Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 11-11-2008, 07:08 PM
Registered User (Join Date: Nov 2008, Posts: 8, OS: Windows XP)

I need to remove Malware spyware message-Todd Hoback

Hello. I now get a regular popup that says "Your computer is infected! Windows has detected spyware infection. Windows will now download and install anti-spyware software." but it never does anything else, and it won't stop appearing.

I am attaching the three logs you requested. Thank you very much for your help!

Todd Hoback

DDS (Version 1.0) - NTFSx86
Run by Owner at 18:45:42.81 on Tue 11/11/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.540 [GMT -8:00]

============== Psuedo HJT Report ===============

uStart Page = hxxp://lasvegas.cox.net/cci/home
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
mSearchAssistant = hxxp://www.google.com
BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
TB: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [brastk] c:\windows\system32\brastk.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [nwiz] nwiz.exe /install
mRun: [LTMSG] LTMSG.exe 7
mRun: [CTPDPSRV] c:\windows\system32\spool\drivers\w32x86\3\CTPDPSRV.EXE
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Verizon Custom Uninstall Tracking] c:\docume~1\owner\locals~1\temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [brastk] c:\windows\system32\brastk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq a3000\CPQA3000.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpcent~1.lnk - c:\program files\hp center\137903\program\BackWeb-137903.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\drivers\usb8023.sys
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe

=============== Created Last 30 ================

2008-11-11 18:33 250 a------- c:\windows\gmer.ini
2008-11-11 08:07 0 a------- c:\windows\system32\wini10846.exe
2008-11-08 23:23 <DIR> --d----- c:\program files\AntivirusPro2009
2008-11-06 21:50 13,382 a------- c:\docume~1\owner\applic~1\mymadabo.vbs
2008-11-06 21:50 18,571 a------- c:\windows\dasyqipiz.bin
2008-11-06 21:50 18,533 a------- c:\windows\avahy.exe
2008-11-06 21:50 15,114 a------- c:\windows\system32\pefolu.vbs
2008-11-06 21:50 14,788 a------- c:\docume~1\alluse~1\applic~1\nudogopese.dat
2008-11-06 21:50 11,743 a------- c:\docume~1\alluse~1\applic~1\awejiv.dat
2008-11-06 21:50 19,866 a------- c:\docume~1\owner\applic~1\modiquw.dat
2008-11-06 21:50 18,892 a------- c:\windows\ymiwusudug.reg
2008-11-06 21:50 17,369 a------- c:\docume~1\owner\applic~1\fyhubumove.pif
2008-11-06 21:50 16,746 a------- c:\docume~1\owner\applic~1\ahek.bin
2008-11-06 21:50 14,123 a------- c:\docume~1\alluse~1\applic~1\abut.com
2008-11-06 21:50 12,136 a------- c:\windows\system32\ycyxyneqet.ban
2008-11-06 21:50 16,062 a------- c:\docume~1\owner\applic~1\qyvijy.com
2008-11-06 21:50 13,358 a------- c:\docume~1\owner\applic~1\ezoti.bin
2008-11-06 21:50 13,318 a------- c:\windows\cejuzyw._sy
2008-11-06 21:44 19,808 a------- c:\docume~1\owner\applic~1\bixyxop.com
2008-11-06 21:44 19,322 a------- c:\windows\system32\erabotyk.dl
2008-11-06 21:44 16,481 a------- c:\windows\usowys.bin
2008-11-06 21:44 15,547 a------- c:\docume~1\alluse~1\applic~1\uhywuro.vbs
2008-11-06 21:44 13,718 a------- c:\program files\common files\dameh.com
2008-11-06 21:44 19,844 a------- c:\windows\omaz.pif
2008-11-06 21:44 18,381 a------- c:\docume~1\owner\applic~1\ifycac.scr
2008-11-06 21:44 17,852 a------- c:\docume~1\owner\applic~1\ydude.reg
2008-11-06 21:44 16,867 a------- c:\windows\sinum.exe
2008-11-06 21:44 16,046 a------- c:\windows\gybebuleca.exe
2008-11-06 21:44 15,771 a------- c:\windows\system32\uzymod.dat
2008-11-06 21:44 14,056 a------- c:\windows\esolypis.vbs
2008-11-06 21:44 12,576 a------- c:\docume~1\alluse~1\applic~1\owodoweti.bin
2008-11-06 21:44 12,303 a------- c:\docume~1\owner\applic~1\uvod.sys
2008-11-06 21:44 11,870 a------- c:\program files\common files\aresysyqov.scr
2008-11-06 11:22 5,120 a------- c:\windows\system32\brastk.exe

==================== Find3M ====================

2008-11-19 21:46 <DIR> --d----- c:\docume~1\owner\applic~1\Verizon
2008-11-19 21:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Verizon
2008-11-18 12:49 <DIR> --d----- c:\docume~1\owner\applic~1\Move Networks
2008-11-07 20:44 <DIR> a-d----- c:\program files\Encarta Online
2008-11-07 20:44 <DIR> --d----- c:\program files\EMusic
2008-11-07 00:21 <DIR> --d----- c:\program files\Messenger
2008-11-07 00:21 <DIR> --d----- c:\program files\Compaq A3000
2008-11-07 00:21 <DIR> --d----- c:\program files\viewsonic
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 09:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-10-01 15:49 86,691 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-01 15:46 49,152 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\PCHI18N.dll
2008-10-01 15:45 77,824 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\WinVerifyTrust.dll
2008-10-01 15:45 126,976 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\ContentUpdater.exe
2008-10-01 15:45 122,880 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\SearchCtrl.dll
2008-10-01 15:45 420,432 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\pchplugin.zip
2008-10-01 15:45 155,648 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\PCHButton.exe
2008-10-01 15:44 731,136 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\motdeusr.zip
2008-10-01 15:44 106,496 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\bin\PluginCtrl.dll
2008-10-01 15:31 <DIR> --d----- c:\program files\Windows NT
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 04:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-08 02:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 00:24 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 00:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 00:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-22 21:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-22 21:54 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-08-14 02:11 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2008-08-14 02:11 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 02:09 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 02:04 138,496 -------- c:\windows\system32\dllcache\afd.sys
2008-08-14 01:33 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2008-08-14 01:33 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-08-14 01:33 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2006-06-09 09:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MANSION
2006-06-01 13:02 <DIR> --d----- c:\docume~1\owner\applic~1\VERITAS
2006-03-15 09:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Macrovision
2006-03-01 14:35 <DIR> --d----- c:\docume~1\owner\applic~1\MSN6
2006-03-01 14:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2006-03-01 10:09 <DIR> --d----- c:\docume~1\owner\applic~1\Nikon
2006-02-17 11:02 <DIR> --d----- c:\docume~1\owner\applic~1\InterTrust
2008-04-13 16:12 50,688 a--sh--- c:\windows\twain_32.dll
2008-04-13 16:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 16:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll
2008-04-13 16:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 16:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 16:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 16:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 16:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 18:46:13.48 ===============
Attached Files: Attach.txt (5.3 KB), DDS.txt (10.8 KB), Gmer.txt (53.6 KB)

Last edited by Ried; 11-13-2008 at 08:35 PM. Reason: removed telephone number for privacy
#2 - 11-13-2008, 02:54 AM
sjb007, Analyst, Security Team (Join Date: Dec 2007, Location: Lincoln UK, Posts: 2,089, OS: Vista Premium 64x)

Re: I need to remove Malware spyware message-Todd Hoback

Hi there ToddHoback

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Please copy and paste any requested logs into replies rather than add them as attachments; this makes it easier for analysis.

Please note that the forum is very busy, and if I don't hear from you within three days this thread will be closed.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
#3 - 11-13-2008, 04:45 PM
Registered User (Join Date: Nov 2008, Posts: 8, OS: Windows XP)

Re: I need to remove Malware spyware message-Todd Hoback

sjb007,

Thank you very much for your reply. I followed your instructions, and here is the ComboFix log you requested. I greatly appreciate your help. -- Todd Hoback


ComboFix 08-11-12.01 - Owner 2008-11-13 16:33:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\1340EC71.urr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MySignatureInsertBtn.html
c:\program files\FunWebProducts\Shared\Cache\MySignaturePreviewBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Cache\000DACDA
c:\program files\MyWebSearch\bar\Cache\07CA999D
c:\program files\MyWebSearch\bar\Cache\07CA9EEC.bin
c:\program files\MyWebSearch\bar\Cache\07CA9FA8.bin
c:\program files\MyWebSearch\bar\Cache\07CAA12E.bin
c:\program files\MyWebSearch\bar\Cache\07CAA228.bin
c:\program files\MyWebSearch\bar\Cache\0C2DDE41.bin
c:\program files\MyWebSearch\bar\Cache\0C2DDFD7.bin
c:\program files\MyWebSearch\bar\Cache\0C2DE13F.bin
c:\program files\MyWebSearch\bar\Cache\0C2DE1EA.bin
c:\program files\MyWebSearch\bar\Cache\2EB51A01
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\windows\system\oeminfo.ini
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\wini10846.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-23 20:05 . 2008-10-15 08:34 337,408 --------- c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-11-19 22:20 . 2008-11-13 16:22 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-19 22:03 . 2008-11-19 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-19 22:03 . 2008-11-13 16:21 8,805 --a------ c:\windows\SYSTEM32\Config.MPF
2008-11-19 22:02 . 2006-03-03 08:07 143,360 --a------ c:\windows\SYSTEM32\dunzip32.dll
2008-11-19 21:59 . 2007-11-22 06:44 201,320 --a------ c:\windows\SYSTEM32\drivers\mfehidk.sys
2008-11-19 21:59 . 2007-07-13 06:20 113,952 --a------ c:\windows\SYSTEM32\drivers\Mpfp.sys
2008-11-19 21:59 . 2007-11-22 06:44 79,304 --a------ c:\windows\SYSTEM32\drivers\mfeavfk.sys
2008-11-19 21:59 . 2007-12-02 12:51 40,488 --a------ c:\windows\SYSTEM32\drivers\mfesmfk.sys
2008-11-19 21:59 . 2007-11-22 06:44 35,240 --a------ c:\windows\SYSTEM32\drivers\mfebopk.sys
2008-11-19 21:59 . 2007-11-22 06:44 33,832 --a------ c:\windows\SYSTEM32\drivers\mferkdk.sys
2008-11-19 21:58 . 2008-11-19 21:58 <DIR> d-------- c:\program files\McAfee.com
2008-11-19 21:58 . 2008-11-29 20:42 <DIR> d-------- c:\program files\McAfee
2008-11-19 21:58 . 2008-11-19 21:59 <DIR> d-------- c:\program files\Common Files\McAfee
2008-11-15 23:29 . 2008-09-08 02:41 333,824 --------- c:\windows\SYSTEM32\dllcache\srv.sys
2008-11-15 23:28 . 2008-08-14 02:11 2,189,184 --------- c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2008-11-15 23:28 . 2008-08-14 02:09 2,145,280 --------- c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2008-11-15 23:28 . 2008-08-14 01:33 2,066,048 --------- c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2008-11-15 23:28 . 2008-08-14 01:33 2,023,936 --------- c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2008-11-15 23:28 . 2008-09-15 04:12 1,846,400 --------- c:\windows\SYSTEM32\dllcache\win32k.sys
2008-11-12 22:03 . 2008-11-12 22:03 118 --a------ c:\windows\SYSTEM32\MRT.INI
2008-11-12 21:00 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\dllcache\msxml3.dll
2008-11-12 21:00 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-11-11 18:33 . 2008-11-11 18:33 250 --a------ c:\windows\gmer.ini
2008-11-09 16:52 . 2008-11-09 16:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield
2008-11-08 23:23 . 2008-11-12 12:05 <DIR> d-------- c:\program files\AntivirusPro2009
2008-11-06 21:50 . 2008-11-06 21:50 19,866 --a------ c:\documents and settings\Owner\Application Data\modiquw.dat
2008-11-06 21:50 . 2008-11-06 21:50 18,892 --a------ c:\windows\ymiwusudug.reg
2008-11-06 21:50 . 2008-11-06 21:50 18,571 --a------ c:\windows\dasyqipiz.bin
2008-11-06 21:50 . 2008-11-06 21:50 18,533 --a------ c:\windows\avahy.exe
2008-11-06 21:50 . 2008-11-06 21:50 17,369 --a------ c:\documents and settings\Owner\Application Data\fyhubumove.pif
2008-11-06 21:50 . 2008-11-06 21:50 16,746 --a------ c:\documents and settings\Owner\Application Data\ahek.bin
2008-11-06 21:50 . 2008-11-06 21:50 16,062 --a------ c:\documents and settings\Owner\Application Data\qyvijy.com
2008-11-06 21:50 . 2008-11-06 21:50 15,114 --a------ c:\windows\SYSTEM32\pefolu.vbs
2008-11-06 21:50 . 2008-11-06 21:50 14,788 --a------ c:\documents and settings\All Users\Application Data\nudogopese.dat
2008-11-06 21:50 . 2008-11-06 21:50 14,123 --a------ c:\documents and settings\All Users\Application Data\abut.com
2008-11-06 21:50 . 2008-11-06 21:50 13,382 --a------ c:\documents and settings\Owner\Application Data\mymadabo.vbs
2008-11-06 21:50 . 2008-11-06 21:50 13,358 --a------ c:\documents and settings\Owner\Application Data\ezoti.bin
2008-11-06 21:50 . 2008-11-06 21:50 13,318 --a------ c:\windows\cejuzyw._sy
2008-11-06 21:50 . 2008-11-06 21:50 12,136 --a------ c:\windows\SYSTEM32\ycyxyneqet.ban
2008-11-06 21:50 . 2008-11-06 21:50 11,743 --a------ c:\documents and settings\All Users\Application Data\awejiv.dat
2008-11-06 21:44 . 2008-11-06 21:44 19,844 --a------ c:\windows\omaz.pif
2008-11-06 21:44 . 2008-11-06 21:44 19,808 --a------ c:\documents and settings\Owner\Application Data\bixyxop.com
2008-11-06 21:44 . 2008-11-06 21:44 19,322 --a------ c:\windows\SYSTEM32\erabotyk.dl
2008-11-06 21:44 . 2008-11-06 21:44 18,381 --a------ c:\documents and settings\Owner\Application Data\ifycac.scr
2008-11-06 21:44 . 2008-11-06 21:44 17,852 --a------ c:\documents and settings\Owner\Application Data\ydude.reg
2008-11-06 21:44 . 2008-11-06 21:44 16,867 --a------ c:\windows\sinum.exe
2008-11-06 21:44 . 2008-11-06 21:44 16,481 --a------ c:\windows\usowys.bin
2008-11-06 21:44 . 2008-11-06 21:44 16,046 --a------ c:\windows\gybebuleca.exe
2008-11-06 21:44 . 2008-11-06 21:44 15,771 --a------ c:\windows\SYSTEM32\uzymod.dat
2008-11-06 21:44 . 2008-11-06 21:44 15,547 --a------ c:\documents and settings\All Users\Application Data\uhywuro.vbs
2008-11-06 21:44 . 2008-11-06 21:44 14,056 --a------ c:\windows\esolypis.vbs
2008-11-06 21:44 . 2008-11-06 21:44 13,718 --a------ c:\program files\Common Files\dameh.com
2008-11-06 21:44 . 2008-11-06 21:44 12,576 --a------ c:\documents and settings\All Users\Application Data\owodoweti.bin
2008-11-06 21:44 . 2008-11-06 21:44 12,303 --a------ c:\documents and settings\Owner\Application Data\uvod.sys
2008-11-06 21:44 . 2008-11-06 21:44 11,870 --a------ c:\program files\Common Files\aresysyqov.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 07:30 --------- d-----w c:\program files\Full Tilt Poker
2008-11-20 06:16 --------- d-----w c:\program files\Common Files\Motive
2008-11-20 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-20 05:46 --------- d-----w c:\documents and settings\Owner\Application Data\Verizon
2008-11-20 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-11-18 20:49 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-12 02:33 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-08 04:44 --------- d---a-w c:\program files\Encarta Online
2008-11-08 04:44 --------- d-----w c:\program files\Microsoft Works
2008-11-08 04:44 --------- d-----w c:\program files\EMusic
2008-11-07 08:21 --------- d-----w c:\program files\viewsonic
2008-11-07 08:21 --------- d-----w c:\program files\Compaq A3000
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\dllcache\ieframe.dll
2008-10-01 23:46 49,152 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-10-01 23:45 77,824 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-10-01 23:45 420,432 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-10-01 23:45 155,648 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-10-01 23:45 126,976 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-10-01 23:45 122,880 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-10-01 23:44 731,136 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-10-01 23:44 106,496 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\SYSTEM32\dllcache\afd.sys
2008-08-14 09:33 2,066,048 ------w c:\windows\SYSTEM32\ntkrnlpa.exe
2008-04-14 00:12 50,688 --sha-w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-15 28739]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"CTPDPSRV"="c:\windows\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\SYSTEM32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-01 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-01 113664]
Compaq A3000 Settings Utility.lnk - c:\program files\Compaq A3000\CPQA3000.exe [2006-03-01 1142784]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2001-09-05 16384]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-05 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-05 28672]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-03-01 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:57]

2006-06-14 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1142361872.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]

2006-02-18 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2006-02-17 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2006-02-17 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2008-11-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-11-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2006-02-17 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2006-02-17 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2008-12-03 c:\windows\Tasks\User_Feed_Synchronization-{DE8326EE-D556-48F0-A912-DDE24CD006C2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://webmail.west.cox.net/do/logout?rnd=5515342718109138664
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
O8 -: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYUS
O8 -: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://jmcpds.lifepics.com/net/Uploader/LPUploader45.cab
c:\windows\Downloaded Program Files\LPUploader45.inf
c:\windows\SYSTEM32\unicows.dll
c:\windows\Downloaded Program Files\LPUploader45.ocx
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 16:36:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-13 16:37:47
ComboFix-quarantined-files.txt 2008-11-14 00:37:21

Pre-Run: 50,469,384,192 bytes free
Post-Run: 51,104,194,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn

288 --- E O F --- 2008-11-13 06:04:05
Old 11-14-2008, 12:29 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: I need to remove Malware spyware message-Todd Hoback

Hi ToddHoback

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
del /a/f/q "c:\windows\Tasks\ISP*.job"
del /a/f/q  "c:\windows\Tasks\Registration*.job"
Save this as delete.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on delete.bat and allow it to run. Please delete the file afterwards.

Once done....
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/secu...ml#post1802124

    File::
    c:\documents and settings\Owner\Application Data\modiquw.dat
    c:\windows\ymiwusudug.reg
    c:\windows\dasyqipiz.bin
    c:\windows\avahy.exe
    c:\documents and settings\Owner\Application Data\fyhubumove.pif
    c:\documents and settings\Owner\Application Data\ahek.bin
    c:\documents and settings\Owner\Application Data\qyvijy.com
    c:\windows\SYSTEM32\pefolu.vbs
    c:\documents and settings\All Users\Application Data\nudogopese.dat
    c:\documents and settings\All Users\Application Data\abut.com
    c:\documents and settings\Owner\Application Data\mymadabo.vbs
    c:\documents and settings\Owner\Application Data\ezoti.bin
    c:\windows\cejuzyw._sy
    c:\windows\SYSTEM32\ycyxyneqet.ban
    c:\documents and settings\All Users\Application Data\awejiv.dat
    c:\windows\omaz.pif
    c:\documents and settings\Owner\Application Data\bixyxop.com
    c:\windows\SYSTEM32\erabotyk.dl
    c:\documents and settings\Owner\Application Data\ifycac.scr
    c:\documents and settings\Owner\Application Data\ydude.reg
    c:\windows\sinum.exe
    c:\windows\usowys.bin
    c:\windows\gybebuleca.exe
    c:\windows\SYSTEM32\uzymod.dat
    c:\documents and settings\All Users\Application Data\uhywuro.vbs
    c:\windows\esolypis.vbs
    c:\program files\Common Files\dameh.com
    c:\documents and settings\All Users\Application Data\owodoweti.bin
    c:\documents and settings\Owner\Application Data\uvod.sys
    c:\program files\Common Files\aresysyqov.scr
    c:\windows\System32\OOBE\oobebaln.exe

    Folder::
    c:\program files\AntivirusPro2009

    Registry::
    O8 -: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYUS
    Save this as CFScript.txt



    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

Combofix will then execute the script and produce a fresh log
Please post back with the resulting log in your next reply

Next I want you to run an online scan with Kaspersky

Download and scan with CCleaner lite
1. Double click the file and install CCleaner

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post back with:
Combofix Log
Kaspersky Log
__________________
Better to die than be a coward - The Gurkha Motto
The Gurkha Justice Campaign


If we have helped you then please consider donating
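As an added example (not part of the thread, ComboFix or any tool named in it), the following Python script parses the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log together with a CFScript's File:: and Folder:: lists, flags any .job that launches a file the script is about to remove (in this thread the ISP/Registration reminder jobs pointing at oobebaln.exe), and reports which jobs disappeared between the before and after logs. The log and script excerpts are constructed from the format shown in this thread, not copied from the full logs.

```python
import re

# Constructed excerpt in the layout ComboFix uses for scheduled tasks (before the fix).
TASKS_BEFORE = r"""
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:57]

2006-02-18 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2006-02-17 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 16:12]

2008-11-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
"""

# Constructed excerpt of the same section after the CFScript run.
TASKS_AFTER = r"""
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:57]

2008-11-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
"""

# Constructed CFScript fragment using the File::/Folder:: sections from the thread.
CFSCRIPT = r"""
File::
c:\windows\avahy.exe
c:\windows\System32\OOBE\oobebaln.exe

Folder::
c:\program files\AntivirusPro2009
"""

TASK_HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TASK_TARGET = re.compile(r"^- (.+?) \[")


def parse_tasks(log_text):
    """Return [(job_path, launched_file)] pairs from the Scheduled Tasks section."""
    tasks = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = TASK_HEADER.match(line)
        if not m or i + 1 >= len(lines):
            continue
        t = TASK_TARGET.match(lines[i + 1])  # the target follows on the "- ..." line
        if t:
            tasks.append((m.group(2), t.group(1)))
    return tasks


def parse_cfscript(script_text):
    """Return {"File": [...], "Folder": [...], ...} from a CFScript's '::' sections."""
    sections, current = {}, None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _norm(path):
    # Windows paths are case-insensitive; drop any trailing backslash for comparison.
    return path.lower().rstrip("\\")


def flag_tasks(tasks, sections):
    """Jobs whose launched file is listed under File:: or lives under a Folder:: entry."""
    files = {_norm(p) for p in sections.get("File", [])}
    folders = [_norm(p) for p in sections.get("Folder", [])]
    flagged = []
    for job, target in tasks:
        tgt = _norm(target)
        if tgt in files or any(tgt.startswith(f + "\\") for f in folders):
            flagged.append((job, target))
    return flagged


def removed_jobs(before_text, after_text):
    """Jobs present in the earlier log but absent from the later one."""
    after = {_norm(job) for job, _ in parse_tasks(after_text)}
    return [job for job, _ in parse_tasks(before_text) if _norm(job) not in after]


if __name__ == "__main__":
    for job, target in flag_tasks(parse_tasks(TASKS_BEFORE), parse_cfscript(CFSCRIPT)):
        print(f"FLAG {job} -> {target}")
    for job in removed_jobs(TASKS_BEFORE, TASKS_AFTER):
        print(f"GONE {job}")
```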
Old 11-14-2008, 03:43 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP


Re: I need to remove Malware spyware message-Todd Hoback

sjb007,

As instructed, I saved these two lines of text as delete.bat:

del /a/f/q "c:\windows\Tasks\ISP*.job"
del /a/f/q "c:\windows\Tasks\Registration*.job"


... but unfortunately, nothing happens when I try to do this:

Double-click on delete.bat and allow it to run.


It doesn't appear that anything runs at all when I double-click. Should I just continue to the next step in your instructions?

Thank you,
Todd Hoback

Last edited by amateur; 11-14-2008 at 05:23 PM. Reason: cell phone number removed
Old 11-14-2008, 04:12 PM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: I need to remove Malware spyware message-Todd Hoback

Yes, please continue with the rest of the steps as advised.

Sidenote: As a security precaution I would advise that you refrain from posting what appears to be your cell number; the last thing you want is your phone number used in a malicious way - I have requested that this be removed by a moderator - regards
__________________
Better to die than be a coward - The Gurkha Motto
The Gurkha Justice Campaign


If we have helped you then please consider donating

Last edited by sjb007; 11-14-2008 at 04:23 PM. Reason: Security Precautions...
Old 11-14-2008, 07:11 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP


Re: I need to remove Malware spyware message-Todd Hoback

Here is the new ComboFix log it produced:



ComboFix 08-11-13.01 - Owner 2008-11-14 19:02:48.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.621 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\All Users\Application Data\abut.com
c:\documents and settings\All Users\Application Data\awejiv.dat
c:\documents and settings\All Users\Application Data\nudogopese.dat
c:\documents and settings\All Users\Application Data\owodoweti.bin
c:\documents and settings\All Users\Application Data\uhywuro.vbs
c:\documents and settings\Owner\Application Data\ahek.bin
c:\documents and settings\Owner\Application Data\bixyxop.com
c:\documents and settings\Owner\Application Data\ezoti.bin
c:\documents and settings\Owner\Application Data\fyhubumove.pif
c:\documents and settings\Owner\Application Data\ifycac.scr
c:\documents and settings\Owner\Application Data\modiquw.dat
c:\documents and settings\Owner\Application Data\mymadabo.vbs
c:\documents and settings\Owner\Application Data\qyvijy.com
c:\documents and settings\Owner\Application Data\uvod.sys
c:\documents and settings\Owner\Application Data\ydude.reg
c:\program files\Common Files\aresysyqov.scr
c:\program files\Common Files\dameh.com
c:\windows\avahy.exe
c:\windows\cejuzyw._sy
c:\windows\dasyqipiz.bin
c:\windows\esolypis.vbs
c:\windows\gybebuleca.exe
c:\windows\omaz.pif
c:\windows\sinum.exe
c:\windows\SYSTEM32\erabotyk.dl
c:\windows\System32\OOBE\oobebaln.exe
c:\windows\SYSTEM32\pefolu.vbs
c:\windows\SYSTEM32\uzymod.dat
c:\windows\SYSTEM32\ycyxyneqet.ban
c:\windows\usowys.bin
c:\windows\ymiwusudug.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\abut.com
c:\documents and settings\All Users\Application Data\awejiv.dat
c:\documents and settings\All Users\Application Data\nudogopese.dat
c:\documents and settings\All Users\Application Data\owodoweti.bin
c:\documents and settings\All Users\Application Data\uhywuro.vbs
c:\documents and settings\Owner\Application Data\ahek.bin
c:\documents and settings\Owner\Application Data\bixyxop.com
c:\documents and settings\Owner\Application Data\ezoti.bin
c:\documents and settings\Owner\Application Data\fyhubumove.pif
c:\documents and settings\Owner\Application Data\ifycac.scr
c:\documents and settings\Owner\Application Data\modiquw.dat
c:\documents and settings\Owner\Application Data\mymadabo.vbs
c:\documents and settings\Owner\Application Data\qyvijy.com
c:\documents and settings\Owner\Application Data\uvod.sys
c:\documents and settings\Owner\Application Data\ydude.reg
c:\program files\AntivirusPro2009
c:\program files\AntivirusPro2009\data\daily.cvd
c:\program files\Common Files\aresysyqov.scr
c:\program files\Common Files\dameh.com
c:\windows\avahy.exe
c:\windows\cejuzyw._sy
c:\windows\dasyqipiz.bin
c:\windows\esolypis.vbs
c:\windows\gybebuleca.exe
c:\windows\omaz.pif
c:\windows\sinum.exe
c:\windows\SYSTEM32\erabotyk.dl
c:\windows\System32\OOBE\oobebaln.exe
c:\windows\SYSTEM32\pefolu.vbs
c:\windows\SYSTEM32\uzymod.dat
c:\windows\SYSTEM32\ycyxyneqet.ban
c:\windows\usowys.bin
c:\windows\ymiwusudug.reg

.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-23 20:05 . 2008-10-15 08:34 337,408 --------- c:\windows\SYSTEM32\dllcache\netapi32.dll
2008-11-19 22:20 . 2008-11-13 16:22 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-19 22:03 . 2008-11-19 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-19 22:03 . 2008-11-14 18:51 9,071 --a------ c:\windows\SYSTEM32\Config.MPF
2008-11-19 22:02 . 2006-03-03 08:07 143,360 --a------ c:\windows\SYSTEM32\dunzip32.dll
2008-11-19 21:59 . 2007-11-22 06:44 201,320 --a------ c:\windows\SYSTEM32\drivers\mfehidk.sys
2008-11-19 21:59 . 2007-07-13 06:20 113,952 --a------ c:\windows\SYSTEM32\drivers\Mpfp.sys
2008-11-19 21:59 . 2007-11-22 06:44 79,304 --a------ c:\windows\SYSTEM32\drivers\mfeavfk.sys
2008-11-19 21:59 . 2007-12-02 12:51 40,488 --a------ c:\windows\SYSTEM32\drivers\mfesmfk.sys
2008-11-19 21:59 . 2007-11-22 06:44 35,240 --a------ c:\windows\SYSTEM32\drivers\mfebopk.sys
2008-11-19 21:59 . 2007-11-22 06:44 33,832 --a------ c:\windows\SYSTEM32\drivers\mferkdk.sys
2008-11-19 21:58 . 2008-11-19 21:58 <DIR> d-------- c:\program files\McAfee.com
2008-11-19 21:58 . 2008-11-29 20:42 <DIR> d-------- c:\program files\McAfee
2008-11-19 21:58 . 2008-11-19 21:59 <DIR> d-------- c:\program files\Common Files\McAfee
2008-11-15 23:29 . 2008-09-08 02:41 333,824 --------- c:\windows\SYSTEM32\dllcache\srv.sys
2008-11-15 23:28 . 2008-08-14 02:11 2,189,184 --------- c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2008-11-15 23:28 . 2008-08-14 02:09 2,145,280 --------- c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2008-11-15 23:28 . 2008-08-14 01:33 2,066,048 --------- c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2008-11-15 23:28 . 2008-08-14 01:33 2,023,936 --------- c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2008-11-15 23:28 . 2008-09-15 04:12 1,846,400 --------- c:\windows\SYSTEM32\dllcache\win32k.sys
2008-11-12 22:03 . 2008-11-12 22:03 118 --a------ c:\windows\SYSTEM32\MRT.INI
2008-11-12 21:00 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\dllcache\msxml3.dll
2008-11-12 21:00 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-11-11 18:33 . 2008-11-11 18:33 250 --a------ c:\windows\gmer.ini
2008-11-09 16:52 . 2008-11-09 16:52 <DIR> d-------- c:\documents and settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 07:30 --------- d-----w c:\program files\Full Tilt Poker
2008-11-20 06:16 --------- d-----w c:\program files\Common Files\Motive
2008-11-20 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-20 05:46 --------- d-----w c:\documents and settings\Owner\Application Data\Verizon
2008-11-20 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Verizon
2008-11-18 20:49 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-14 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-08 04:44 --------- d---a-w c:\program files\Encarta Online
2008-11-08 04:44 --------- d-----w c:\program files\Microsoft Works
2008-11-08 04:44 --------- d-----w c:\program files\EMusic
2008-11-07 08:21 --------- d-----w c:\program files\viewsonic
2008-11-07 08:21 --------- d-----w c:\program files\Compaq A3000
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\dllcache\ieframe.dll
2008-10-01 23:46 49,152 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHI18N.dll
2008-10-01 23:45 77,824 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\WinVerifyTrust.dll
2008-10-01 23:45 420,432 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\pchplugin.zip
2008-10-01 23:45 155,648 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PCHButton.exe
2008-10-01 23:45 126,976 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\ContentUpdater.exe
2008-10-01 23:45 122,880 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\SearchCtrl.dll
2008-10-01 23:44 731,136 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\motdeusr.zip
2008-10-01 23:44 106,496 ----a-w c:\windows\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\bin\PluginCtrl.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\SYSTEM32\dllcache\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-08-27 08:24 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w c:\windows\SYSTEM32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2008-04-14 00:12 50,688 --sha-w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-13_16.36.48.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-14 00:28:27 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
+ 2008-11-15 02:32:54 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
- 2008-11-14 00:28:27 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-15 02:32:54 32,768 -c--a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-14 00:12:31 51,200 ----a-w c:\windows\SYSTEM32\dllcache\oobebaln.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-15 28739]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-06-15 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-07 143360]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-07 90112]
"PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920]
"CTPDPSRV"="c:\windows\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE" [2001-09-18 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\SYSTEM32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-01 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-01 113664]
Compaq A3000 Settings Utility.lnk - c:\program files\Compaq A3000\CPQA3000.exe [2006-03-01 1142784]
hp center.lnk - c:\program files\hp center\137903\Program\BackWeb-137903.exe [2001-09-05 16384]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-05 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-05 28672]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-03-01 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\CTpdpsrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:57]

2006-06-14 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1142361872.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]

2008-11-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-11-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-03 c:\windows\Tasks\User_Feed_Synchronization-{DE8326EE-D556-48F0-A912-DDE24CD006C2}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:58]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 19:04:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2008-11-14 1918
ComboFix-quarantined-files.txt 2008-11-15 03:05:56
ComboFix2.txt 2008-11-14 00:37:49

Pre-Run: 50,919,141,376 bytes free
Post-Run: 50,906,591,232 bytes free

240 --- E O F --- 2008-11-13 06:04:05
Old 11-14-2008, 07:20 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP


Re: I need to remove Malware spyware message-Todd Hoback

sjb007

Per the instructions, I am trying to install CCleaner Lite, but when I click on the link you provided, I get a page full of download options, and none of them seem to install CCleaner Lite. Does it matter which cleaner I install from that page?


Thanks for clarifying.

Todd Hoback
Old 11-14-2008, 08:19 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP


Re: I need to remove Malware spyware message-Todd Hoback

sjb007,

I got it figured out. CCleaner ran OK and now Kaspersky is running. I'll send you the log asap.

Thanks
Todd Hoback
Old 11-14-2008, 11:15 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP


Re: I need to remove Malware spyware message-Todd Hoback

SJB007,

Here is the Kaspersky log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 20:14:58
Records in database: 1385149
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 90954
Threat name: 12
Infected objects: 48
Suspicious objects: 0
Duration of the scan: 02:18:56


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cy 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.f 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ad 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.q 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ai 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\f3PSSavr.scr.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155257.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155258.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155259.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155260.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155261.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155262.SCR Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155263.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.cy 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155264.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155265.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155266.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155267.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155268.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155270.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.f 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155271.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155272.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155273.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155274.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ad 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155276.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155277.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155278.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.q 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155279.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155280.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155282.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ai 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155284.scr Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1

The selected area was scanned.
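The analyst's reading of this log (everything is either in the ComboFix quarantine or in a System Restore copy) can be checked mechanically. Added example, not from the post: a small triage script for lines in the Kaspersky format above; the first two sample lines are copied from the log, the third (a copy still under Program Files) is constructed to exercise the "live" case, and the two location rules are my assumptions about where ComboFix and System Restore keep their copies.

```python
import re
from collections import Counter

# Matches one Kaspersky hit line: "<path> Infected: <detection name> <count>"
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<detection>\S+)\s+(?P<count>\d+)\s*$")

# Constructed sample in the same format as the log above: two lines are taken from the
# post, the third (a copy still under Program Files) is invented to exercise the "live" case.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP801\A0155257.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.f 1
The selected area was scanned.
"""

def classify_path(path):
    """Where does the detected file live? Only 'live' hits still need removal."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantined"    # ComboFix quarantine: neutralised, deleted by 'combofix /u'
    if "\\system volume information\\_restore{" in low:
        return "restore_point"  # System Restore copy: gone once restore points are flushed
    return "live"               # anywhere else: still in place, needs action

def triage(log_text):
    """Parse the log and tag every hit with its status; non-matching lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            findings.append({"path": m.group("path"), "detection": m.group("detection"),
                             "count": int(m.group("count")),
                             "status": classify_path(m.group("path"))})
    return findings

def summarize(findings):
    """Count hits per status, e.g. Counter({'quarantined': 1, 'restore_point': 1, 'live': 1})."""
    return Counter(f["status"] for f in findings)

def live_hits(findings):
    """The hits an analyst must still deal with."""
    return [f for f in findings if f["status"] == "live"]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(dict(summarize(found)))
    for hit in live_hits(found):
        print("STILL LIVE:", hit["path"], hit["detection"])
```

Run against a full log, an empty "live" list is the condition the analyst's next step (combofix /u) relies on.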
Old 11-15-2008, 12:23 AM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: I need to remove Malware spyware message-Todd Hoback

Hi ToddHoback

All is looking good. What Kaspersky found is either in System Restore, which we will flush in our next steps, or has been quarantined by ComboFix.

Let's tidy up after ourselves.

If you haven't already done so, please delete the bat file we created.

Go to the Start menu and select Run (Vista users press the Windows key & R) to bring up the Run dialog.
In the command line type in combofix /u - note the space between combofix & /u.

This will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled, then visit Microsoft's Update Page and update your computer from there.
Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of, then don't be afraid to ask for advice. For more information on firewalls, read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next, press the Apply button and then OK to exit the Internet Properties page.

Safer Browsing
Use software such as TrendProtect or SiteHound to help you stay away from unsuspecting sites that have malicious purposes.
Use SpywareBlaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run for free without a licence, but the background protection will not be active.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In The First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
Better to die than be a coward - The Gurkha Motto
The Gurkha Justice Campaign


If we have helped you then please consider donating
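The six Custom Level changes in the post above are stored as DWORD values under the Internet zone's registry key, so they can be audited without clicking through the dialog. Added example, not the post's own instructions: the zone key path, the numeric value names and the meaning of 0/1/3 are my assumptions about IE's registry layout, and the fallback values at the bottom are a constructed weak configuration so the script runs off Windows.

```python
import sys

# Internet zone of the current user (zone id 3 = Internet); assumed, not from the post.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3   # DWORD meanings, assumed from the registry layout
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Registry value name -> (Custom Level setting, value recommended in the post).
# The numeric names are assumed to map to these settings.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

def audit(values):
    """values: {value name: int} as read from the zone key. A setting is compliant when it
    is at least as strict as recommended (Enable < Prompt < Disable); a missing value is
    treated as Enable, the weakest case (assumption). Returns one
    (name, setting, current, wanted) tuple per non-compliant entry."""
    findings = []
    for name, (setting, wanted) in RECOMMENDED.items():
        current = values.get(name, ENABLE)
        if current < wanted:
            findings.append((name, setting, LABEL.get(current, str(current)), LABEL[wanted]))
    return findings

def read_zone_values():
    """Read the live settings from HKCU; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                values[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass   # value absent: zone default applies
    return values

if __name__ == "__main__":
    live = read_zone_values()
    # Constructed weak configuration used only when the registry is not available.
    values = live if live is not None else {"1001": 0, "1004": 1, "1201": 0, "1800": 1}
    for name, setting, current, wanted in audit(values):
        print(f"{name} {setting}: is {current}, should be {wanted}")
```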
Old 11-16-2008, 01:12 AM   #12 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 8
OS: Windows XP


Re: I need to remove Malware spyware message-Todd Hoback

sjb007,

Yes, you can consider this thread resolved. THANK YOU VERY MUCH for all your help with this problem. I appreciate it.

Todd
Old 11-16-2008, 01:14 AM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: I need to remove Malware spyware message-Todd Hoback

Only too glad to help, Todd. Good luck and happy safe surfin'.
 


Copyright 2001 - 2009, Tech Support Forum