-08 14:13 674816 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_6.14_windows_intelx86.exe
2010-02-05 23:49 . 2008-12-05 22:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-03 16:15 . 2010-02-03 16:15 1111552 ----a-w- c:\users\Dad\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe
2010-01-29 17:21 . 2010-02-08 15:48 629248 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_se_6.14_windows_intelx86.dll
2010-01-29 17:12 . 2010-02-08 15:48 5708800 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_um_6.14_windows_intelx86.exe
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
2010-01-23 00:54 . 2009-08-02 00:50 12 ---ha-w- c:\programdata\iWin Games\drm\Service_2458921265333135255.dll
2010-01-22 01:02 . 2010-01-31 14:21 52224 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\FFExternalAlert.dll
2009-12-22 19:54 . 2009-12-22 19:54 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-03-17 20:45 2355224 ----a-w- c:\program files\PageRage\tbPage.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 22:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-04-05 22:42 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "c:\program files\PageRage\tbPage.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-11 68856]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2006-11-02 49664]
"SmileboxTray"="c:\users\Dad\AppData\Roaming\Smilebox\SmileboxTray.exe" [2009-12-07 266888]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"cdloader"="c:\users\Dad\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Auslogics BoostSpeed"="c:\program files\Auslogics\Auslogics BoostSpeed\boostspeed.exe" [2009-09-07 480368]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunTasktray"="c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"Atari Launcher 2"="c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe" [2001-05-23 55296]
"AtariBanner"="c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" [2001-05-23 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"KnexStarter"="c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2009-03-23 159744]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-07-31 707080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"boincmgr"="c:\program files\Progress Thru Processors\progressthruprocessors.exe" [2009-07-28 4850384]
"boinctray"="c:\program files\Progress Thru Processors\boinctray.exe" [2009-07-28 58064]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-22 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-08-02 151552]

c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe [2007-8-21 323584]
CNET TechTracker.lnk - c:\users\Dad\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe [2010-2-3 1111552]
TheSpringBox.lnk - c:\program files\TheSpringBox\TheSpringBox.exe [2007-6-14 1695679]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CleverKeys.lnk - c:\program files\Lexico\CleverKeys\CK.exe [2009-4-9 561664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-5 813584]
Sidebar.lnk - c:\program files\Windows Sidebar\sidebar.exe [2008-12-5 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 dmoko;Port Processor Class Service Fax Network;c:\windows\system32\drivers\ndisoko.sys [x]
R2 gupdate1c9c06fef3dab2;Google Update Service (gupdate1c9c06fef3dab2);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 133104]
R2 ipokoraid;BandSite PostAgent Proxy DHCP Taskbar Pluggable;c:\windows\system32\svchost.exe [2006-11-02 22016]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-22 30192]
S1 aswSP;aswSP; [x]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-03-23 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-03-23 125160]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 BOINC;BOINC;c:\program files\Progress Thru Processors\boinc.exe [2009-07-28 844496]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-01-21 78104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-03-23 779496]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
rpcSsc REG_MULTI_SZ ipokoraid
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-11 13:19]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 21:45]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: magicjack.com\my
Trusted Zone: plaxo.com\www
Trusted Zone: talk4free.com\reg
Trusted Zone: hp.com
Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=3NGeClJPZDKucW6NHh6LlA&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce5b62&searchfor=
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\FFExternalAlert.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\RadioWMPCore.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\FFExternalAlert.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\RadioWMPCore.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\RealArcade\npraclient.dll
FF - plugin: c:\users\Dad\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-AVerMedia A310 (MiniCard, DVB-T) - c:\program files\AVerMedia\AVerMedia A310 (MiniCard



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-951931247-2294440584-1921547708-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}*]
"jankemlleppeccgdiopp"=hex:62,61,62,66,00,00
"jankemlleppeccgdiodp"=hex:62,61,6d,69,00,00
"ianhabgjhdloojbmdi"=hex:6b,61,63,66,62,6d,6b,68,66,67,61,6a,6d,6d,70,70,6e,63,
62,66,6d,63,00,00
"hahikphdnijjlnno"=hex:6b,61,63,66,62,6d,6b,68,6b,67,62,6f,69,61,65,6b,68,6b,
61,67,6b,6b,00,00

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6592)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\UTSCSI.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-08 20:05:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-09 01:04

Pre-Run: 6,052,777,984 bytes free
Post-Run: 6,147,063,808 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,49
- - End Of File - - AEF1388299D26975E866A6F4A807D2FA

Attached Files



#4 tetonbob

  • Malware Response Team
  • 796 posts

Posted 08 April 2010 - 09:06 PM

Hi -

No need to attach logs going forward, unless specifically requested. Thanks.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/307602/adwaremywebsearch;-wormkoobface;-adwarehotbar;-trojanvundo/?p=1706600

    Driver::
    dmoko
    ipokoraid
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "rpcSsc"=-
    Firefox::
    FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - MyWebSearch
    FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=3NGeClJPZDKucW6NHh6LlA&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce5b62&searchfor=
    Collect::
    c:\windows\system32\drivers\ndisoko.sys
    RegNull::
    [HKEY_USERS\S-1-5-21-951931247-2294440584-1921547708-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}*]

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
    Please let me know if the file was successfully submitted . Thanks.

    ------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

Edited by tetonbob, 08 April 2010 - 09:11 PM.
edited script

Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
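The two entries the CFScript above removes (the dmoko driver, whose image ndisoko.sys the log reports as missing, and the ipokoraid service, hosted by svchost.exe under a group named rpcSsc rather than the real rpcss) and the hex-encoded values under the locked shell-extension key are the kind of thing a responder picks out of a ComboFix log by eye. The Python below is an added example, not a BleepingComputer or ComboFix tool; it automates those three checks over constructed sample lines written in the format of the log in this thread. The known-group list and the one-edit look-alike threshold are assumptions, and a missing-image flag is only a prompt to verify by hand: the avast self-protection driver aswSP also shows [x] in the same log and was left alone.

```python
"""Triage helpers for ComboFix-style log excerpts (added example, not a ComboFix tool).

Three checks a responder makes by eye in a ComboFix log:
  1. R?/S? service lines whose image file is reported missing ("[x]");
  2. svchost.exe-hosted services whose svchost group is a near-miss of a real
     Windows group name ("rpcSsc" vs the real "rpcss");
  3. decoding the hex: values under a locked registry key.
KNOWN_SVCHOST_GROUPS and the edit-distance threshold are assumptions."""
import re

# Constructed samples in the format of the ComboFix log in this thread.
SERVICE_LINES = r"""
R1 dmoko;Port Processor Class Service Fax Network;c:\windows\system32\drivers\ndisoko.sys [x]
R2 gupdate1c9c06fef3dab2;Google Update Service (gupdate1c9c06fef3dab2);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 133104]
R2 ipokoraid;BandSite PostAgent Proxy DHCP Taskbar Pluggable;c:\windows\system32\svchost.exe [2006-11-02 22016]
S1 aswSP;aswSP; [x]
"""
SVCHOST_LINES = """
bthsvcs REG_MULTI_SZ BthServ
rpcSsc REG_MULTI_SZ ipokoraid
"""
LOCKED_KEY_LINES = r"""
[HKEY_USERS\S-1-5-21-951931247-2294440584-1921547708-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EEC193-5CB2-8AD6-790A-4615C62AD84F}*]
"jankemlleppeccgdiopp"=hex:62,61,62,66,00,00
"ianhabgjhdloojbmdi"=hex:6b,61,63,66,62,6d,6b,68,66,67,61,6a,6d,6d,70,70,6e,63,
62,66,6d,63,00,00
"""

# Default svchost groups on Vista-era Windows (assumed list, lower-cased).
KNOWN_SVCHOST_GROUPS = (
    "netsvcs", "localservice", "networkservice", "localsystemnetworkrestricted",
    "localservicenetworkrestricted", "localservicenonetwork", "rpcss", "dcomlaunch",
)
# "R1 name;display;image [date size]"  or  "... [x]" when the file is missing.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')

def parse_services(text):
    """One dict per service/driver line; 'missing' is True for a '[x]' tail."""
    rows = []
    for m in filter(None, map(SERVICE_RE.match, map(str.strip, text.splitlines()))):
        row = dict(zip(("start", "name", "display", "image", "tail"), m.groups()))
        row["missing"] = row["tail"] == "x"
        rows.append(row)
    return rows

def parse_svchost_groups(text):
    """svchost group name -> member service names (ComboFix flattens REG_MULTI_SZ,
    so member names that contain spaces come out split)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "REG_MULTI_SZ":
            groups[parts[0]] = parts[2:]
    return groups

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike group names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_svchost_lookalikes(groups, max_distance=1):
    """Groups that are not a known name but lie within max_distance edits of one."""
    hits = []
    for group, members in groups.items():
        g = group.lower()
        if g not in KNOWN_SVCHOST_GROUPS:
            hits += [(group, k, members) for k in KNOWN_SVCHOST_GROUPS
                     if edit_distance(g, k) <= max_distance]
    return hits

def hosted_service_groups(services, groups):
    """For each service whose image is svchost.exe, the group hosting it (or None)."""
    out = {}
    for s in services:
        if s["image"].lower().endswith("svchost.exe"):
            out[s["name"]] = next((g for g, m in groups.items()
                                   if s["name"].lower() in [x.lower() for x in m]), None)
    return out

def decode_hex_values(text):
    """Decode '"name"=hex:..' lines (plus trailing-comma continuation lines) to text."""
    chunks, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HEX_VALUE_RE.match(line)
        if m:
            current = m.group(1)
            chunks[current] = m.group(2)
        elif current and line and not line.startswith("["):
            chunks[current] += line  # continuation of the previous value
    return {k: bytes(int(h, 16) for h in v.split(",") if h.strip())
               .rstrip(b"\x00").decode("latin-1") for k, v in chunks.items()}

if __name__ == "__main__":
    svcs, grps = parse_services(SERVICE_LINES), parse_svchost_groups(SVCHOST_LINES)
    print("missing image:", [s["name"] for s in svcs if s["missing"]])
    print("svchost-hosted:", hosted_service_groups(svcs, grps))
    print("look-alike groups:", find_svchost_lookalikes(grps))
    print("decoded values:", decode_hex_values(LOCKED_KEY_LINES))
```

On the sample, the missing-image check returns both dmoko and aswSP, which is why it is a review prompt and not a verdict; the group check singles out rpcSsc as one edit away from rpcss with ipokoraid as its only member, which is the finding the script's Driver:: and Registry:: sections act on; and the decoded values turn out to be null-terminated runs of random lower-case letters, matching the random value names, which is what the RegNull:: target looks like.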

#5 tetonbob

  • Malware Response Team
  • 796 posts

Posted 08 April 2010 - 09:11 PM

Edited post above, please view via the webpage, not via email. Thanks.

#6 chris.gatti

  • Topic Starter
  • Members
  • 82 posts
  • Gender:Male
  • Location:Jackson, TN

Posted 09 April 2010 - 07:59 AM

here is the ComboFix.txt log:

ComboFix 10-04-08.01 - Dad 04/08/2010 22:32:52.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3062.1652 [GMT -5:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! Antivirus *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dad\AppData\Local\Temp\sfamcc00001.dll
c:\users\Dad\AppData\Local\Temp\sfareca00001.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DMOKO
-------\Service_dmoko
-------\Service_ipokoraid


((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 03:41 . 2010-04-09 03:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-09 03:41 . 2010-04-09 03:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-09 03:41 . 2010-04-09 03:41 -------- d-----w- c:\users\boinc_master\AppData\Local\temp
2010-04-09 01:05 . 2010-04-09 03:46 -------- d-----w- c:\users\Dad\AppData\Local\temp
2010-04-08 12:45 . 2010-04-08 12:45 -------- d-----w- c:\program files\iPod
2010-04-08 12:45 . 2010-04-08 12:46 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-08 12:45 . 2010-04-08 12:46 -------- d-----w- c:\program files\iTunes
2010-04-08 12:42 . 2010-04-08 12:42 -------- d-----w- c:\program files\QuickTime
2010-04-08 12:37 . 2010-04-08 12:37 -------- d-----w- c:\program files\Bonjour
2010-04-06 13:52 . 2010-04-06 13:52 -------- d-----w- c:\program files\Yontoo Layers Client
2010-04-06 13:52 . 2010-04-06 13:52 -------- d-----w- c:\programdata\Tarma Installer
2010-04-05 17:14 . 2010-04-05 17:14 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2010-04-05 17:14 . 2010-04-05 17:14 -------- d-----w- c:\program files\Sandlot Games
2010-04-01 15:35 . 2010-04-01 15:35 -------- d-----w- c:\users\Dad\AppData\Roaming\Silverback Productions
2010-03-31 14:11 . 2010-03-31 14:11 -------- d-----w- c:\program files\Common Files\EzTools
2010-03-30 13:05 . 2010-02-20 23:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-30 13:05 . 2010-02-20 23:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-30 13:05 . 2010-02-20 21:30 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-30 13:01 . 2010-01-25 12:58 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-03-30 13:01 . 2010-01-25 12:58 472576 ----a-w- c:\windows\system32\secproc.dll
2010-03-30 13:01 . 2010-01-25 08:36 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-03-30 13:01 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-03-30 13:01 . 2010-01-25 08:36 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-03-30 13:01 . 2010-01-25 12:58 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-03-30 13:01 . 2010-01-25 12:58 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-03-30 13:01 . 2010-01-25 12:56 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-03-30 13:01 . 2010-01-25 08:36 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-03-30 13:00 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-29 13:30 . 2010-04-01 03:46 -------- d-----w- c:\users\Dad\AppData\Roaming\DiskSpaceFan
2010-03-29 13:30 . 2010-03-29 13:30 -------- d-----w- c:\program files\DiskSpaceFan
2010-03-27 16:05 . 2010-03-27 16:05 -------- d-----w- c:\programdata\BC Soft Games
2010-03-22 19:37 . 2010-03-22 19:37 -------- d-----w- c:\programdata\Magazine
2010-03-17 14:50 . 2010-03-17 14:50 -------- d-----w- c:\programdata\EscapeTheMuseum2
2010-03-12 17:02 . 2010-04-09 00:51 -------- d-----w- c:\program files\iWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 03:44 . 2009-09-23 13:44 -------- d-----w- c:\programdata\BOINC
2010-04-09 03:42 . 2009-04-26 01:56 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-09 00:51 . 2009-09-14 21:44 -------- d-----w- c:\program files\iWin Games
2010-04-08 22:52 . 2008-12-11 06:27 -------- d-----w- c:\programdata\Google Updater
2010-04-08 18:19 . 2009-08-25 03:07 -------- d-----w- c:\users\Dad\AppData\Roaming\mjusbsp
2010-04-08 12:45 . 2009-01-11 19:16 -------- d-----w- c:\program files\Common Files\Apple
2010-04-08 12:31 . 2010-04-08 12:31 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 18:01 . 2009-05-02 14:37 6648 ----a-w- c:\users\Dad\AppData\Local\d3d9caps.dat
2010-03-24 03:00 . 2010-03-24 02:57 2109952 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_graphics_6.02_windows_intelx86.exe
2010-03-24 02:56 . 2010-03-24 02:56 715264 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_6.02_windows_intelx86.exe
2010-03-23 18:32 . 2010-03-24 21:40 629248 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_se_6.02_windows_intelx86.dll
2010-03-23 18:31 . 2010-03-24 21:40 6888448 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\famous_um_6.02_windows_intelx86.exe
2010-03-18 23:03 . 2009-09-15 22:38 -------- d-----w- c:\users\Dad\AppData\Roaming\Skype
2010-03-18 21:04 . 2009-07-29 02:43 -------- d-----w- c:\users\Dad\AppData\Roaming\skypePM
2010-03-09 13:51 . 2008-12-05 22:27 -------- d-----w- c:\program files\Alwil Software
2010-03-09 13:27 . 2010-03-09 13:27 100096 ----a-w- c:\users\Dad\AppData\Roaming\CBS Interactive\CNET TechTracker\uninst.exe
2010-03-09 13:27 . 2010-03-09 13:27 -------- d-----w- c:\users\Dad\AppData\Roaming\CBS Interactive
2010-03-09 13:23 . 2010-03-09 13:23 -------- d-----w- c:\programdata\Alwil Software
2010-03-09 11:24 . 2008-12-05 22:27 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 11:12 . 2008-12-05 22:27 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 11:12 . 2008-12-05 22:27 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 11:09 . 2008-12-05 22:27 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 11:08 . 2008-12-05 22:27 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-03-09 11:08 . 2008-12-05 22:27 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-08 23:25 . 2009-04-12 00:24 -------- d-----w- c:\program files\Oberon Media
2010-03-08 20:49 . 2010-03-08 20:49 -------- d-----w- c:\programdata\Sandlot Games
2010-03-06 01:12 . 2010-03-06 01:12 -------- d-----w- c:\programdata\Oberon Media
2010-03-05 20:50 . 2010-03-05 20:50 -------- d-----w- c:\users\Dad\AppData\Roaming\HSA
2010-03-05 19:35 . 2010-03-05 19:35 4096 ----a-w- c:\windows\d3dx.dat
2010-03-02 20:55 . 2010-01-29 03:12 50354 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\uninstall.exe
2010-03-02 20:55 . 2010-01-29 03:12 -------- d-----w- c:\users\Dad\AppData\Roaming\Facebook
2010-02-27 22:50 . 2009-01-30 18:42 -------- d-----w- c:\programdata\JollyBear
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-04-08 18:19 6870864 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-02 16:51 6870864 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\Upgrade\setup1.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-04-08 18:19 743872 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-02 16:51 743872 ---ha-w- c:\users\Dad\AppData\Roaming\mjusbsp\Upgrade\install1.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\users\Dad\AppData\Roaming\mjusbsp\cdloader2.exe
2010-02-26 06:41 . 2010-02-26 06:41 847040 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\axfbootloader.dll
2010-02-26 06:41 . 2010-02-26 06:41 5582848 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-26 00:04 . 2010-04-06 18:31 57856 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-02-26 00:04 . 2010-04-06 18:31 545280 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-02-26 00:04 . 2010-04-06 18:31 4689408 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-02-26 00:04 . 2010-04-06 18:31 103424 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-02-26 00:04 . 2010-04-06 18:31 425984 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-02-26 00:04 . 2010-04-06 18:31 153088 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-02-25 23:57 . 2010-04-06 13:52 226304 --s---r- c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
2010-02-25 20:46 . 2009-09-19 17:27 -------- d-----w- c:\users\Dad\AppData\Roaming\Merscom
2010-02-25 20:46 . 2009-09-19 17:27 -------- d-----w- c:\programdata\Merscom
2010-02-25 03:52 . 2009-01-12 02:07 -------- d-----w- c:\users\Dad\AppData\Roaming\LimeWire
2010-02-24 15:16 . 2009-10-03 16:28 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-07 16:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-07 16:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-07 16:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-07 16:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 21:26 . 2010-02-22 21:26 -------- d-----w- c:\programdata\PlayPond
2010-02-22 19:31 . 2010-02-22 19:31 -------- d-----w- c:\users\Dad\AppData\Roaming\HdO Adventure
2010-02-22 17:54 . 2010-02-22 17:54 -------- d-----w- c:\program files\LizardTech
2010-02-22 17:54 . 2007-08-21 13:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-13 20:53 . 2010-02-13 20:53 -------- d-----w- c:\users\Dad\AppData\Roaming\GameMill
2010-02-13 20:53 . 2010-02-13 20:53 -------- d-----w- c:\programdata\GameMill
2010-02-12 21:48 . 2009-01-30 01:03 -------- d-----w- c:\users\Dad\AppData\Roaming\PlayFirst
2010-02-12 21:48 . 2009-01-30 01:03 -------- d-----w- c:\programdata\PlayFirst
2010-02-12 16:46 . 2010-02-12 16:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46 . 2010-02-12 16:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 18:53 . 2008-12-05 22:27 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-10 14:57 . 2010-02-10 14:57 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_d.dll
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_c.dll
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_b.dll
2010-02-10 14:56 . 2010-02-10 14:56 88576 ----a-w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab\srlproxy_intel_4_1_47_0_a.dll
2010-02-10 14:56 . 2010-02-10 14:56 -------- d-----w- c:\users\Dad\AppData\Roaming\SystemRequirementsLab
2010-02-08 14:15 . 2010-02-08 14:13 2109440 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_graphics_6.14_windows_intelx86.exe
2010-02-08 14:14 . 2010-02-08 14:13 674816 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_6.14_windows_intelx86.exe
2010-02-05 23:49 . 2008-12-05 22:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-03 16:15 . 2010-02-03 16:15 1111552 ----a-w- c:\users\Dad\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe
2010-01-29 17:21 . 2010-02-08 15:48 629248 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_se_6.14_windows_intelx86.dll
2010-01-29 17:12 . 2010-02-08 15:48 5708800 ----a-w- c:\programdata\BOINC\projects\climateprediction.net\hadam3p_um_6.14_windows_intelx86.exe
2010-01-27 03:20 . 2010-01-27 03:20 5578752 ----a-w- c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
2010-01-23 00:54 . 2009-08-02 00:50 12 ---ha-w- c:\programdata\iWin Games\drm\Service_2458921265333135255.dll
2010-01-22 01:02 . 2010-01-31 14:21 52224 ----a-w- c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\FFExternalAlert.dll
2009-12-22 19:54 . 2009-12-22 19:54 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-03-17 20:45 2355224 ----a-w- c:\program files\PageRage\tbPage.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 22:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-04-05 22:42 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "c:\program files\PageRage\tbPage.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-11 68856]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2006-11-02 49664]
"SmileboxTray"="c:\users\Dad\AppData\Roaming\Smilebox\SmileboxTray.exe" [2009-12-07 266888]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"cdloader"="c:\users\Dad\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Auslogics BoostSpeed"="c:\program files\Auslogics\Auslogics BoostSpeed\boostspeed.exe" [2009-09-07 480368]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-10-09 25623336]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunTasktray"="c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPRun.exe --regkeypath=Software\Hewlett-Packard\HP Easy Printer Care\HPPRun --valuename=InstallTTM" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"Atari Launcher 2"="c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe" [2001-05-23 55296]
"AtariBanner"="c:\program files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" [2001-05-23 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"KnexStarter"="c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\Appinterfaces\HPDeviceService.exe" [2009-03-23 159744]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-07-31 707080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"boincmgr"="c:\program files\Progress Thru Processors\progressthruprocessors.exe" [2009-07-28 4850384]
"boinctray"="c:\program files\Progress Thru Processors\boinctray.exe" [2009-07-28 58064]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-22 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-08-02 151552]

c:\users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe [2007-8-21 323584]
CNET TechTracker.lnk - c:\users\Dad\AppData\Roaming\CBS Interactive\CNET TechTracker\TechTracker.exe [2010-2-3 1111552]
TheSpringBox.lnk - c:\program files\TheSpringBox\TheSpringBox.exe [2007-6-14 1695679]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CleverKeys.lnk - c:\program files\Lexico\CleverKeys\CK.exe [2009-4-9 561664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-5 813584]
Sidebar.lnk - c:\program files\Windows Sidebar\sidebar.exe [2008-12-5 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate1c9c06fef3dab2;Google Update Service (gupdate1c9c06fef3dab2);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-22 30192]
S1 aswSP;aswSP; [x]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-03-23 58984]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-03-23 125160]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 BOINC;BOINC;c:\program files\Progress Thru Processors\boinc.exe [2009-07-28 844496]
S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-01-21 78104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-03-23 779496]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-11 13:19]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 21:45]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: magicjack.com\my
Trusted Zone: plaxo.com\www
Trusted Zone: talk4free.com\reg
Trusted Zone: hp.com
Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\FFExternalAlert.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}\components\RadioWMPCore.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\FFExternalAlert.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\RadioWMPCore.dll
FF - component: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\RealArcade\npraclient.dll
FF - plugin: c:\users\Dad\AppData\Local\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7gsrjbwc.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 22:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8008)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\UTSCSI.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-04-08 22:53:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-09 03:53
ComboFix2.txt 2010-04-09 01:05

Pre-Run: 6,269,628,416 bytes free
Post-Run: 6,067,044,352 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,49
- - End Of File - - A9FB10B1D1EF19CB716A8A7B60B1F478


#7 tetonbob

tetonbob

  • Malware Response Team
  • 796 posts
  • Local time:06:30 PM

Posted 09 April 2010 - 09:35 AM

Good job, next....

I see you have Malwarebytes' AntiMalware installed. It's quite outdated.

Please update its definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Antimalware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015

#8 chris.gatti

chris.gatti
  • Topic Starter

  • Members
  • 82 posts
  • Gender:Male
  • Location:Jackson, TN
  • Local time:05:30 PM

Posted 10 April 2010 - 09:14 AM

Here is the Malwarebytes quick scan log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3974

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

4/10/2010 9:03:14 AM
mbam-log-2010-04-10 (09-03-14).txt

Scan type: Quick scan
Objects scanned: 118251
Time elapsed: 8 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\certoko.dll (Worm.Koobface) -> Quarantined and deleted successfully.


#9 tetonbob

tetonbob

  • Malware Response Team
  • 796 posts
  • Local time:06:30 PM

Posted 10 April 2010 - 09:43 AM

Good job, next steps....

P2P - I see you have P2P software (Limewire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here and here.

I would strongly recommend that you uninstall them. You can do so via Control Panel >> Add or Remove Programs.


Other related links:

Comparison of Unwanted Software Installed by P2P Programs

Update: Seattle man arrested for p-to-p ID theft

Identity Thieves Lurk in P-to-P Networks

Risks of File-Sharing Technology

Woman Fined $222,000 for Music Sharing

Malware: Help prevent the Infection

IM And P2P Malware Threats Nearly Triple

Cyber-criminals Use P2P Tools for Identity Theft, Security Analyst Warns

How to Prevent the Online Invasion of Spyware and Adware

---------------------------------------------------------------------------------------------

Your Java is out of date.

Java™ 6 Update 18 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. Or, you can directly download j6u19 from this link:

http://www.java.com/en/download/manual.jsp

http://javadl.sun.com/webapps/download/AutoDL?BundleId=38663


Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked


    Applications and Applets
    Trace and Log Files


  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan. Vista users will need to right click on their IE shortcut, run as Administrator.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.





Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015

#10 chris.gatti

chris.gatti
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jackson, TN
  • Local time:05:30 PM

Posted 11 April 2010 - 01:54 PM

Here is the log file from the Eset scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ac4b9eb5e1128541969efbdda4eb3b06
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-11 03:45:59
# local_time=2010-04-10 10:45:59 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6000 NT
# compatibility_mode=768 16777191 100 0 1881345 1881345 0 0
# compatibility_mode=5892 16776573 100 100 0 107553136 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=201602
# found=2
# cleaned=0
# scan_time=11951
C:\Users\Dad\Downloads\SetupPlaySushi.exe Win32/Adware.Gamevance application 00000000000000000000000000000000 I
C:\Windows\Installer\a21694.msi a variant of Win32/AdInstaller application 00000000000000000000000000000000 I


#11 tetonbob

tetonbob

  • Malware Response Team
  • 796 posts
  • Local time:06:30 PM

Posted 11 April 2010 - 02:28 PM

The GameVance file, I'll leave to your discretion on whether to keep it or not. GameVance games get flagged as adware. I'd delete it.

I'd like a look at the other file Eset identified, please.
  • Please visit this site:


    http://www.bleepingcomputer.com/submit-mal....php?channel=28

  • In the Link to topic where this file was requested: area, copy and paste this


    http://www.bleepingcomputer.com/forums/topic307602.html#entry1710223

  • Click on the Browse button.
  • In the File Upload window which opens, copy and paste this into the File Name box, then click OK.


    C:\Windows\Installer\a21694.msi

  • Then click Send File.
  • Once it shows:

    QUOTE
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

  • Close the site and let me know.


Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015

#12 chris.gatti

chris.gatti
  • Topic Starter

  • Members
  • 82 posts
  • Gender:Male
  • Location:Jackson, TN
  • Local time:05:30 PM

Posted 11 April 2010 - 04:23 PM

The file you requested has been sent. I also followed the GameVance link on my system and clicked delete which sent it to my recycle bin. Then I emptied the recycle bin.

Edited by chris.gatti, 11 April 2010 - 04:25 PM.


#13 tetonbob

tetonbob

  • Malware Response Team
  • 796 posts
  • Local time:06:30 PM

Posted 11 April 2010 - 05:06 PM

Great. The other file is an installer for WeatherBug, which has for a long time been classified as adware. It's doing no harm here,

C:\Windows\Installer\a21694.msi

but can be safely deleted.

This command will quickly delete the file from your system if you so choose.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Windows\Installer\a21694.msi"

The other items Eset found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK


ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

---------------------------------------------------------------------------------------------

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/vulnerability_scanning/online/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


    In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles
  • How did I get infected in the first place?
  • Microsoft - 'Security at home'

If you want to fight back against the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.


Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
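The HOSTS-file advice above works by mapping unwanted hostnames to 127.0.0.1 (or 0.0.0.0); the same file is also a favourite hijack target, where an update or vendor hostname is quietly pointed at a routable address. The following audit script is an added example, not part of the thread or the MVPS project; it parses a constructed sample HOSTS file and separates sink entries from suspicious redirects and malformed lines.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (not a real file): it mixes
# MVPS-style blocking entries with one hijack-style redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style entries: unwanted hosts resolve to the local machine
127.0.0.1  ads.example-adserver.test
0.0.0.0    tracker.example-tracker.test   # 0.0.0.0 is another common sink
# Hijack-style entry: a vendor update host sent to a routable address
203.0.113.7  update.example-antivirus.test
this is not a valid hosts line
"""


def parse_hosts(text):
    """Return (line_number, ip, hostnames) for each non-comment line.

    Lines that do not parse as '<ip> <host> [<host>...]' are returned
    with ip=None so the caller can report them instead of ignoring them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        if ip is None or len(fields) < 2:
            entries.append((lineno, None, fields))
        else:
            entries.append((lineno, ip, fields[1:]))
    return entries


def audit_hosts(text):
    """Classify entries: a sink points at loopback (127.0.0.1, ::1) or the
    unspecified address (0.0.0.0); any routable target is flagged, since a
    hijacked HOSTS file can silently reroute update or vendor hostnames."""
    report = {"sinkholed": [], "redirected": [], "malformed": []}
    for lineno, ip, hosts in parse_hosts(text):
        if ip is None:
            report["malformed"].append(lineno)
        elif ip.is_loopback or ip.is_unspecified:
            report["sinkholed"].extend(hosts)
        else:
            report["redirected"].extend((h, str(ip)) for h in hosts)
    return report
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` instead of the constructed sample and review anything listed under `redirected`.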

#14 chris.gatti

chris.gatti
  • Topic Starter

  • Members
  • 82 posts
  • Gender:Male
  • Location:Jackson, TN
  • Local time:05:30 PM

Posted 11 April 2010 - 08:46 PM

If I delete this - C:\Windows\Installer\a21694.msi will it affect the running of the Weatherbug program?

#15 tetonbob

tetonbob

  • Malware Response Team
  • 796 posts
  • Local time:06:30 PM

Posted 11 April 2010 - 09:08 PM

Good question. It may be a needed resource for repair or uninstall, so if you're happy with Weatherbug you can ignore that file.
