Co-worker's computer messed up.

Novice2000 · Jan 29, 2008

Here is my co-worker's HJT file that he emailed me. He had to download HJT through "Safe Mode" because he can't get on the internet in regular mode. I told him to download SDFix and SmitFraud. He was able to download SDFix and run it, but it didn't do any good. He downloaded SmitFraud, but for some reason, he can't run it. He says that a black screen pops up for 1 second and immediately disappears when he tries to run the SmitFraud. This HJT log file was created after doing the above. So what does he have and how do we fix it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:15 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...i7Mb/w1gCDdRLxigZcE6UDjW6LZDiQs9RdjKCRK0O/e0=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {F93C5BFF-16F9-4DC5-B78C-EC46F896EE56} - C:\Program Files\Install Provider\InstallProvider_1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file)
O3 - Toolbar: &Download Manager Search Toolbar - {A9344DE7-59F2-40F8-9AE7-C203B67444DA} - C:\Program Files\Install Provider\InstallProvider_1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1122660519\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [AntiSpywareShield] C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020
O4 - HKUS\S-1-5-21-1993962763-527237240-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Donna')
O4 - HKUS\S-1-5-21-1993962763-527237240-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Donna')
O4 - HKUS\S-1-5-21-1993962763-527237240-839522115-1003\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe (User 'Donna')
O4 - HKUS\S-1-5-21-1993962763-527237240-839522115-1003\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'Donna')
O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'Default user')
O4 - S-1-5-21-1993962763-527237240-839522115-1003 Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe (User 'Donna')
O4 - S-1-5-21-1993962763-527237240-839522115-1003 User Startup: TrueAssistant.lnk = C:\Program Files\TrueSwitchComcast\TrueWizard.exe (User 'Donna')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265LUUS
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr/toolbar/rr-toolbar.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/downloa...le=2&aid=qability_rdt_us_en&lid=120mpl&affid=
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O22 - SharedTaskScheduler: exultet - {4f5f16ef-af9d-4fe6-8410-f0670b58979d} - C:\WINDOWS\system32\gusur.dll (file missing)
O22 - SharedTaskScheduler: cariniana - {5c770fbc-cc2f-4acd-93e8-e6f0594307fd} - C:\WINDOWS\system32\gnjsjc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11774 bytes

ceewi1 · Jan 29, 2008

What a mess

. Pass this on to your co-worker:

1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

Novice2000 · Jan 29, 2008

ceewi1 said:
What a mess . Pass this on to your co-worker:

1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

What's the difference between Hijack This and ComboFix? Why post a ComboFix log file? Does ComboFix also repair it? Should I have him fix it with ComboFix too, or just generate a log file?

Punk · Jan 29, 2008

Novice2000 said:
What's the difference between Hijack This and ComboFix? Why post a ComboFix log file? Does ComboFix also repair it? Should I have him fix it with ComboFix too, or just generate a log file?

Yeah it repairs and produces a useful log to clean the computer. Please follow th instructions Ceewi1 gave you, he's an expert

Novice2000 · Jan 29, 2008

I emailed him the link. But I then downloaded ComboFix from this link myself so I can run it so I could tell him what to do step by step. After I installed it from the installation icon on my desktop that I downloaded from that link, I received an error message which read.....

Error

327882R2FWJFW not in expected location

Inform sUBs now!!

And then when I clicked ok on this message and went to run ComboFix from the icon which was on my desktop after I installed it, a window popped up for about a second and then disappeared. What happened?

Also, pretty much the same thing happened to my co-worker when I emailed him the link for SmitFraud. He downloaded it and when he installed in and went to run it, he said a window popped up for about a second and disappeared. What happened?

And is there another link for downloading ComboFix and SmitFraud which will work?

P.S. We both kept deleting these and reinstalling them, but that didn't do any good.

Punk · Jan 30, 2008

I guess the virus is preventing any of those tools to run. Ceewi1 will take care of that.

Novice2000 · Jan 30, 2008

webbenji said:
I guess the virus is preventing any of those tools to run. Ceewi1 will take care of that.

That might make it understandable if SmitFraudFix doesn't run on my co-workers computer, but my computer doesn't have any viruses. Why won't ComboFix run on my computer? Is there something wrong with the links for downloading ComboFix and SmitFraudFix? They worked before at one time, why won't they work now?

Punk · Jan 30, 2008

Try this:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Novice2000 · Jan 30, 2008

webbenji said:
Try this:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

I tried all of those links. None of them work on my computer. Have you tried downloading and running these on your computer to see if they work on your computer?

ceewi1 · Jan 31, 2008

The download link is correct, I have contacted sUBs (the developer of ComboFix) about this error, did you download ComboFix directly to the Desktop? He suggests that you move ComboFix directly onto your C:\ drive (so ComboFix should be running at C:\ComboFix.exe). If you have installed windows to a drive other than C:, please place it directly on the root of that drive instead.

Once you've moved the file, please run it from there by double clicking on it.

Novice2000 · Jan 31, 2008

ceewi1 said:
The download link is correct, I have contacted sUBs (the developer of ComboFix) about this error, did you download ComboFix directly to the Desktop? He suggests that you move ComboFix directly onto your C:\ drive (so ComboFix should be running at C:\ComboFix.exe). If you have installed windows to a drive other than C:, please place it directly on the root of that drive instead.

Once you've moved the file, please run it from there by double clicking on it.

Yes, I downloaded it directly to my desktop. I'll try downloading it to my C: drive. Why can't it run from the desktop? What's the difference?

As far as SmitFraudFix, I have that on my desktop and it runs fine. Why can't my co-worker run it from his desktop?

ceewi1 · Feb 1, 2008

This appears to be an issue with ComboFix creating its working folders in the wrong location. This happens because a program in the past has written a corrupt registry entry. It is not a widespread issue, and ComboFix will likely work on your co-worker's computer.

sUBs has further investigated the issue, please try the following:

Please run Notepad and paste the contents of the codebox into a new file. Please do not include the word Code:

Code:

REGEDIT4

[-HKEY_CURRENT_USER\Software\WinRAR SFX]
[-HKEY_LOCAL_MACHINE\Software\WinRAR SFX]

Save the file to the desktop as fix.reg and make sure the Save as Type field says All Files. Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Try running ComboFix again.

Novice2000 · Feb 9, 2008

ceewi1 said:
What a mess . Pass this on to your co-worker:

1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

Here is his ComboFix Log File:

ComboFix 08-02.05.3 - Michael Sommers 2008-02-08 22:14:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT -6:00]
Running from: C:\Documents and Settings\Michael Sommers.DONNA-GFRCOSB61\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Application Data\Starware
C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafe.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafeA.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\games.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\gamesA.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaver.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\screensaverA.bmp
C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml
C:\Documents and Settings\All Users\Application Data\Starware\contexts\Travel.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\Donna\Application Data\PrivacyProtector Free
C:\Documents and Settings\Donna\Application Data\PrivacyProtector Free\Logs\update.log
C:\Documents and Settings\Donna\Application Data\Starware316(2)
C:\Documents and Settings\Donna\Application Data\Starware316(2)\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Configurator\Configurator.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Configurator\Configurator.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Games\GamesOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Games\GamesOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Layouts\PitchLayout.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Layouts\PitchLayout.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Manager\ManagerOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Movies\MoviesOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Reference\ReferenceOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Weather\AlertArchive.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Weather\WeatherOptions.xml
C:\Documents and Settings\Donna\Application Data\Starware316(2)\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Donna\err.log
C:\Documents and Settings\Donna\Favorites\Error Cleaner.url
C:\Documents and Settings\Donna\Favorites\Privacy Protector.url
C:\Documents and Settings\Donna\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Donna\ResErrors.log
C:\Documents and Settings\Mandy\Application Data\Starware
C:\Documents and Settings\Mandy\Application Data\Starware\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Mandy\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Games\GamesOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Games\GamesOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Layouts\PreferencesLayout.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Manager\ManagerOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\PopupBlocker\PopupBlockerOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Reference\ReferenceOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Mandy\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Mandy\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Michael Sommers.DONNA-GFRCOSB61\Application Data\PrivacyProtector Free
C:\Documents and Settings\Michael Sommers.DONNA-GFRCOSB61\Application Data\PrivacyProtector Free\Logs\update.log
C:\Documents and Settings\Michael Sommers.DONNA-GFRCOSB61\err.log
C:\Documents and Settings\Michael Sommers.DONNA-GFRCOSB61\ResErrors.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Cache\00867246.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Cache\files.ini
C:\Program Files\FunWebProducts\ScreenSaver\Images\002B3121.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00866D25.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00868E0B.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\010A4325.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\00039442
C:\Program Files\MyWebSearch\bar\Cache\006CF1D4.bin
C:\Program Files\MyWebSearch\bar\Cache\006D3F68.bin
C:\Program Files\MyWebSearch\bar\Cache\006D469C.bin
C:\Program Files\MyWebSearch\bar\Cache\006D5011.bin
C:\Program Files\MyWebSearch\bar\Cache\008432E5.bin
C:\Program Files\MyWebSearch\bar\Cache\00846B89.bin
C:\Program Files\MyWebSearch\bar\Cache\0084AD93.bin
C:\Program Files\MyWebSearch\bar\Cache\0084C021.bin
C:\Program Files\MyWebSearch\bar\Cache\0084D261.bin
C:\Program Files\MyWebSearch\bar\Cache\0084E27E.bin
C:\Program Files\MyWebSearch\bar\Cache\0084E627.bin
C:\Program Files\MyWebSearch\bar\Cache\0084E906.bin
C:\Program Files\MyWebSearch\bar\Cache\0084EBB5
C:\Program Files\MyWebSearch\bar\Cache\026C70E2
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\video activex access
C:\Program Files\video activex access\ot.ico
C:\Program Files\video activex access\ts.ico
C:\Program Files\video activex access\uninst.exe
C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\isfmdl.dll
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\Program Files\Video Add-on\uninst.exe
C:\setup.exe
C:\UWA7P
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\Program Files\MyWebSearch

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 20:19 . 2002-08-28 22:59 36,224 --a------ C:\WINDOWS\system32\drivers\an983.sys
2008-02-08 20:19 . 2002-08-28 22:59 36,224 --a--c--- C:\WINDOWS\system32\dllcache\an983.sys
2008-01-29 22:45 . 2008-01-29 22:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-29 22:45 . 2008-01-29 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-28 19:39 . 2008-01-28 19:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-28 19:39 . 2008-01-28 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 19:15 . 2008-01-28 19:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 22:00 . 2008-01-17 22:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-17 21:11 . 2008-01-17 21:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-17 20:09 . 2008-01-17 07:18 <DIR> d-------- C:\SDFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 03:13 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-01-24 13:58 --------- d-----w C:\Program Files\McAfee
2007-12-20 16:26 --------- d-----w C:\Program Files\AntiSpywareShield
2006-12-09 19:56 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69B98C68-D2B8-4A4E-9CB7-E85B6F3A7014}]
C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46C4-B683-905236F6F655}
{07B18EA9-A523-4961-B6BB-170DE4475CCA}
{A9344DE7-59F2-40F8-9AE7-C203B67444DA}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}

[HKEY_CLASSES_ROOT\clsid\{a9344de7-59f2-40f8-9ae7-c203b67444da}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A9344DE7-59F2-40F8-9AE7-C203B67444DA}"= C:\Program Files\Install Provider\InstallProvider_1.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{a9344de7-59f2-40f8-9ae7-c203b67444da}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [ ]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 01:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0a\AOL.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--------- 2004-06-29 08:06 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpywareShield]
--a------ 2007-12-20 10:21 441344 C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\Program Files\America Online 9.0a\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 06:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASM]
--a------ 2007-08-10 14:27 2500096 C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 13:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-04-12 15:23 42032 C:\Program Files\Common Files\AOL\1122660519\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 14:51 118784 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 09:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-08-20 14:55 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 14:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 04:04 57344 C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-07-29 12:09 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-01-24 08:08 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 08:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 11:11]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 12:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 12:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 12:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2001-08-17 12:12]
S3 S3chipid;S3chipid;C:\DOCUME~1\Donna\LOCALS~1\Temp\{2B43252C-A1E3-4C47-927C-9F2C276D3515}\S3chipid.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-08-03 23:05:40 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-09-01 06:00:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 22:22:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-02-08 22:25:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 04:25:25
.
2008-02-09 00:51:08 --- E O F ---

Novice2000 · Feb 9, 2008

Ok, as far as the ComboFix Log File above, I walked away after I started it. Did it only create a log file, or did it also fix what it found?

Oh, by the way, it downloaded right on his desktop. It also downloaded right on the desktop of a computer they have where I work. I don't know why it won't download to my desktop. That's wierd.

Ok, now I'll come back and post a new HJT log file. Be right back.

Novice2000 · Feb 9, 2008

Ok, here's his HJT log file along with the ComboFix log file I posted 2 posts above. Oh, I also forgot to add that these two log files were done after I had him download and run Spybot-Search and Destroy and Ad-Aware. I guess he said that those got rid of alot of stuff also. So is there anything else on here that needs to be cleaned off?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:50 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O3 - Toolbar: &Download Manager Search Toolbar - {A9344DE7-59F2-40F8-9AE7-C203B67444DA} - C:\Program Files\Install Provider\InstallProvider_1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265LUUS
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr/toolbar/rr-toolbar.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/downloa...le=2&aid=qability_rdt_us_en&lid=120mpl&affid=
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8199 bytes

ceewi1 · Feb 9, 2008

ComboFix has fixed what it found, and that's certainly got most of it, a few final things:

Please run Notepad and paste the contents of the codebox into a new file. Please do not include the word Code:

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{07B18EA9-A523-4961-B6BB-170DE4475CCA}"=-
"{A9344DE7-59F2-40F8-9AE7-C203B67444DA}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A9344DE7-59F2-40F8-9AE7-C203B67444DA}"=-
[-HKEY_CLASSES_ROOT\clsid\{a9344de7-59f2-40f8-9ae7-c203b67444da}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

Save the file to the desktop as fix.reg and make sure the Save as Type field says All Files. Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

[*]O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
[*]O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
[*]O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
[*]O3 - Toolbar: &Download Manager Search Toolbar - {A9344DE7-59F2-40F8-9AE7-C203B67444DA} - C:\Program Files\Install Provider\InstallProvider_1.dll (file missing)
[*]O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
[*]O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265LUUS
[*]O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
[*]O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
[*]O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
[*]O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr/...rr-toolbar.cab
[*]O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
[*]O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download...=120mpl&affid=

Please close all open windows except for HijackThis and choose Fix checked

Please reboot the PC and post a new HijackThis log. How is the system running now?

Novice2000 · Feb 10, 2008

ceewi1 said:
ComboFix has fixed what it found, and that's certainly got most of it, a few final things:

Please run Notepad and paste the contents of the codebox into a new file. Please do not include the word Code:

Code:

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{07B18EA9-A523-4961-B6BB-170DE4475CCA}"=- "{A9344DE7-59F2-40F8-9AE7-C203B67444DA}"=- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{A9344DE7-59F2-40F8-9AE7-C203B67444DA}"=- [-HKEY_CLASSES_ROOT\clsid\{a9344de7-59f2-40f8-9ae7-c203b67444da}] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

Save the file to the desktop as fix.reg and make sure the Save as Type field says All Files. Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

[*]O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
[*]O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
[*]O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
[*]O3 - Toolbar: &Download Manager Search Toolbar - {A9344DE7-59F2-40F8-9AE7-C203B67444DA} - C:\Program Files\Install Provider\InstallProvider_1.dll (file missing)
[*]O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
[*]O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265LUUS
[*]O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
[*]O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.securesoftwarefeed.com/redirect.php (file missing)
[*]O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...1.0.0.15-3.cab
[*]O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr/...rr-toolbar.cab
[*]O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
[*]O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download...=120mpl&affid=

Please close all open windows except for HijackThis and choose Fix checked

Please reboot the PC and post a new HijackThis log. How is the system running now?

Here's his new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:07 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b (User 'Default user')
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5767 bytes

ceewi1 · Feb 10, 2008

Excellent, the logfile now appears to be clean.

Normally at this point I would discuss prevention strategies, but it looks like you already have that well in hand.

Novice2000 · Feb 13, 2008

ceewi1 said:
Excellent, the logfile now appears to be clean.

Normally at this point I would discuss prevention strategies, but it looks like you already have that well in hand.

It works great. Thanks bud.

Co-worker's computer messed up.

Novice2000

New Member

ceewi1

VIP Member

Novice2000

New Member

Punk

Moderator

Novice2000

New Member

Punk

Moderator

Novice2000

New Member

Punk

Moderator

Novice2000

New Member

ceewi1

VIP Member

Novice2000

New Member

ceewi1

VIP Member

Novice2000

New Member

Novice2000

New Member

Novice2000

New Member

ceewi1

VIP Member

Novice2000

New Member

ceewi1

VIP Member

Novice2000

New Member